Securing Your Video Conferences from “Zoombombing” and Other Threats

Paul Oliveria
November 17, 2021

Before we explore Zoombombing, imagine this: you’re a sales manager in a video conference meeting with a qualified lead and you’re trying to close this huge deal with them. The prospect company’s top honchos are there, and your bosses have dialled in at the last minute because they, too, are excited about this deal.

You have been sharing your screen to present your pitch deck, and just as you are about to go to the next slide for the big reveal, you’re interrupted by the sound of a bullhorn. You turn off the screen sharing to check who was causing the commotion. Big mistake: someone takes over that feature and starts sharing meme pictures. A series of offensive messages also appears in the conference chat room—some racist remarks, and a lewd comment to your prospect company’s female executive.

It went as fast as it came. You quickly recover from the shock and try to steer the meeting back on topic, but you know it’s a lost cause. You don’t have a choice but to end the call, promising to reschedule it. But somehow, you know that it won’t happen anytime soon, if it happens at all.

What is Zoombombing?

The above scenario is a prime example of zoombombing. Defined as an unwanted, disruptive intrusion into video conference calls, it’s a phenomenon that rose to prominence earlier this year when there was an uptick in the use of videoconferencing software, which was crucial to work-from-home setups in response to the COVID-19 pandemic. Zoombombing isn’t limited to one video conference provider; it was felt across many platforms and affected schools, businesses, medical practitioners, and even governments.

In a typical zoombombing scenario, unwanted and uninvited users get ahold of conference meeting IDs and disrupt an ongoing meeting by displaying or sharing inappropriate content or sending offensive messages in the chatrooms. Attackers have previously obtained meeting IDs by randomly guessing number combinations or searching the internet for publicly-available meeting information. Since zoombombing became popular, however, these attackers are reportedly sharing these meeting IDs freely on user forums and social media platforms so that like-minded individuals can easily launch their attacks.
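On the defender's side, guessing of meeting IDs leaves a recognisable trace in join logs: one source probing many distinct IDs and mostly missing. The sketch below is an added example, not part of the original article or of any vendor's product; the log format, result values, thresholds and function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample join log (hypothetical format):
# timestamp, source IP, meeting ID, result
SAMPLE_LOG = """\
2021-11-17T09:00:01Z 198.51.100.7 4819203341 not_found
2021-11-17T09:00:02Z 198.51.100.7 4819203342 not_found
2021-11-17T09:00:03Z 198.51.100.7 7300115528 not_found
2021-11-17T09:00:04Z 198.51.100.7 9054412207 waiting_room
2021-11-17T09:00:05Z 198.51.100.7 1162094473 not_found
2021-11-17T09:00:06Z 198.51.100.7 6620938815 not_found
2021-11-17T09:01:10Z 203.0.113.20 9054412207 joined
2021-11-17T09:05:42Z 203.0.113.20 9054412207 joined
2021-11-17T09:02:00Z 192.0.2.15 3348870192 joined
2021-11-17T10:00:00Z 192.0.2.15 9054412207 joined
"""

def _attempts_by_source(log_text):
    """Group meeting IDs per source: every ID tried, and the IDs that exist."""
    tried, hits = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, meeting_id, result = line.split()
        tried[src].add(meeting_id)
        if result != "not_found":      # the ID exists, even if the join was held
            hits[src].add(meeting_id)
    return tried, hits

def find_id_guessers(log_text, min_distinct_ids=5, max_hit_ratio=0.2):
    """Return {source: (distinct_ids_tried, ids_that_existed)} for sources
    that probe many different meeting IDs and mostly miss."""
    tried, hits = _attempts_by_source(log_text)
    flagged = {}
    for src, ids in tried.items():
        found = len(hits[src])
        if len(ids) >= min_distinct_ids and found / len(ids) <= max_hit_ratio:
            flagged[src] = (len(ids), found)
    return flagged

def exposed_meetings(log_text, **thresholds):
    """Meeting IDs a flagged source managed to reach; their hosts should
    review the waiting room and consider issuing a fresh meeting ID."""
    _tried, hits = _attempts_by_source(log_text)
    flagged = find_id_guessers(log_text, **thresholds)
    return set().union(*(hits[src] for src in flagged))

if __name__ == "__main__":
    print(find_id_guessers(SAMPLE_LOG))
    print(exposed_meetings(SAMPLE_LOG))
```

Counting distinct IDs rather than raw attempts keeps a participant who rejoins the same meeting several times from being flagged.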

Conference calls as entry points for security threats

As this behavior continues to affect companies, schools, and other organisations—thus attracting media attention—the phenomenon also illustrates how workplace tools like videoconferencing programs can be misused or abused to become infection and attack vectors for malware and threat actors. It’s no longer just a prank when sensitive data is at risk; it becomes a security issue.

Imagine that instead of an overt, distracting intrusion, an unwanted visitor has hijacked your meeting on mute and is eavesdropping on potentially confidential information. Or instead of offensive messages, a hacker drops a malicious URL in the conference chat room, tricking attendees into clicking and installing a remote access Trojan on their machines.

A malicious attacker can also potentially exploit a vulnerability in the application to gain entry and join a meeting without the need of a meeting ID. Social engineering tactics may also trick users into installing a Trojanized videoconferencing installer or clicking on a spoofed meeting URL that leads them to phishing sites instead. With work-from-home setups becoming the norm for some companies, these scenarios are becoming increasingly possible because employees may not be equipped with the same level of security and protection using their home networks to work, compared to when they are in an office.

Securing your conference programs (and how CINNOX does it)

Companies need to rethink their business communications strategies to address current working environments while keeping their data safe and secure. This may include reassessing the tools and software their employees use and how they manage the upkeep of these programs.

Below are some of the things you can do to have more secure meetings:

  • Always keep your videoconferencing programs up-to-date. No software is 100% perfect out of the box, which is why developers regularly provide software updates. These updates not only provide enhanced features and capabilities for your application, but also provide fixes to vulnerabilities that may be exploited in the future.
  • Avoid sharing meeting information in public. It is prudent to not share meeting information in public spaces such as social media platforms. Even if a meeting or conference call requires attendees from outside your organisation (e.g., webinars or online events), you need to have proper systems and processes in place, such as registration and confirmation procedures, to make sure only the right attendees join your meetings.
  • Use videoconferencing features, such as host controls and waiting rooms, to your advantage. Organisations have fallen victim to threats because they were not able to take advantage of videoconferencing features like password-protecting their meetings, enabling the waiting room where the host can approve who gets to join in, or even something as simple as muting everyone upon entry. These features help ensure that your meetings proceed without distractions and must therefore be utilised at all times.

Secure conference calls with CINNOX

  • Multiple ways to invite participants. Apart from generating a link to the conference that a host can copy and share to participants, CINNOX also provides the option to invite attendees using their contact list or by direct dialling phone numbers. This is ideal for hosting small meetings.
  • Removing and blocking participants. Similar to other videoconferencing programs, CINNOX’s conferencing feature lets hosts kick out a participant from the conference. Any user removed from the conference can no longer join in unless they are invited back by the host.
  • SMS verification. Conference hosts using CINNOX can enable SMS verification so that anyone with the conference link will have to verify their phone number first before they can join the conference.
  • Share link deactivation. Conference hosts can deactivate the conference link anytime during the meeting, such as when all required participants are already in the room. This prevents other users—even if they have the conference link—from joining.

As videoconferencing—along with live chat, video calls, and other communication tools—becomes more integral to a company’s business strategy given the current situation, companies need to consider its security to ensure business continuity, improve employee productivity, and build customer trust. A unified communications solution like CINNOX, combined with best practices such as those outlined above, may not be entirely foolproof against pranksters and threat actors, but together they are a good baseline for ensuring safe and pleasant conference calls for your customers and colleagues.
