By Craig Ball
Distanced by Coronavirus, lawyers and teachers are flocking to the teleconferencing platform Zoom to meet and share screens. Zoom is also turning up as a way to emulate face-to-face social interactions ranging from AA meetings and book clubs to happy hours and rock concerts. Last week, the Chipotle fast food chain sought to bring a little joy to COVID-stressed customers by hosting an online concert with singer/songwriter Lauv. Things didn’t go as planned, and there’s a lesson there for lawyers and others needing meeting security.
Per Tressie Lieberman, Chipotle’s VP of Digital, “As we saw large-scale events begin to get cancelled, we wanted to act fast and give our fans something to get excited about, despite being surrounded by negative news.” Chipotle acted fast–too fast it seems–and assuredly gave viewers something to get excited about, though not as intended. Chipotle was forced to pull the plug after one attendee used Zoom’s Screen Share feature to broadcast pornography to hundreds of other attendees. Zoombombing: When Video Conferences Go Wrong, New York Times, March 22, 2020.
Whoever configured the Zoom meeting apparently failed to select the option that limits the ability of any meeting participant other than the host to share screens. As a result, any attendee—including any troll logging in anonymously—could share any content they like with all other attendees. It’s called Zoombombing (like Photobombing) and it’s a growing disruption. If a Zoom bomber logs in multiple times, stopping the interloper is like playing Whack-a-Mole. The host shuts down one Zoombombing instance only to push the Zoom bomber to the next and the next.
It’s an embarrassment that could have been avoided had the individual setting up the Zoom meeting changed a Screen Sharing option buried in the program’s settings menu, eschewing the default “All Participants” in favor of the considerably safer “Host Only” as seen below.
This unfortunate intrusion was caused by user error, not a vulnerability in the tool. But I’d been expecting something of a similar nature to occur since I noticed that Zoom issues every subscriber a personal Zoom meeting ID as an alternative to generating a one-time use meeting ID for every meeting. That’s a vulnerability. What it means is that if anyone learns the host’s personal Zoom meeting ID (hint: it’s the meeting number contained in the meeting invitation), anyone can attend the host’s personal meetings whether invited or not. Of course, if the host is managing participants and keeping a close eye on headcounts, an uninvited lurker may be spotted. If it were a meeting of many counsel in multi-district litigation or other matters characterized by large teams, it would be easy for an opponent to log in and listen undetected.
Here are other simple tips to secure your Zoom meetings against Zoom bombers and eavesdroppers:
1. Protect your personal Zoom meeting ID as you would your personal passwords. Never use your personal Zoom meeting ID to host a meeting. Instead, have Zoom automatically generate a unique meeting ID for your invitations.
2. Require a meeting password. Zoom will generate one for your invitees when you check the box.
3. Allow only authenticated users to join. To gain entry, invited users will need to have a Zoom user account (they’re free) and log into Zoom.
4. Require that participants attend with video cameras turned on, at least until the host can identify all the participants in the meeting and confirm they were invited.
5. Lock the meeting after all invited attendees have joined and prevent latecomers. To lock an ongoing meeting, click “Manage Participants,” then click “More” at the bottom of the Participants screen. Finally, choose “Lock Meeting.”
Craig Ball hails from Texas but now happily calls the Big Easy home. A board certified trial attorney in Texas and an Adjunct Professor at the University of Texas School of Law teaching Electronic Evidence and Digital Discovery, Craig is an expert in digital forensics, emerging technologies, visual persuasion, electronic discovery, and trial tactics, limiting his practice to service as a court-appointed Special Master in Electronically-Stored Information. An energetic speaker at CLE programs for the bench and the bar throughout the world, Craig is also an instructor in computer forensics and electronic evidence to multiple law enforcement and security agencies. Craig’s articles frequently appear in the national media. For nine years, he wrote the award-winning column on computer forensics and e-discovery for American Lawyer Media called “Ball in your Court,” and still pens a popular blog of the same name at ballinyourcourt.com. Craig Ball is the 2019 recipient of the Texas Bar’s Gene Cavin Award for Lifetime Achievement in Continuing Education.
This article was originally posted on craigball.net and is shared here with full permission from the author.