US warns that ‘Zoombombing’ could result in imprisonment

6 Apr 2020

Image: © charnsitr/Stock.adobe.com

The US Department of Justice has warned that individuals engaging in ‘Zoombombing’ could be arrested.

Over the last month, as droves of people in Europe and the US began working from home to mitigate the spread of the Covid-19, Zoom was quickly adopted as the go-to video conferencing tool for many businesses and organisations.

In the weeks that have passed, however, various security concerns have emerged. Zoom is now facing a lawsuit over its practice of sharing data with Facebook, and has come under fire for leaving thousands of recordings exposed and giving mixed messages about its encryption.

Another issue that has arisen is ‘Zoombombing’. Because, by default, guests in a video call do not need the host’s permission to share their screen with all other participants, some people have been abusing the feature to hijack calls and display graphic images, such as depictions of violence or pornography.

‘Zoombombing’

On 18 March, TechCrunch detailed an incident that occurred on a daily public zoom call hosted by Casey Newton, a journalist from The Verge. The daily call, entitled WFH Happy Hour, had dozens of attendees and was interrupted by a participant who used the screensharing feature to display “horrifying sexual videos”.

Each time that the host banned the participant, they simply returned with a new name and continued to bombard the conversation with pornography. Newton eventually decided to cut the call short.

Over the weekend, more reports of Zoombombing emerged, with the Wall Street Journal reporting that there have been targeted attacks on Alcoholics Anonymous meetings held through Zoom. In Ireland, a GAA club was the victim of a Zoombombing attack, which exposed young children to inappropriate content. The Ballymun Kickhams team has apologised to parents for the incident.

The New York Times reported that there are coordinated efforts across Reddit, Twitter, 4Chan and Instagram to organise Zoom harassment campaigns. Across these platforms, thousands of people were sharing meeting passwords and plans to cause trouble in both public and private meetings.

Video security

TechCrunch outlined some tips on how to protect Zoom calls. In the pre-meeting settings and in-call admin settings, for example, permission for screensharing can be revoked.

Zoom also announced that from 5 April, the platform will turn on passwords and virtual waiting rooms by default for both free and pro users, with the hope of making it more difficult for Zoombombers to interfere.

Passwords were already turned on by default for new Zoom meetings, instant meetings and calls joined with a meeting ID. But from this week, passwords will also be needed for previously scheduled Zoom meetings, and once users have joined a meeting, they’ll have to wait for the host to let them enter from a new virtual waiting room.

The company made the announcement after security researchers developed an automated tool that could identify 100 non-password-protected Zoom meeting IDs per hour.

The legal implications

On Friday (3 April), the US Department of Justice (DoJ) warned that Zoombombing qualifies as a federal offence. In a statement, the US Attorney’s Office for the Eastern District of Michigan said: “Hackers are disrupting conferences and online classrooms with pornographic and/or hate images and threatening language.

“Michigan’s chief federal, state and local law enforcement officials are joining together to warn that anyone who hacks into a teleconference can be charged with state or federal crimes. Charges may include – to name just a few – disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud or transmitting threatening communications.”

Matthew Schneider, US attorney for Eastern Michigan, said: “You think Zoombombing is funny? Let’s see how funny it is after you get arrested.

“If you interfere with a teleconference or public meeting in Michigan, you could have a federal, state or local law enforcement knocking at your door.”

Western District of Michigan US attorney Andrew Birge added: “Whether you run a business, a law enforcement meeting, a classroom or you just want to chat with family, you need to be aware that your video conference may not be secure and information you share may be compromised.”

Zoom banned in New York classrooms

The DoJ has warned against making meetings or classrooms public, as well as sharing meeting links on publicly available social media posts. Officials in New York have decided to ban the use of Zoom for remote teaching.

Danielle Filson, spokesperson for the New York City department of education, said: “Providing a safe and secure remote learning experience for our students is essential, and upon further review of security concerns, schools should move away from using Zoom as much as possible.

“There are many new components to remote learning, and we are making real-time decisions in the best interest of our staff and students.”

While advising schools not to use Zoom, New York’s department of education is helping schools to transition to Microsoft teams, which it said has the “same capabilities with appropriate security measures”. According to TechCrunch, the ban will affect the 1.1m students in more than 1,800 schools using Zoom.

Kelly Earley was a journalist with Silicon Republic

editorial@siliconrepublic.com