Subscribe to Outbreak, a daily newsletter roundup of stories on the coronavirus pandemic and its impact on global business. It’s free to get it in your inbox.
As people and businesses have become increasingly reliant on video chatting since the coronavirus pandemic began, the FBI’s Boston office reported this week that “Zoom bombing” incidents are occurring across America. A disruption specific to the teleconferencing app Zoom, which has recently surged in popularity, this vulnerability has been been exploited by hackers, with disturbing results.
On March 30, for instance, uninvited strangers crashed a Zoom meeting on cyberattacks. When the presenter started covering coronavirus disinformation posted to Reddit, Facebook, and Twitter, a Zoom bomber scribbled all over the screen, forcing the meeting to end early.
Zoom hacking issues like this are happening all over the world, from over-the-Internet Alcoholics Anonymous meetings to sensitive, high-level government gatherings. Here’s how Zoom bombings work, and, more importantly, how to prevent them.
What is Zoom bombing?
Many Zoom bombing incidents have amounted to a form of trolling. Hackers gain access to a Zoom meeting and attempt to disrupt the video chat and upset participants by shouting profanity or racial slurs, or putting disturbing or offensive images in their video feed.
The vulnerability also has people wondering if Zoom is safe to use. Particularly in a large meeting, an unwelcome participant might go unnoticed, enabling that person to record the meeting or otherwise gather information. In particularly sensitive cases, this could become a method of corporate espionage or blackmail.
How are hackers joining Zoom meetings they aren’t supposed to be in?
The majority of Zoom bombing attacks appear not to be the product of flaws in Zoom’s code, but rather of users’ overall cybersecurity hygiene and their imperfect command of Zoom’s privacy settings.
If a Zoom meeting is set to public, it can be accessed by anyone with the correct link. According to Roy Zur, cofounder and CEO of cybersecurity firm Cybint, bad actors can find these addresses simply by searching for “zoom.us” on social media sites like Facebook, where public meeting links are often posted. Dedicated forums have also cropped up on sites like Reddit, where r/Zoombombing was described as “dedicated to the posting of Zoom Classroom Meeting IDs.” Reddit says it has now banned the forum for violating site policies.
How can I prevent Zoom bombing of my meetings and video calls?
There are several important, mostly straightforward ways to protect your meetings. Fortune reached out to Zoom for comment. The company recommended users read this detailed guide, which covers precautions for keeping their meetings safe.
Most importantly, Zoom users should not share meeting links publicly. This is perhaps the single most obvious precaution you can take. Rather than posting a meeting link to a Facebook group or in a promotional tweet, distribute information via a more private method, such as email.
Second, set your meetings to “private.” Zoom now sets all new meetings to “private” by default, requiring attendees to provide a password for access. But users often opt to make meetings public for the sake of convenience. Given the wave of Zoom bombings, the inconvenience of requiring a password is probably worthwhile in keeping your meeting safe.
Also, don’t use your personal meeting ID. Every registered Zoom user has a personal meeting ID, linked to what is essentially a permanent virtual meeting room. Because that ID doesn’t change, sharing it publicly increases the chance that future meetings using your personal ID might be Zoom bombed.
To avoid the risk of Zoom bombing, share your personal meeting ID only with your most trusted contacts. Generally, while Zoom will prompt you to use your personal ID for “instant” meetings, scheduled meetings will use a one-time meeting ID, reducing risk. If you’re concerned that you may have already shared your personal meeting ID in an insecure way, Zur recommends contacting Zoom directly to have it changed.
Finally, restrict video sharing. If the meeting host is the only person who needs to share video, such as in a seminar or presentation, the host should change Zoom’s screen-sharing setting to “Host only.” Zoom has already made this change by default for K-12 classes using the software.
Is Zoom safe to use?
Given the wave of Zoom bombings, you might suspect there’s a problem with the Zoom software. But Zur says Zoom is generally doing a good job on security, and the bulk of Zoom bombings are most likely due to lax user practices rather than bugs.
However, the very popularity of Zoom may inherently make it riskier.
“As you see hype around a specific product, it also attracts attackers,” says Zur. But white-hat hackers and cybersecurity organizations, including government-backed organizations, will also follow suit, devoting more time and energy into keeping these newly popular technologies safe, he adds.
More must-read tech coverage from Fortune:
—Everyone is using Zoom, but is that what Zoom wants?
—How the coronavirus stimulus package would change gig worker benefits
—Inside the global push to 3D-print masks and ventilator parts
—Apple focuses on what’s next amid coronavirus outbreak
—A startup is building computer chips using human neurons
—Listen to Leadership Next, a Fortune podcast examining the evolving role of CEO
—WATCH: Best earbuds in 2020: Apple AirPods Pro Vs. Sony WF-1000XM3
Catch up with Data Sheet, Fortune’s daily digest on the business of tech.
