Protect yourself from the Zoom Bomb Squad

A year ago, many of us didn’t even know what Zoom was. Today, we couldn’t imagine a world without it and similar virtual meeting tools. While we’ve successfully pivoted in many ways to working from home (WFH), we still have lessons to learn to operate more securely.

The problem 

Zoom bombingThe growth of remote web-based meetings has been paralleled by that of a rising threat – Zoom-bombing. Zoom-bombing is the disruptive presence of uninvited and unwanted participants in any online web conference platform. These participants join to vandalize or to interfere with meetings. Consider the following when hosting or joining a virtual meeting to mitigate the risk of falling victim to Zoom-bombing. 

Keep yourself and virtual meeting participants safe

Waterloo has a site-license for cloud-hosted WebEx and a limited on-premises installation of Adobe Connect (for a specific set of uses) to provide audio and video conferencing for the its community. Waterloo also uses Microsoft Teams for collaboration, which includes support for online meetings. Though some departments have purchased Zoom or other similar software in the past, the University is expecting to provide and support Zoom centrally starting in the spring 2021 term. 

Know your settings

Each product of all virtual meeting platforms offers different settings. However, some settings common to all will help prevent meeting interruptions.  Review your settings carefully during meeting creation, and look for availability of the following options: 

Require log in

This requires attendees to log in to their account for the given platform to attend a meeting. While this doesn’t prevent malicious activity by all authenticated users, it does ensure some accountability. 
 

Waiting rooms

Platforms can require attendees to be allowed into the meeting by a moderator. This can prevent strangers from being allowed access to meetings and prevents those kicked out of meetings from returning. However, it requires overhead effort by the meeting organizers to provide this gatekeeping, especially for large groups. 
 

Personalized invitations

Rather than making an event link public, each attendee will receive a unique URL or password. This prevents vandals from stumbling across your meeting.
 

Limit audio and video

For some meetings, it may not be necessary for general attendees to be able to show video or transmit audio. You may be able to turn these features off for certain groups or require moderator approval for access.
 

Limit screen sharing

Only presenters in a meeting require this access, so try to limit it only to them.
 

Limit chat and questions 

You may want to prevent attendees from posting messages in a general chat window. Some platforms can require questions and messages to be vetted by a moderator before becoming visible to all participants. Again, meeting hosts may consider enlisting someone to provide this function (e.g., a TA for a course, or a staff member for a department meeting). 
 

Go Professional

Many people are familiar with the free version of Zoom, which is limited in the number of attendees and the maximum length of a meeting. However, the paid version offers many additional features to enhance meetings. The paid solutions offered at Waterloo are also much more powerful than free Zoom. Use the professional level software for all meetings.

All hands on deck

These platforms offer in-meeting features to require attendees to be admitted by a moderator or remove troublesome participants. It is difficult for a presenter to also monitor chat and to deal with problems while trying to present material. Break the different roles involved in the meeting among several people to ensure a good or better experience for both presenters and attendees.

Use the right tool for the job

While all virtual meeting tools can be configured to protect your meetings, some offer optimized versions for different types of on-line gatherings. WebEx, in addition to its Meeting package, offers variants for training and events. These mimic in-person classes, with audience participation limited to audio and chat. Audience participation can be further controlled with chat messages not being displayed until approved by a moderator. 

 

I've been Zoom-bombed! What should I do?

  • Try to remove the disruptive attendees from the meeting
  • Prevent anyone from joining the meeting to keep the Zoom-bombers from returning
  • If necessary, shut the meeting down for all participants
  • Preserve all information pertinent to the meeting, including recordings
  • Send a description of the events to the IST Security Operations Centre (SOC) at soc@uwaterloo.ca and the incident will be investigated

Additional resources

Zoom-bombing is always an annoyance, but at its worst, it can be disruptive and intimidating for all meeting participants. We have the ability, though, to protect ourselves and our colleagues and students by following the advice in this document. Being security-aware can keep you from being a victim.