Zoombomb! Security for Zoom Learnt the Hard Way…Again!
The world is a very different place today… in fact it’s a very different place to what it was just two weeks ago. During this forced working-from-home situation caused by the COVID-19 pandemic, workers, friends and family have been forced to go digital to keep up social interactions. The messaging platform that has become a household name almost overnight (for those outside of IT) is Zoom. In fact, just as we use verbs like Uber to ride-share or Skype before it to chat online… everyone seems to be Zooming everyone.
It’s no surprise that Zoom has risen in popularity among the general non-tech-savvy population. It’s easy to use, is low friction when it comes to initial setup and is multi-platform. It was born to make people’s experiences of online meetings simpler. For those interested in Zoom’s history, the AcquiredFM Podcast guys go through the timeline of how Zoom rose to prominence, how it won the hearts and minds of core IT, which led to penetration into the Enterprise, and from there how it went into an extremely successful IPO.
The other interesting part of Zoom is that they have a freemium model where you can host a meeting of up to 40 minutes for up to 300 people.
Since the start of this global situation Zoom has… well… Zoomed. The stock price has shot up even more, helped by a series of announcements about supporting schools and businesses by extending paid access for free. When you rise so quickly… people will look to take you down just as quickly. This can be seen in the last week, where some of the positive news around Zoom has flipped to more negative press: security concerns around the communication protocol they leverage, and the most pressing issue, ZoomBombing. When you give your software away for free and also offer very generous responses to world crises, you also leave yourself open to focused attacks… this has been happening a lot over the past week or so.
Another Real World Security Oops From Me
Those that read my blog and follow me know that I had an incident where my AWS Access and Secret key were scraped from GitHub after I mistakenly uploaded them… they were not there for more than 5 minutes, but that was enough time for a malicious attack. I learnt my lesson and I am now super paranoid about any upload I do to GitHub… should have learnt my lesson, right? Trust is an amazing thing, and a lack of situational awareness came back to bite me yesterday. Three weeks ago we started the Veeam Product Strategy Live Podcast. The idea was to leverage Zoom to have an open meeting where members of the Product Strategy Team spend 30-40 minutes chatting about stuff. For the first two episodes we had an open Zoom meeting which was advertised via Twitter and LinkedIn, and they went smoothly.
Last night’s episode was going ok, until about 15 minutes in, when I noticed a sudden influx of attendees. We had been ZoomBombed! The look on my face says it all. I can’t even begin to repeat what was said… but suffice to say some younger males had a lot of fun with it. Clearly groups are scraping Twitter for open Zoom meeting IDs and then posting them to internal forums for them to ZoomBomb. At the end of the day it was harmless for a group of adults conducting a meeting, but where this becomes very sketchy is when it happens while children are on a call. Zoom offered free access to all K-12, which means that the platform is being used by lots of schools who, like me, might be making the same mistake… in fact here is a very specific example of where this becomes disgusting and dangerous for those attending bombed meetings.
To Zoom’s Credit
Zoom yesterday came out and responded with this Blog Post outlining their response to both the criticisms and the security of meetings. For me, this shows that the company is responding well to the increased criticism, and for what it is worth, we will surely see a much better, tighter platform evolve from this.
We did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socializing from home. We now have a much broader set of users who are utilizing our product in a myriad of unexpected ways, presenting us with challenges we did not anticipate when the platform was conceived.
Any business, school or individual using Zoom as a new user (me included) should read the blog post and follow the links to the content they have created, to be better prepared to host Zoom meetings.
Veeam Product Strategy Take
After the initial bombed meeting, we resumed for take 2 and, with what had just happened fresh in our minds, we had an open conversation about the situation. That can be viewed below.
It should be said that I have once again learnt my lesson, and the meeting above was recorded behind tighter security. It’s a bit of a shame that we will have to change tactics to keep the Veeam Product Strategy Live Podcast live… but there are technologies available to make this possible. In any case…
I’ve once again learnt a lesson the hard way to not trust the internet and people who are always looking for a way in. Situational awareness in this new digital age is essential!