Zoom is getting some unwanted attention as internet miscreants or mischievous students learn to abuse its open default settings. There have been several reports of “zoombombing” where uninvited guests join a zoom session and share offensive content, including reports from universities. For example, The University of Southern California (USC) has had classes disrupted.
The biggest defense against these types of attacks is to avoid public posting of Zoom links where they can be accessed by people outside the Penn community. This way someone looking to cause trouble cannot join the meeting just by sniffing out the Zoom link with a Google search.
Additional recommendations include:
By default, users can share their screen with all participants, allowing a participant to share offensive content with the meeting. With this default setting disabled, users must be authorized by the host before they can share.
Unless needed, disable “file transfer” to avoid participants passing viruses or other malicious content to other participants. File transfer is disabled by default. Incase it is enabled:
- Sign in the Zoom web portal
- Click Settings
- Navigate to the File Transfer option on the Meeting tab and verify that the setting is enabled
- If the setting is enabled, click the Status toggle to disable it
- If a verification dialog displays, choose Turn On to verify the change.
You can limit the file type/extensions you plan to share by taking the following step:
Disable “Allow Removed Participants to Rejoin” so that if a troublemaker is removed from a meeting they cannot simply rejoin.
If you are the account admin, you can disable "Allow Removed Participants to Rejoin" by taking the following steps:
- Sign in to the Zoom web portal as an administrator with the privilege to edit account settings.
- Click Account Management and then Account Settings
- Navigate to the Meeting tab and In-Meeting (Basic) and switch off the Allow removed participants toggle.
- Be careful when joining personal IDs and Links: Sharing Personal Meeting IDs and personal links can be used to re-join the same meeting room later, which may be unwanted.
- Lock Meeting: To prevent new participants from joining a meeting, the host can lock the meeting after the arrival of attendees by clicking on:
- More at the bottom of the Manage Participants window.
- Select Lock Meeting
- Mute unintentional background noise and Stop distributive video: The host can mute individual participants unintentional background noise:
- More next the participant's name in the Manage Participants window.
- Click Mute.
- For distributive video follow the steps to mute unintentional background but instead of clicking Mute, you can click to Stop a participant video.
- Block annotations to prevent participants from using annotation tools to add information to shared screens.
Meeting passwords can be employed if there are challenges in restricting access only to the intended participants.
If you use a Personal Meeting Room, a good place to start is disabling the “Enable join before host” option. This prevents others from using your Personal Meeting ID without you. To adjust this setting, follow these steps. [1]
- Navigate to meeting settings in the Zoom web portal.
- Click Personal Meeting Room.
- Scroll to the bottom of the page and click Edit this Meeting.
- Deselect Enable join before host.
- Click Save.
[1] Steps were borrowed from Stanford University IT at https://uit.stanford.edu/service/zoom/meetingsecurityguide
Zoom: Managing participants in a meeting
University of Southern California (USC) Zoombombing Resources
ZD Net - "How to prevent Your zoom meetings being Zoom-bombed (gate crashed) by trolls"
The New York Times "Troll Terrifies Public Zoom Meeting by Sharing Highly Disturbing Video"
Stanford University How to Protect Your Zoom Meetings