Cybersecurity Issues: Zoom hacking of universities and schools

COVID-19 has forced education – from preschool through post-graduate – to shift from in-person to online. One of the biggest platforms being used by educational institutions is Zoom. As the use of Zoom increased this spring, when classes first transitioned online, so did the risk of hackers exploiting vulnerabilities in the system. Cybersecurity experts were immediately tasked with identifying and resolving these issues to ensure students and staff remained safe.

Zoom hacking, or Zoom bombing, has been a nationwide problem resulting in hackers accessing Zoom “classrooms” and displaying anything from pornographic materials to hate images. By late March 2020, the number of hacking concerns led the FBI to issue a warning and made recommendations for keeping Zoom more secure. 

By early April, Zoom was working on enhancements to privacy and security, issuing a freeze on all work unrelated to these issues. Zoom 5.0, released at the end of April, was a massive update including over 100 features directed in preventing future hacking. Upgrades included a higher level of encryption, a
“Report a User” function, and defaulting meeting settings to require a passcode, waiting room, and limited screen sharing.

Following up on the Zoom 5.0 enhancement, Zoom issued a report in July, including a list of steps taken to ensure that Zoom remains secure from hackers moving forward. According to the report, CEO Eric Yuan stated that Zoom, “put mechanisms in place to make sure that security and privacy remain a priority in each phase of our product and feature development:

• Design phase: Security requirements, risk assessment, threat modeling 
• Build: Secure code guidelines, self-service scanning, CI/CD tools
• Test: Security testing, automated test execution, web testing tools
• Stage: Secure configuration, integrity monitoring, validate requirements
• Production: Monitoring the security of our system, system health, threat landscape.”

These cybersecurity strategies, along with others like creating a Chief Information Security Officers (CISO) council, running additional penetration testing to identify potential concerns, and partnering with industry security experts, are all geared toward limiting Zoom hacking and protecting the students, teachers, and faculty that use the program.

With any new technology, it’s important that cybersecurity experts stay on top of the potential for threats, and communicate with staff the methods that those threats can be reduced.

CNet reported four steps that cybersecurity staff and users alike can use to ensure that their Zoom meetings are as secure as possible, therefore limiting the likelihood of Zoom bombing. Most of these steps relate to the enhanced settings that Zoom has issued and are easy to implement. 

For example, users can create meeting-specific IDs instead of a user-specific personal ID. That way, if a hacker has obtained a user’s personal ID, it can’t be used to access a specific instance of a meeting. Another default setting to take advantage of is the waiting room, which forces the meeting host to individually admit attendees into the meeting session. 

More advanced options include disabling multiple functions, like the ability for attendees to join before the host, screen share, or transfer files. Meetings can also have co-hosts assigned to assist with security efforts and can be locked to outsiders. 

Zoom also encourages users to report all instances of Zoom hacking. A “Report” function has been added to the Security tab so that problematic users can be easily reported to Zoom. 

As classes continue to remain online, it’s especially important that those in the education world remain vigilant on the latest cybersecurity concerns and methods for staying safe.

Want to learn about cybersecurity? Capitol Tech offers bachelor’s, master’s and doctorate degrees in cyber and information security. Many courses are available both on campus and online. To learn more about Capitol Tech’s degree programs, contact admissions@captechu.edu.