“Zoombombing” in video conferencing is still going strong. It disrupts increasingly strategic online meetings, often with malicious intent. To avoid this, video conferencing security must be maximised at all levels.
What is “zoombombing” in online meeting?
“Zoombombing” is an unwanted intrusion into an online meeting. During the health crisis and the containment, the sudden and massive use of video conferencing caused this phenomenon to explode. Zoombombing” got its name from the large number of intrusions by malicious people during Zoom videoconferences.
Indeed, intruders can have different objectives when they join a videoconference, ranging from simply disrupting the meeting to retrieving sensitive data such as the names of participants, the purpose of the meeting, documents or shared screens…
Serious consequences for organisations
An intruder in a videoconference is not only disruptive to the conduct of the meeting. It also represents a danger for the confidentiality of the information exchanged.
In its latest flash on the risks linked to video conferences, the DGSI cites the example of an intrusion into a company’s video conference to broadcast messages of a terrorist nature. The cause? No control over access to the online meeting: registration was free and the application password had a very low level of security. This lack of protection made it easier for individuals to break in.
Similarly, a recent Federal Reserve videoconference was cancelled after pornographic images appeared and were distributed by an anonymous participant in the meeting. About 100 representatives of major US banks were present during this online meeting. This disruption has led to the risk of data theft and tarnished the organisation’s reputation.
A must: the security of the video conferencing software used
These intrusions can be avoided if the videoconferencing software used is “Secure by design“. This principle consists of designing software by addressing security concepts from the very first stages of its design, in order to prevent the risks of security breaches.
Access to the software or its functionalities are thus subject to strict analysis from the moment they are created. As a result, as soon as a vulnerability is discovered, it is immediately corrected before the software is deployed.
For video conferences, end-to-end encryption is one of the essential security criteria. This data transmission system (audio, video and data) guarantees total confidentiality of communications. Indeed, only the sender and the recipient(s) are able to decrypt the data exchanged, without any decryption phase between them.
It is therefore impossible to eavesdrop or spy on an end-to-end encrypted video conference from outside the meeting. Therefore, end-to-end encryption makes it even more difficult to intrude into an online meeting.
The key role of the videoconference organiser
The security of the video conferencing software is a first barrier against “zoombombing” in online meeting.
However, to ensure maximum protection, it is important that the meeting organiser is able to :
- easily manage the participants and exclude an unwanted participant at any time
- moderate the speaking rights in the meeting
- adapt the security level according to the sensitivity of the meeting
Controlling access to online meetings
When a videoconference login link is shared, some unwanted guests have the opportunity to login and access the meeting directly.
With Tixeo, if someone clicks on a videoconference login link, he/she indicates his/her name and accesses a waiting room. The organizer receives a notification of this access request. The organiser can then decide whether or not to include this person.
Similarly, at any time during the online meeting, the organiser can exclude a participant if he or she considers that the participant is suspicious.
Managing participants’ rights
Until all the participants in the videoconference are assembled, it is preferable that only the organiser has the microphone open. This avoids noise from everyone arriving and the risk of an intruder speaking up and attracting attention.
The organiser can also ask each participant to activate their webcam, so that there is no doubt about who is present, as recommended by the DGSI.
Choose the right security level
Tixeo allows the organizer to choose a higher or lower security level depending on the sensitivity of the videoconference.
For example, with a standard security level, it will be possible to share a connection link to the meeting and to connect to it from a web browser.
With a maximum security level, participants will have to create a user account and connect to the online meeting from the software.
Avoiding sharing information about an online meeting
Finally, information about a videoconference is sometimes inadvertently shared. For example, in shared agendas, where the list of participants, the purpose of the meeting or the login link is accessed. But it also happens that photos of meeting rooms with a video conference in progress are published on social networks, even though the name of the network or the connection identifiers can be seen on the screen.
Vigilance must be exercised when sharing this type of information as it can lead to “zoombombing”.
Tixeo, Secure by Design video conferencing software, integrates security in the design of its solution. Its end-to-end encryption technology secures communications, regardless of the number of participants in the videoconference.