Hackers zoom in on COVID

Teleconferencing platforms are not immune to disruptions, but there are steps you can take.

Modern problems require modern solutions, which then lead to more problems.

During the COVID-19 pandemic, and Gov. Gretchen Whitmer’s executive order for residents to “Stay Home, Stay Safe,” many residents and essential businesses have turned to teleconferencing platforms like Zoom to stay connected, but according to FBI statistics, there has been a rise in teleconference hackings across the U.S.

The state of Michigan has seen several instances of such hacking, or “Zoom-bombing” in just one week. Hackers often disrupt conferences and online classrooms with pornographic and/or hate images and threatening language.

In response, Michigan’s chief federal, state, and local law enforcement officials are joining together to warn anyone who hacks into a teleconference can be charged with state or federal crimes. Charges may include disrupting a public meeting, computer intrusion, using a computer to commit a crime, hate crimes, fraud, or transmitting threatening communications. All charges are punishable by fines and imprisonment.

“Whether you run a business, a law enforcement meeting, a classroom or you just want to video chat with family, you need to be aware that your video conference may not be secure and information you share may be compromised. Be careful. If you do get hacked, call us,” said Western District of Michigan U.S. Attorney Andrew Birge.

As individuals continue the transition to online lessons and meetings, state and local law enforcement recommend the following steps to mitigate teleconferencing threats:

  • Do not make the meetings or classroom public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
  • Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
  • Manage screen sharing options in Zoom; change screen sharing to “Host Only.”
  • Ensure users are using the updated version of remote access/meeting applications. In January 2020, Zoom updated its software. In its security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
  • Ensure the organization’s telework policy or guide addresses requirements for physical and information security.

The city of Grand Rapids is preparing for its first public teleconference meetings since the governor’s shelter in place order was executed.

Doug Start, director of IT for the city, said much of the time teleconference meetings are being “hacked” because users are posting the meeting information publicly. Additionally, he recommended requiring pass codes to enter a meeting, even though people may choose to omit them for convenience.

“I think it’s just a learning curve of suddenly being thrust into how you do everything virtually in a matter of days,” Start said.

No city departments have been the victim of a teleconferencing hack as of press time, Start said. The city uses Skype and Microsoft Teams for private meetings and Cisco Webex for public meetings. Start added the level of security users are afforded can depend on the software and how it’s set up.

“I know Zoom is getting a lot of the negative press now,” Start said. “It’s a semi-free, easy-to-use platform, but they’re all about the same.”

Start said the city chose Webex because it provides users more control over who can enter the meeting, as well as giving users control over volume and muting.

The city’s IT department recommends departments exercise the same precautions outlined by federal, state and local law enforcement to avoid cyber attacks during a meeting.

“Put a password on, even if it’s inconvenient,” Start said. “Pay attention to some of those things you’d normally take for granted in a face-to-face meeting. When you’re online, the whole world can come to you in click.

“We’re as comfortable as we can be. Nobody’s really comfortable right now. As we learn more, we’ll make adjustments, just like anybody else.”

Susan Benington, corporate attorney with Varnum LLP, said it’s important for companies to educate employees about company policies and acceptable use guidelines when it comes to using new technologies on work devices or to perform work functions, such as team meetings.

“For users, make sure to check with whoever the right person is to determine if it’s an approved or sanctioned product, because the call itself could include critical information,” Benington said. “By verifying that it can be used, in addition to making sure the company is aware, it ensures appropriate commercial terms are in place. That will determine how data will be used from a commercial perspective.”

Customers also should take the time to read terms of use and privacy notices, so they know how information like video recordings and conversation transcripts are secured, used and shared.

“None of us want to do this,” Benington said. “I’ll admit, I should be doing it as well, but we all need to be aware of terms of use and privacy notices. When the data we’re providing is more sensitive, users really need to be reading the privacy notices.”

On the other end, companies launching a new online or connected device product must implement compliant privacy notices and product security or else risk facing significant public relations or consumer backlash and subsequent litigation on both the state and federal level, Benington said.