CHICAGO — Morgan Elise Johnson has been hosting virtual meditation sessions each weekday morning through her digital media company The Triibe, to bring a sense of calm to the audience during the coronavirus outbreak.
One morning last week, though, that calm was shattered.
The group was using video conferencing app Zoom and had just started its session when some young men joined the meeting, Johnson said. They started heckling the wellness professional leading the meditation. Then it got worse.
They took control of the screen and started searching for pornography, Johnson said. When she tried to mute them, the hackers scolded her and used a racial slur.
“I just exited out right away,” Johnson said. “For it to be at a moment where we were seeking community and seeking collective calm … it really cut through my spirit and affected me in a very visceral way.”
The group, comprised mainly of Black Chicagoans, had been “Zoombombed,” an increasingly popular form of hacking where someone drops in, uninvited, to a Zoom video meeting. The Triibe has continued hosting meditation sessions, but they’re doing it on Instagram Live instead, Johnson said.
“It’s just a question of how do we move forward?” she said. “Is Zoom a platform that we need to just disregard completely?”
Zoom’s popularity has skyrocketed as millions of homebound people settle into new remote work and learning routines during the pandemic. There are free versions of Zoom, or users can pay for a subscription for broader use. The platform has been used in recent weeks for everything from business meetings and yoga classes to virtual happy hours. But the increased use of Zoom has brought more opportunities to hack into it.
Unlike other types of cyberattacks, hacking into a Zoom meeting can be relatively easy if certain security settings aren’t turned on, experts say. Zoom invites often are posted on social media to increase attendance, which can make them more vulnerable. Some argue Zoom’s default settings could be more secure.
“Bad actors are focusing on the fact that everybody’s using it but not everybody may know how to use it properly,” said Louis McHugh IV, a cybersecurity professor at the Illinois Institute of Technology.
In other forms of cyberattacks, hackers typically want money, McHugh said. They’re out for passwords, credit card numbers, or data to hold ransom that will end in a payday. That does not seem to be the case with Zoombombing, McHugh said. So far, the main motivation appears to be mischief.
But many reported incidents of Zoombombing tread into more nefarious waters, said David Goldenberg, Midwest regional director of anti-hate organization ADL, also called the Anti-Defamation League. On Tuesday alone, ADL’s Chicago office received four calls from different Jewish organizations reporting that their video meetings had been targeted.
“We assume that those who are doing it are seeking to disrupt, and in some cases, spread hate and even intimidate,” Goldenberg said. “Those who have particular ideologies … can use this as an opportunity to target different groups.”
ChiTribe, a Chicago-based organization meant to reach Jewish millennials, was Zoombombed Monday night, said co-founder and Executive Director Rebecca Joey Schwab.
The group was hosting a virtual game night on Zoom with about 30 people, when hackers took control of the call. They appeared to be teenage boys, Schwab said.
Schwab knew immediately what was happening. She uses Zoom frequently and knew that if meeting hosts don’t disable certain settings, members can take control of the screen. Schwab and the meeting host acted quickly to shut down the call.
The incident lasted less than a minute, but that was enough time for the hackers to shout antisemitic profanities, Schwab said.
“It was jarring, and it was good it happened to us because we knew what to do,” she said.
The host changed Zoom settings to lock down the meeting to uninvited guests, and took other measures. Ten minutes later, the virtual game night was up and running again.
Similar incidents have been reported from around the city and country. Earlier this week, the FBI Boston Division put out a warning about Zoombombing after receiving reports of video conferences being interrupted with hate speech, pornography and threatening language.
New York’s attorney general sent Zoom a letter asking what steps the company is taking to ensure users’ security and privacy.
On Tuesday, Chicago aldermen and Illinois state representatives were on a press conference via Zoom that was hacked.
“It was disruptive,” said Ald. Brian Hopkins, 2nd, who was on the call. “The intent was to derail our press conference. Whoever did this had some success.”
Illinois’ attorney general’s office has not received any complaints about Zoom hacking, but it is monitoring the issue, spokeswoman Tori Joseph said.
“We urge people to take steps to protect themselves, such as password protecting their meeting, not sharing meeting credentials with anyone who is not a participant in the meeting, and disabling screen sharing,” she said in an email.
Some organizations that use Zoom are taking measures to lock down their meetings or class sessions.
The University of Chicago has worked with Zoom to maximize security and update default settings, said spokesman Gerald McSwiggan. The university’s information technology department is holding training sessions for instructors.
Zoom recently updated guidance on how to better lock down meetings. Chief Marketing Officer Janine Pelosi said in a statement that the San Jose, Calif-based company is “deeply upset” about the incidents.
“We take the security of Zoom meetings seriously,” she said. “We also recently updated the default screen sharing settings for our education users so teachers by default are the only ones who can share content in class. We strongly condemn such behavior.”
Users that have experienced a Zoombombing say they never would have thought they’d be hacked in such a way. Dr. Santina Wheat, a family physician at Erie Family Health Centers, said she was on a Zoom call last week that hackers dropped in on.
She was about 40 minutes into a call with other physicians, discussing how to provide care during the pandemic, when two men joined the meeting and started swearing. It was jarring, Wheat said, but at least now she knows to look out for it.
User education will be key to combating Zoombombing, said Art Sturdevant, director of operations at Ann Arbor, Michigan-based cybersecurity company Censys.
“As Zoom becomes more prevalent, this problem is going to pick up steam,” he said. “If the quarantine drives on, people are only going to get more bored, and you’ll see more mischief.”
Here are some tips from the FBI, Zoom and other experts to prevent Zoombombing:
Keep meetings and classrooms private. Do this by requiring a meeting password. Additionally, the “Waiting Room” feature can help hosts control who enters.
Do not share invites to Zoom meetings on social media. Instead, send the meeting password directly to attendees.
Use a random meeting ID, so it can’t be shared multiple times. According to Zoom’s website, this is safer than using a “Personal Meeting ID.”
Change screensharing settings to “Only Host,” so no one but the host can control the screen. The host can also mute participants in their settings.
Lock a Zoom session that has already begun so no one else can join. Do this by clicking “Participants” in the bottom of a Zoom window, then clicking “Lock Meeting.”
Remove participants by hovering over their name in the Participants menu, and clicking the “Remove” option. The removed participant will not be allowed back in, according to Zoom’s website.
The FBI advises users to make sure they have the most updated version of Zoom’s software. A recent security update added default passwords and disabled the ability to scan for meetings to join.