As college students and professors turn to video conferencing platforms to stay connected during the COVID-19 pandemic, the FBI issued a warning Monday that bad actors have hijacked several conferences and disrupted classes with explicit and hateful images and comments.
Also called “Zoombombing,” after the popular video conferencing tool Zoom, hijacking incidents have been reported at two Massachusetts-based schools, as well as at the University of Southern California.
Interruptions to USC’s online classes took place on March 24th, a university spokesperson told EdScoop.
Several classes were interrupted when unknown individuals joined Zoom calls and used the platform’s screen-sharing feature to share “racist and vile” comments with everyone on the call, according to the university.
“We are deeply saddened that our students and faculty have had to witness such despicable acts,” USC president Carol Folt and USC provost Charles Zukoski wrote in a letter to students and faculty. “When students and faculty gather, there is a trust that it is a safe environment. This trust has been breached by people intentionally trying to cause great harm at a time when our entire community is trying to cope with a global health crisis.”
The hijacking didn’t exploit software vulnerabilities in the Zoom platform, but instead took advantage of faculty’s inexperience with the tool by taking control of calls using Zoom’s screen-sharing function.
Faculty hosting Zoom calls can lock the screen-sharing function to prevent participants from sharing random content, according to Zoom. Faculty are also able to lock Zoom sessions to prevent others from joining, restrict chat functions, remove participants from calls and set up waiting rooms where students can wait to be admitted into their classes by an administrator.
“We take the security of Zoom meetings seriously and we are deeply upset to hear about the incidents involving this type of attack,” a Zoom spokesperson said. “For those hosting large, public group meetings, we strongly encourage hosts to review their settings and confirm that only the host can share their screen. For those hosting private meetings, password protections are on by default and we recommend that users keep those protections on to prevent uninvited users from joining.”
Default settings for Zoom calls on education accounts were updated on March 26 to change default screen-sharing settings to “host-only.” And beginning April 2, the waiting room feature will be turned on by default.
At USC, IT staff are working to quickly implement safeguards for online classes, Douglas Shook, USC’s chief information officer, said in a letter to faculty.
“Additional development is underway to further tighten up the access to our on-line learning environment and classes,” he said.
The FBI also on Monday released guidelines for hosting classes using video conferencing platforms, suggesting faculty ensure their software is up-to-do date, make meetings or classrooms private and not to post links to conference sessions on social media.