How to defend your virtual meeting from uninvited, malicious guests

As ‘Zoombombing’ becomes widespread, Penn’s Office of Information Security provides tips on staying secure.

Imagine sitting in a virtual class, or a meeting for work, and being interrupted by an uninvited guest. Silly gimmicks aside, too often this form of “Zoombombing” is playing out as extremely offensive—a few notches up from the already horrifying cyberbullying that took place before COVID-19 swept the globe.

And, yes, it’s happened to folks at the university level. Even at Penn.

Last Wednesday, during a weekly scheduled climate movement “happy hour” on Zoom co-hosted by Billy Fleming, the Wilks Family Director of Penn’s Ian L. McHarg Center for Urbanism and Ecology, dozens of malicious accounts “bombed” the meeting, making rude, inflammatory comments toward some of the participants.

“After a few minutes of trying to block and mute all of them unsuccessfully, we closed the Zoom and opened a new one to check in with everyone who’d been on the call, and were understandably very upset,” Fleming says. “We were all shocked and frazzled when it happened—we were not prepared for them.”

Fleming had briefly taken note of Zoombombing before the incident (he saw a stray headline about it on Twitter) but didn’t realize it was quite so widespread “until it happened to us.”

“Since then, nearly every organization I deal with has had some version of this happen to them and major features on the phenomenon have appeared in Gizmodo and The New York Times,” Fleming says.

Penn’s Office of Information Security (OIS) has been working hard—since the very first report of Zoombombing taking place—to address the problem as best it can. The OIS team has crafted a useful resource and recommendation guide, which is constantly being updated, highlighting best practices.

The biggest defense against Zoom attacks, the website notes, is to avoid public posting of Zoom links where they can be accessed by people outside the Penn community. Think: public social media accounts, or places where Zoom links can be sniffed out with a Google search.

Zoom, a remote conferencing service, has been targeted by attackers mostly for its open settings and its rapid rise in use as many people have moved to online ways of interacting while staying socially distanced.

“Zoom gained a lot of popularity because it is very easy to use, in part because it is very easy to join meetings,” says Penn’s Chief Information Security Officer Nick Falcone. “That openness is what is being exploited in these incidents. So, while other platforms can have the same problems, it is a little less likely there.”

This past weekend, in response to numerous Zoombombing incidents, Zoom aptly changed its default settings to require a password and maintain a “waiting room” for meetings. The password can be included with the Zoom meeting invite, so it will not make the software harder to use, but it will make it more difficult for random guests to crash meetings, explains Falcone. 

“The waiting room will take a little bit of adjustment,” he says. “This is a setting that means that each participant will have to be approved by the meeting organizer before they can enter the meeting. This will make it harder for uninvited guests to join, but will also mean a little more work by presenters who have to let folks into the session.”

Falcone adds that any teleconferencing platform—even BlueJeans, often used across Penn—can be bombed if meeting information gets into the hands of someone wanting to cause trouble.

In most of the Zoombombing incidents, the actor will share their screen to display something offensive. To override this, Falcone says, the presenter should share their own screen. The host can then select the arrow next to “share screen” and click “advanced sharing options” and then, under “who can share,” select “only host.”

Next, if an attacker or attackers do enter the meeting, they should be removed quickly. If the list of participants is not already available, click “manage participants” at the bottom of the window to show the meeting participants. Then, select the problem individual or individuals and select “more,” then “remove.”

For now, Fleming has put in place all the administrative controls needed to ensure his meeting won’t be bombed again. He’s also searching for a viable alternative to Zoom.

“Unfortunately, many of [the recommended measures] make it hard to run an inclusive event like the happy hour we’ve been hosting—we tend to get a nice mix of friends and colleagues with new voices we’ve never met,” Fleming says. “That’s hard to replicate when the room is locked down.”

Ultimately, Fleming says, these bad actors will not stop him from organizing such important events.

“We’ve heard over and over from those on last week’s call that they want us to keep going, so we will,” Fleming says. “Particularly in these fraught times, we need more spaces for community building and hopefully these happy hours will serve as one of many vehicles for that.”

Faculty and staff with questions or concerns regarding Zoombombing or other technical issues are encouraged to work with their local IT crews.