Distanced by Coronavirus, lawyers and teachers are flocking to the teleconferencing platform Zoom to meet and share screens.  Zoom is also turning up as a way to emulate face-to-face social interactions ranging from AA meetings and book clubs to happy hours and rock concerts.  Last week, the Chipotle fast food chain sought to bring a little joy to COVID-stressed customers by hosting an online concert with singer/songwriter Lauv. Things didn’t go as planned, and there’s a lesson there for lawyers and others needing meeting security.

Per Tressie Lieberman, Chipotle’s VP of digital and off-premise, “As we saw large scale events begin to get cancelled, we wanted to act fast and give our fans something to get excited about despite being surrounded by negative news.”  Chipotle acted fast–too fast it seems–and assuredly gave viewers something to get excited about, though not as intended.  Chipotle was forced to pull the plug after one attendee used Zoom’s Screen Share feature to broadcast pornography to hundreds of other attendees.  ‘Zoombombing’: When Video Conferences Go Wrong New York Times, March 22, 2020

Whoever configured the Zoom meeting apparently failed to select the option that limits the ability of any meeting participant other than the host to share screens.  As a result, any attendee—including any troll logging in anonymously—could share any content they like with all other attendees.  It’s called Zoom bombing (like Photobombing) and it’s a growing disruption.  If a Zoom bomber logs in multiple times, stopping the interloper is like playing Whack-a-Mole.  The host shuts down one Zoom bombing instance only to push the Zoom bomber to the next and the next.

It’s an embarrassment that could have been avoided had the individual setting up the Zoom meeting changed a Screen Sharing option buried in the program’s settings menu, eschewing the default “All Participants” in favor of the the considerably safer “Host Only” as seen below.

This unfortunate intrusion was caused by user error, not a vulnerability in the tool.  But I’d been expecting something of a similar nature to occur since I noticed that Zoom issues every subscriber a personal Zoom meeting ID as an alternative to generating a one-time use meeting ID for every meeting. That’s a vulnerability. What it means is, if anyone learns the host’s personal Zoom meeting ID (hint: it’s the meeting number contained in the meeting invitation), anyone can attend the host’s personal meetings whether invited or not.  Of course, if the host is managing participants and keeping a close eye on headcounts, an uninvited lurker may be spotted.  If it were a meeting of many counsel in multidistrict litigation or other matters characterized by large teams, it would be easy for an opponent to log in and listen undetected. 

Here are other simple tips to secure your Zoom meetings against Zoom bombers and eavesdroppers:

1. Protect your personal Zoom meeting ID as you would your personal passwords. Never use your personal Zoom meeting ID to host a meeting.   Instead, have Zoom automatically generate a unique meeting ID for your invitations.

2. Require a meeting password.  Zoom will generate one for your invitees when you check the box.

3. Allow only authenticated users to join.  To gain entry, invited users will need to have a Zoom user account (they’re free) and log into Zoom.

4. Require participants attend with video cameras turned on, at least until the host can identify all the participants in the meeting and confirm they were invited.

5. Lock the meeting after all invited attendees have joined and prevent latecomers. To lock an ongoing meeting, click “Manage Participants,” then click “More” at the bottom of the Participants screen.  Finally, choose” Lock Meeting.”