Recently, a school in Norway had to stop using the Whereby video conference service because, during a video lesson, a man broke into the group video conference and showed himself naked.



This new phenomenon is called, according to Wikipedia, "Zoombombing":

Zoombombing refers to the unwanted intrusion of an individual in a video conference call. The term became popular in 2020, after the COVID-19 coronavirus forced many people to stay at home, and use videoconferencing on a large scale. The term derives from the name of the popular Zoom videoconferencing software, though the phenomenon can refer to any type of intrusion on a video conference.

https://en.wikipedia.org/wiki/Zoombombing

The intrusion [1] was possible because the man was able to guess the public link of the video lesson.
The issue is already known, but it is now in the spotlight due to the sudden increase in the use of these communication tools: each video conference is assigned an identifier, a meeting ID, which is not difficult to guess.
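Seen from the side of whoever operates the conferencing service, guessing of meeting IDs leaves a trace: one source requesting many IDs that do not exist. The following is an added example, not part of the original post or of any vendor's code; the log format, result names and thresholds are assumptions, and the log lines are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample join log (hypothetical format): time, source IP, meeting ID, result.
SAMPLE_LOG = """\
2020-03-26T09:00:01 198.51.100.7 482913 not_found
2020-03-26T09:00:02 198.51.100.7 482914 not_found
2020-03-26T09:00:03 203.0.113.20 771204 joined
2020-03-26T09:00:04 198.51.100.7 482915 not_found
2020-03-26T09:00:05 198.51.100.7 482916 not_found
2020-03-26T09:00:06 198.51.100.7 482917 joined
2020-03-26T09:00:30 203.0.113.21 771204 bad_password
2020-03-26T09:00:41 203.0.113.21 771204 joined
2020-03-26T09:20:00 203.0.113.22 771205 not_found
"""

def parse(log):
    """Yield (time, ip, meeting_id, result) for each well-formed line."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, ip, meeting, result = parts
        yield datetime.fromisoformat(ts), ip, meeting, result

def find_id_guessing(log, window=timedelta(minutes=5), threshold=4):
    """Return {ip: most distinct non-existent IDs tried inside one window}
    for every source that reaches `threshold`."""
    misses = defaultdict(list)  # ip -> [(time, meeting_id)]
    for ts, ip, meeting, result in parse(log):
        if result == "not_found":
            misses[ip].append((ts, meeting))
    flagged = {}
    for ip, events in misses.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            ids = {m for _, m in events[start:end + 1]}
            if len(ids) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(ids))
    return flagged

def meetings_reached(log, flagged):
    """Meetings a flagged source joined: their hosts should change the link or set a password."""
    return sorted({m for _, ip, m, r in parse(log) if ip in flagged and r == "joined"})
```

A mistyped password on an existing meeting (`bad_password`) is deliberately not counted, so a participant who fumbles the password is not flagged.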


How to avoid this risk?

The remediation is easy: protect the video conference with a password, as indicated in the configuration instructions of the various services, such as Zoom [2] or Webex [3].

https://twitter.com/redpenblackpen/status/1242988090702155786

According to a post by SamuraiSecurity [4], there are some additional tips, such as disabling phone calls or protecting them with a PIN and enabling two-factor authentication, especially for those who are videoconferencing administrators and for those who record sessions: anyone who has access to the administrator account can download any recorded session.


References

  1. A Norwegian school quit using video calls after a naked man ‘guessed’ the meeting link
  2. Meeting and Webinar Passwords – Zoom Help Center
  3. Required Password Enforcement for Webex Meetings, Events, and Training Sessions
  4. Zoom default settings are NOT secure. Here is what can go wrong, and how to stop it.

