On Monday, March 30, Dean of Students Shea Kidd Houze was hosting a Milkshake Monday event with students over Zoom when an unknown guest launched a racist disturbance. The act, known as “Zoom Bombing,” has become common at institutions across the country, as the video communications company has seen a surge in users in the current pandemic.
Zoom Bombing refers to an intruder interrupting a Zoom meeting to post hateful and/or offensive material. The issue quickly became such a problem that the FBI’s Boston office released a warning about the service the same day as UT’s incident.
The agency’s release cited two incidents in Massachusetts schools that prompted the warning. The first featured an individual dialing into a Zoom classroom to shout profanity and the teacher’s home address. In the second, an individual joined the video stream and displayed swastika tattoos.
The next day, March 31, UT Chancellor Donde Plowman released a statement about the incident in her daily campus update email. In the email, Plowman emphasized the university’s commitment to ensuring students matter.
“Most importantly, I want all of our students, faculty and staff to know that we care about you, and that we commit to working daily to make the University of Tennessee a place — both on campus and online — where everyone matters and everyone belongs,” Plowman said.
Zoom has come under tighter scrutiny as its user base has grown rapidly during the coronavirus outbreak. In a blog post on Wednesday, April 1, Zoom CEO Eric Yuan described his company’s efforts to keep up with demand.
“To put this growth in context, as of the end of December last year, the maximum number of daily meeting participants, both free and paid, conducted on Zoom was approximately 10 million. In March this year, we reached more than 200 million daily meeting participants, both free and paid,” Yuan said.
Yuan also said that while the app had fallen short of privacy expectations, it was designed for organizations with integrated IT support, such as government agencies or large businesses. The unexpected surge of people all over the world working and socializing from home thus broadened the range of use cases the company encountered, exposing issues with the platform.
Unfortunately, issues soon surfaced, including an apparently misleading claim about the company’s encryption practices. Zoom previously said that video calls were end-to-end encrypted, relying on its own definition of the term in which the company’s servers are regarded as an end. This mode of encryption, called transport encryption, protects traffic between a client and Zoom’s servers but leaves those servers able to decrypt it, so Zoom could potentially access the content of meetings.
In a separate post on April 1, Zoom’s Chief Product Officer Oded Gal said that while Zoom maintains the key management system for its encryption in the cloud, it has implemented internal controls to prevent unauthorized access.
“Zoom has never built a mechanism to decrypt live meetings for lawful intercept purposes, nor do we have means to insert our employees or others into meetings without being reflected in the participant list,” Gal said.
A Zoom spokesperson told The Intercept in March that the company used transport encryption over its TCP and UDP connections rather than end-to-end encryption.
Another concern was the accidental routing of meeting data to servers in China. According to Yuan in a post on April 3, Zoom maintains secondary, regionally appropriate data centers to serve as a backup to primary servers in cases such as network congestion.
“However, in February, Zoom rapidly added capacity to our Chinese region to handle a massive increase in demand. In our haste, we mistakenly added our two Chinese data centers to a lengthy whitelist of backup bridges, potentially enabling non-Chinese clients to — under extremely limited circumstances — connect to them,” Yuan said.
Multiple exploits were also shared with TechCrunch, including bugs that allowed root access on macOS and access to users’ microphones and cameras.
UT’s Associate Vice Chancellor and Chief Information Officer Joel Reeves talked about the challenge of maintaining security while expanding capacity.
“Zoom experienced exponential growth from 10 million Zoom meetings in December to over 200 million online meetings in March. At UT, we went from offering 24,000 hours of online credit hours to 360,000 hours in 10 days to ensure students could complete courses and stay on track academically,” Reeves said.
Reeves added that UT is keeping an eye on Zoom’s level of security.
“We have monitored the developments closely the past few weeks and will continue to do everything we can to protect students’ learning environments. As information about features and changes to Zoom becomes available, we will continue to provide instructions to the university community. Providing a safe and secure digital space for courses, services, and programs is of the utmost importance,” Reeves said.
OIT’s Associate Chief Information Officer and Chief Information Security Officer Bob Hillhouse said that many new users were unfamiliar with Zoom’s security features given the rapid shift, but that additional guidance has made a difference.
“We have shared with faculty and staff how to require that participants authenticate with their UT NetID and password, create passwords for meetings and use the waiting room function. Authentication plus the Waiting Room drastically reduces the risk of unwanted guests,” Hillhouse said.
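The three controls Hillhouse names (a meeting passcode, required authentication and the Waiting Room) can be checked automatically across a department’s scheduled meetings. The script below is an added example, not code from the article or from UT OIT; it assumes meeting records shaped like the objects Zoom’s REST API returns (a top-level `password` field and `waiting_room`, `meeting_authentication` and `join_before_host` booleans under `settings`), and that passcodes are at most 10 characters, so adjust the field names if your export differs.

```python
"""Audit Zoom meeting records for the anti-Zoom-bombing controls and harden them."""
import secrets
import string
from typing import Any, Dict, List

# Assumed field names (mirroring Zoom's meeting object); not taken from the article.
PASSCODE_ALPHABET = string.ascii_letters + string.digits
PASSCODE_LENGTH = 10  # assumption: Zoom passcodes are limited to 10 characters


def audit_meeting(meeting: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means all controls are in place."""
    settings = meeting.get("settings", {})
    findings = []
    if not meeting.get("password"):
        findings.append("no passcode: anyone who learns the meeting ID can join")
    if not settings.get("meeting_authentication", False):
        findings.append("authentication off: unauthenticated users can join")
    if not settings.get("waiting_room", False):
        findings.append("waiting room off: host cannot screen participants before admitting them")
    if settings.get("join_before_host", False):
        findings.append("join before host on: participants can gather with no host present")
    return findings


def harden_meeting(meeting: Dict[str, Any]) -> Dict[str, Any]:
    """Return a copy with the weak settings corrected; the original is left untouched."""
    fixed = dict(meeting)
    fixed["settings"] = dict(meeting.get("settings", {}))
    fixed["settings"].update(
        {"meeting_authentication": True, "waiting_room": True, "join_before_host": False}
    )
    if not fixed.get("password"):
        # A random passcode; it still needs to be distributed to invitees out of band.
        fixed["password"] = "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(PASSCODE_LENGTH))
    return fixed


# Constructed sample record: a meeting scheduled with the weak defaults.
WEAK_MEETING = {
    "id": 123456789,
    "topic": "Milkshake Monday",
    "settings": {"meeting_authentication": False, "waiting_room": False, "join_before_host": True},
}

if __name__ == "__main__":
    for finding in audit_meeting(WEAK_MEETING):
        print("FINDING:", finding)
    print("after hardening:", audit_meeting(harden_meeting(WEAK_MEETING)) or "no findings")
```

Run it against an export of upcoming meetings to list which ones still lack the controls before the session starts.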
Hillhouse also commended Zoom for its ability to listen to concerns, listing measures the company has undertaken to reassure customers.
“We have also found Zoom to be responsive to security concerns. In addition to eliminating the connection to data centers in China, Zoom has declared a 90-day moratorium on product changes unless the changes relate directly to security or privacy,” Hillhouse said.
Hillhouse added that Yuan is effectively communicating with his customers about the subject.
“Zoom has scheduled a live, weekly meeting with the owner and founder Eric Yuan, where he updates viewers on progress in addressing security concerns. The company has made a number of changes to the Zoom client, such as making existing features more readily available to the host, such as the Waiting Room feature and the Meeting Lock feature,” Hillhouse said.
OIT’s guidance on how to prevent Zoom Bombing can be found online.