Is there a way to stop crashing of Zoom calls?
Experts weigh in after court hearing disrupted by ‘low-value vandals of the cybercrime world’
WATERLOO REGION — While there are ways to reduce the chance that a virtual meeting will be hijacked, cybersecurity experts say no system is foolproof.
“A 100 per cent secure system will never exist,” said Florian Kerschbaum, executive director of the University of Waterloo’s Cybersecurity and Privacy Institute. “Absolute security is not achievable. We can only balance security with other objectives, like privacy, like personal freedoms, ease of use, performance.”
Kerschbaum’s comments come in the wake of an incident Tuesday in which a video court hearing was disrupted by perpetrators displaying pornography and other offensive imagery. Login details had been posted on social media by individuals.
“The term Zoom-bombing is around, but I don’t think this is specific to Zoom,” Kerschbaum said. “It is not something that is impossible in any other kind of video platform, so I would not single out Zoom as the culprit here.”
One of the biggest privacy concerns around these platforms is that they’re not
really private, even with security settings properly employed, Kerschbaum said.
“These conferences … are streamed via a central service which is often under the control of a cloud provider, of which we have no idea whether or not it is controlled by a nation state actor or whoever has access to these video conferences.”
COVID-19 prompted the rapid and widespread adoption of existing video technology for everything from virtual dinner parties to sensitive court proceedings.
“A lot of this technology has been developed for either a consumer or what I would call a light enterprise type of tool,” said Mark Sangster, vice-president and industry security strategist at Waterloo cybersecurity firm eSentire. “It hasn’t necessarily been designed or specifically configured to deal with specifics of a particular industry.”
Other technologies that the legal system and courts apply tend to have been designed from the ground up for that purpose, Sangster said. “It’s a little surprising that we haven’t seen adoption of a more tuned kind of solution for them.”
Expanded use of digital technologies expands the “threat surface,” or the opportunity for the criminal element to take advantage, he said. “Courts are going to be targets.”
This particular incident may have been the work of “the graffiti artist or the low-value vandals of the cybercrime world,” Sangster said. “Or it’s motivated by the nature of the court case.”
Tuesday’s incident occurred during a civil court hearing involving Waterloo Regional Police and a former officer.
Platforms such as Zoom are trying to cater to a broad market, said Dave Ockwell-Jenner, vice-president of information security at cybersecurity company Arctic Wolf Networks. To do that, the products are quite flexible.
But that’s not to say they’re lacking in security measures.
“Zoom and most of the other platforms do have a myriad of security settings,” he said. “I would certainly spend some time to get familiar with what they are.”
A spokesperson for the Ministry of the Attorney General said Tuesday that the security mechanisms that exist to reduce the potential for disruptions will be reviewed with the courts and court staff.
Participants who received an email Friday containing Zoom details for Monday’s resumption of the hearing were instructed not to publish or distribute that information, and they were reminded that any disruptions may be subject to contempt of court or a police investigation.
The court is also requiring media and members of the public to show photo identification prior to admission; latecomers will have to wait for a break in proceedings before they’re admitted.
If an online meeting link is shared, it typically contains everything someone needs to participate, Ockwell-Jenner said. Some people may be operating under the mistaken belief that the link is unique to them and wouldn’t allow access to others.
“Any time you’re inviting the public, you’re inviting all corners of the public, not just the ones you’d prefer to take part.”
Experts said some of the ways to reduce risk include removing the ability for anyone but the host to share content, disabling re-entry if someone is removed from the meeting, and disabling renaming, making it easier to keep tabs on who is participating. Stronger authentication or identification requirements can be enforced before allowing participants to join as well, but that introduces its own privacy implications, Kerschbaum said.
While this was a high-profile example, Sangster said many cybercrime incidents never go reported.
“Most victims of cybercrime, of these kinds of attacks and then the far more nefarious or damaging types of ones, suffer in silence.”
Despite the threat, Kerschbaum is impressed by how well usage of these services has gone for the most part.
“It is absolutely amazing how well it worked, considering how reluctant people were to adopt this beforehand,” he said. “It has catapulted us into the digital future by decades, which we would never, ever have done without COVID-19.”