Insecurities in Remote Learning Provide Low-Hanging Fruit for Attackers
The novel coronavirus pandemic has revealed a myriad critical security vulnerabilities, and insufficient configuration practices, within IS and IT infrastructure around the globe. Due to how quickly remote learning had to be frantically set up, COVID-19 has created a perfect storm for attacking and exploiting remote learning and educational systems for fun, profit, and disruption.
For multiple days, Miami-Dade County Public Schools were attacked with a distributed denial of service attack (DDoS), by one of their own students. And, due to glitches and hackers, even New York City public school students are not guaranteed real-time remote learning.
And then there’s Zoom bombing, or the act of disrupting or hijacking webinar and video conference calls popular among remote learning environments, which has received the most attention by mainstream media because it’s become so prevalent — and because of its sheer shock value.
The Zoom platform isn’t the only video conferencing service to succumb to Zoom bombing, but the name stuck due to Zoom being a victim of its own popularity. Just as generic cotton swabs are now referred to as Q-tips, and generic hook-and-loop fasteners are now referred to as Velcro, content hijacks and attacks against any video conferencing platform are now referred to as Zoom bombings by mainstream media.
Many other services, such as Cisco Webex Meetings, LiveWebinar, Google Meet (formerly Google Hangouts), BlueJeans Meetings, share similar attack vectors with different pros and cons.
For example, a Brooklyn mother of a sixth-grader complained that her child was accosted by images of pornography on their first day of school, which lead to a Department of Education investigation on the incident. Except this wasn’t an external attack or a hack, and the investigation concluded that it was simply an inside job — more than likely a result of a configuration error or access control mistake made by faculty.
And ironically, by complaining and posting a photo of the disruption with the Google Meet ID in-tact, other uninvited guests could have found their way into the video conference and disrupted it even more.
Beware of Default Configurations
Dozens of personalization, security, and configuration options are available for most webinar and video conferencing services, and many of those features are wholly inappropriate for classroom environments filled with students and minors. By default, many platforms allow anyone to join with nothing more than a clickable link.
Every calendar, webinar, and video conferencing service is different, so it’s impossible to step through every configuration option here, but it’s fairly simple to take basic steps to start locking down a remote learning environment. Specifically, by looking for options and features in each service that may cause disruptions.
Unique Meeting IDs and Meeting Passwords
Some platforms enable a reusable or customizable Personal Meeting ID, or PID, that makes it super easy to hold impromptu sessions. Simply copy the easy-to-remember PID or link, and forward that link to all attendees! But, easy-to-remember usually translates to easy-to-guess.
Plus, since there’s no password, that means that anyone who has the PID or link can join the session at any time — including uninvited guests who either guessed the PID, found the link embedded in a presenter’s public calendar or website, or found a link inadvertently posted publicly by an attendee. And students are already intentionally leaking PIDs, specifically to cause disruptions, when they want to skip a class.
So the easiest and most important step to take is to require a password to join sessions. This password should be changed occasionally, even if only once a month or once a quarter, and distributed to attendees via email or a messaging app. Just never include the password in a public calendar or on a public website, as that defeats the purpose of password-protecting the session.
The next option, which is a bit more inconvenient, is to enable unique meeting IDs or links that change for every session. If an uninvited guest somehow figures out the unique ID, then it’s only valid for that one session. So, in the worst case scenario, the presenter can suspend the session and create a new unique ID for the day.
Private, Invite-Only Calendars
Calendars are obviously critical for planning sessions. However, many presenters create a single public calendar for their entire syllabus, and send the public link to all attendees. These public calendars might be picked up by search engines, or be found by uninvited guests, so presenters should take a few extra minutes to make sure that any calendars that contain unique meeting IDs or PIDs are invite-only.
By only allowing invited attendees to view the calendar, it’s less likely that uninvited guests may stumble across links to sessions.
Waiting Rooms
Depending on the configuration of the video conferencing session, it may be possible for attendees to join the session before the presenter. Attendees that join video conferences before the presenter are akin to students that run rampant in school classrooms before the teacher arrives and tells everyone to settle down. Sessions without waiting rooms can be chaotic and, without a moderator to keep things in line, may quickly spiral out of control with inappropriate content.
Waiting rooms isolate attendees until the presenter or moderator is ready, and help prevent the equivalent of homeroom roughhousing before the bell rings. Some services show the presenter who is in the waiting room, and may allow uninvited guests to be weeded out before the session starts. Otherwise, if a disruption occurs once the session starts, the presenter can quickly react accordingly.
Disable Attendee Screen and Audio Sharing
Depending on the session environment, the presenter, moderator, assistant, or host should be the only participants allowed to share their screens. Each platform has its own names or descriptions for special roles, or different levels of access control, but screen sharing should only be allowed for presenters, hosts, moderators, or similar privileged participants.
Most session disruptions, be it from external Zoom bombing attacks by uninvited guests, or by rowdy invited attendees, are due to unauthorized screen and audio sharing that takes over the session’s primary video pane. Since the purpose of screen sharing is to present content to all attendees, a shared screen usually pops up front and center, and replaces the presenter’s webcam by filling the entire session.
Whether the disruption is a silly meme, a political message, or a vulgar pornographic video doesn’t matter — an unauthorized screen sharing disruption could derail the session for minutes or hours, and is trivial to protect against.
Muting Microphones and Disabling Cameras
Depending on the session type, and the capabilities of the service, it may be possible to mute all attendees’ microphones at the beginning of the session (mute upon entry). This will allow the presenter to organize their thoughts, and to get things rolling before any attendees are allowed to chime in. As long as attendees have allowed access to their microphones and cameras, this may also allow presenters to selectively unmute attendees to answer questions, which is especially useful if the attendee is too young to figure out how to unmute themselves.
And not all video disturbances come in the form of unauthorized screen sharing. With video broadcast software, such as the free OBS Studio or ManyCam packages, it’s possible for attendees to emulate a webcam and redirect movies or videos to the session. This is similar to screen sharing, and can be just as disruptive, especially if the session is configured to go full-screen with the currently-speaking attendee.
This is not a bug or a security issue, however, as many presenters rely on such webcam emulators to provide multiple camera angles or picture-in-picture screen layouts.
Managing Private Chat
Most platforms have a public chat function, but some also support private chat which is not visible to the rest of the attendees. While private chat serves a purpose, and can be helpful for attendees to help each other out, it may become a distraction if abused, much like whispering to each other or passing notes in an in-person class.
However, disabling private chat may backfire, and cause attendees to backchannel private chat on Discord or other messaging apps. The one benefit to keeping private chat active is that some platforms allow presenters to log, and eavesdrop on, private chat. This is theoretical privacy invasion but, in theory, is no different than a teacher listening to students chat amongst themselves in an in-person class.
Kicking Rowdy Attendees or Banning Uninvited Guests
And, as a last resort, kicking attendees is the equivalent of sending misbehaving students to the principal’s office, albeit without a principal to actually discipline them. Some attendees may understand that getting kicked signifies that they stepped over the line, rejoin, and behave for the remainder of the session. However, others may simply stay disconnected, and interpret getting kicked as a free vacation day.
Uninvited guests, on the other hand, should immediately be kicked and banned, which prevents them from rejoining. Depending on the platform, though, simply kicking an attendee may also permanently ban them. And kicks and bans aren’t foolproof.
If the ban mechanism is based on cookies, then simply clearing cookies may allow the uninvited guest to rejoin. Or instead, if the mechanism is IP-based, then it’s possible that all attendees in the same campus, household, cafe, or office that are sharing that IP address may be banned as well.
Invite-Only and Locked Meetings
Invite-only is self-explanatory, and is obviously the most secure option, but may be a premium feature not available on free accounts or the lower-cost budget plans of some services. It might take a bit of housekeeping and attendance configuration beforehand but, if invite-only meetings are an available option, it’s one of the best security features to take advantage of.
It may also be possible to lock a meeting, which prevents additional participants, once the session starts and attendance or roll call has been completed. While this may seem like a no-brainer, it may prevent attendees that disconnect due to technical difficulties from rejoining a session that’s already in progress.
Appoint an Assistant or Presenter’s Aide
Not all presenters have the multitasking ability or technical skills required to both moderate their session, and to present at the same time. For sessions where attendees are a bit older and more responsible, it may be beneficial to appoint an attendee as a guest host or moderator, much like teachers utilize responsible students to help out in-person in classrooms.
Common Sense Security
“The most valuable service we offered was not our recommendations to remediate the vulnerabilities, it was changing their company’s mindset and our effect on their company culture.”
Bill Terwilliger, CEO, Alpha Defense
Security isn’t a skill that can be trivially learned, simply by following instructions, or by stepping through boilerplate responsive playbooks and checklists. Instead, security is a cultivated, dynamic, and proactive mindset that, once adopted, can be applied to virtually any project or task. It’s impossible to comprehensively describe every security aspect in an article, which is why adopting the mindset is critical — to brainstorm additional ideas and solutions to fill in possible gaps not covered by the article.