It was just another day in lockdown for Craig Barnes.
The personal trainer in Glasgow, Scotland, was gearing up for another virtual fitness class on popular video-conferencing platform Zoom. He conducts multiple classes a day and streams them live on Facebook (FB) as he tries to keep people fit and healthy during the global coronavirus pandemic.
While the class was in full swing, however, Barnes’ fitness session became “bombarded with disgusting material,” he said.
“The first video I saw was an Asian girl who was tied up, and I wasn’t too sure what was going on — I was a bit perplexed,” Barnes told CNN.
“Remember, I am trying to take a class at the same time — trying to stay professional, and obviously I’ve got to try and protect the eyes of my clients. So when I removed the video of the girl who was tied up … I thought that was going to be it,” he continued.
He had fallen victim to “Zoombombing.” The term refers to a form of cyber harassment, where calls are hijacked by unidentified individuals and trolls who spew hateful language or share graphic images.
Whether it’s fitness workouts like those conducted by Barnes, or music, dance or language lessons, online classes are helping to keep people sane during this pandemic. They allow us to maintain old routines and habits as well as start new ones and are a lifeline for many kids who are cut off from school.
However, the shift to living our lives online has thrown many people in at the deep end with technology they’re not familiar with, potentially exposing them to trolls and online abuse.
Here are some simple steps you can take to help protect yourself.
Zoom gets more serious on security
Zoom has been used for popular online quizzes, high-profile political cabinet meetings, virtual funerals and more. Zoom’s ease of use — where you simply need a URL that you fire to whomever you’d like — has seen its usage soar.
It’s that same usability, however, which has opened up Zoom to scrutiny, too.
Earlier in April, the CEO of Zoom, Eric Yuan, had to apologize to millions of its users after the platform came under increasing privacy concerns.
Perhaps most alarmingly, investigations have been launched following reports of meetings being infiltrated by people sharing footage of children being sexually abused, according to the United Kingdom’s National Crime Agency (NCA).
Other apps like Skype and Webex face similar security issues. However, the cases of Zoombombing, like the incident that had befallen Barnes, seem to be much more common, with numerous examples being highlighted in the media. A Zoom spokesperson said the company was “deeply upset” and “strongly condemned” the incident that disrupted Barnes’ class.
Update, update, update
Zoom recently introduced a new update to enhance security on its platform and to help users more easily protect meetings. The newest version of the app, Zoom 5.0, now includes encryption and more security controls for users.
The company said it has made the meeting IDs less visible to help prevent unintended sharing, and have added a new security icon to the controls to help hosts access features that allow them to remove participants and lock rooms.
Cybersecurity experts stress the importance of updating software to reduce vulnerability.
“Update, update, update!” Lisa Forte, a former member of the UK’s police cyber crime unit, emphasized to CNN. “It’s really important, especially at this time. Zoom are issuing updates continuously — if you don’t apply that update, you are leaving yourself hugely vulnerable to being exploited,” she added.
Fitness trainer Barnes doesn’t blame Zoom for what happened during his class. He said he takes “full responsibility” for it. After all, he put the password to the class on his Facebook page — leaving him particularly vulnerable to malicious trolls.
“It was my fault for not protecting the password. … But I am just a personal trainer, here to try and keep people healthy. When it comes to social media, I am not the best at it,” Barnes admitted.
Who are the trolls, and how do I stay safe?
How can you prevent your class from being hijacked like Barnes’ was?
The cybersecurity experts who CNN spoke to believe that video conferencing on the whole is playing a positive role during the coronavirus pandemic.
After all, it encourages human-to-human connection when it might not otherwise be possible. When used properly, many experts thought it could be a great tool.
There is a common theme with trolls and the likes of people who carry out Zoombombings, according to Forte. The culprits are often young people.
“The experience I have from law enforcement and other people, it tends to be young kids,” Forte told CNN.
Get CNN Health's weekly newsletter
Sign up here to get The Results Are In with Dr. Sanjay Gupta every Tuesday from the CNN Health team.
Graham Cluley, who has worked in cybersecurity for almost 30 years, said it’s younger people who tend to get a “kick out of doing these things.” They wreak havoc on these virtual spaces and then post the videos on internet platforms like 4chan.
He said the videos often used are “probably taped from porn websites.” The Zoombombers then use online forums, where they are collecting details of open Zoom meetings with the intention of causing some “mischief,” he said.
Steps you can take, according to experts
Use the security measures in place, and make sure they’re up-to-date. All the cyber experts CNN spoke to agreed on one thing: the importance of using simple security measures — often found within apps like Zoom — to ensure you are as secure as possible. Lisa Forte said the waiting room and lock functions within Zoom are good forms of protection.
They allow you to vet who comes into your meeting before it gets underway and also freeze out any late party poopers. Additionally, make sure you disable the option that allows people (other than you as the host) to share their screens during the chat; or at least only grant access to trusted class members.
Be careful with your password, and don’t share it excessively. Craig Barnes failed to do this. Nishanth Sastry, a privacy network and security expert who is a senior lecturer at King’s College London, encouraged using a separate channel for sharing passwords — be it via text message or email. He also encouraged using a time limit if you had to share your password publicly.
Distribute it five minutes, rather than 24 hours, before the start of your online conference to limit the time trolls have to plan and coordinate.
Protect your kids on video-conference platforms. A lot of children also attend video-conferencing classes — making the risk of these sessions being hijacked even greater. Talk openly with children about the dangers of online interactions, and ensure correct security measures are in place for them.
Cluley advised parents to have the computer or tablet in a shared communal area of the house so adults are aware of what the child is watching and can oversee the content.