Professor Brendan O’Flaherty’s Tuesday afternoon lecture for Principles of Economics was hacked by three individuals who disrupted the class for about six minutes, playing audio containing racial slurs and inappropriate content, hurling insults at the professor, and later calling a participant a racial slur, according to a course recording obtained by Spectator.
As colleges across the country have transitioned to online learning in response to the COVID-19 pandemic, many of them have chosen to use Zoom, an online communications platform that cybersecurity experts warn hosts a myriad of potential privacy and security issues.
Numerous Columbia faculty have reported being hacked, and reports from across the country show that links to courses are frequently being placed on online forums such as Discord and course websites, leaving professors and students susceptible to hackers when they choose to enter the space.
More recently, the FBI reported nationwide instances of video-telecommunication hijacking, highlighting two instances in Massachusetts that exposed Zoom conference viewers to pornographic or hate material and threatening messages.
Though experts and universities have recommended security practices to faculty to address these breaches, experts and faculty members cited the drastic shift to online learning as a reason that users were ill-prepared for the safety risks attached to Zoom and video conferencing platforms. Further, though certain security measures that allow faculty to vet users would be possible to implement for smaller lectures or seminars, larger lectures with hundreds of students may make it difficult for faculty to take the same steps.
O’Flaherty said he was lecturing from his home and lost connectivity the moment the hackers joined the meeting. He quickly tried to regain Internet connection by moving closer to his Wi-Fi router.
“I panicked: This is a big class, and if you lose connectivity in a big class, you’re in trouble,” he said. “It took me a while to understand what was going on because things aren't responding right.”
When he was able to regain control of the meeting, he ended it, sent an apology to the students, and reported the incident to the University.
“Not only did they lose a class, they were exposed to a hate crime. ... The [hackers] should be prosecuted,” O’Flaherty said. “As a faculty member, we all have a responsibility to protect our students.”
Ostrowski recommended that universities provide educational material on identifying malicious Zoom emails and links as well as tutorials on utilizing Zoom functions, such as setting a password for meetings and avoiding reusing the same meeting ID. In addition, he recommended that users download security browser extensions that identify false sites and avoid posting meeting links on public websites.
The University has provided guidelines to professors with the same recommendations suggested by experts.
However, professor Steven Bellovin, who currently teaches Computer Security II, noted that Zoom automatically includes the password in the meeting join URL, so hackers can still gain access.
Security researcher Jonathan Leitschuh said users can also utilize the waiting room function where the host can accept people into the meeting.
Bellovin said he uses the waiting room option for his office hours but finds the feature unfeasible for his large lectures. For smaller classes or courses with teaching assistants who can accept people, though, this feature can be useful, he said.
He also encouraged professors to adjust meeting configurations to disable screen sharing from students and stop students from entering the meeting more than five or 10 minutes after the start time.
Bellovin said he recommends universities follow Stanford University’s lead in providing all students and faculty with Zoom accounts so that professors can limit access to meetings to students only. If someone does hack into a class, the administrators would be able to track them down easily, since only students would have access to the classes, he said.
With the growing popularity of Zoom, cybersecurity researchers, professors, and even the New York Attorney General Letitia James have raised concerns over user safety on the platform. Some experts raised concerns over the vulnerabilities in the platform, while others point to the users’ Internet safety practices.
James’ office sent out a letter to the company expressing concerns over increased safety measures with the recent surge in users, a spokesperson from the New York Attorney General’s office said.
Faculty also expressed concerns over user privacy, citing the company’s ability to share recorded content with a third party such as University administrators.
“I think we should have the same rights in a virtual classroom that we have in a physical classroom,” Amsellem said.
In July 2019, Leitschuh found several vulnerabilities in the platform that could enable a user’s videocam without their knowledge and could force a user into a meeting without the host’s consent. The company responded to the request after The Electronic Privacy Information Center, a public interest research center, filed a formal complaint to the Federal Trade Commission.
In the past year, 1,700 new web domains with the word “Zoom” have been registered, with 25 percent of them coming from last week alone, Check Point Security’s report found. Ostrowski said cybercriminals are using similar domains to trick unsuspecting users into paying them money or clicking through to fake websites that download viruses.
“[There are] a lot of first-time users who don’t know what to expect and look past these alarms,” Ostrowski said. “We’re all expected to get an email to say, ‘Join our Zoom,’ and people are preying on that now.”
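The two link problems described above, the passcode carried inside the join URL and lookalike domains containing the word “Zoom,” can both be checked before a link is posted or clicked. The following is an added example, not part of the original article or any Zoom code; it assumes genuine links sit on zoom.us or a subdomain of it and that the passcode travels in the `pwd` query parameter, and every sample URL is constructed.

```python
from urllib.parse import urlsplit, parse_qsl, urlencode

# Assumptions (not stated in the article): genuine join links are served from
# zoom.us or one of its subdomains, and an embedded passcode is carried in
# the "pwd" query parameter.
TRUSTED_DOMAIN = "zoom.us"
PASSCODE_PARAM = "pwd"


def audit_link(url):
    """Return a list of findings for one link; an empty list means no issue."""
    parts = urlsplit(url.strip())
    # .hostname ignores any "user@" prefix, so "zoom.us@other.example"
    # is judged by its real host, other.example.
    host = (parts.hostname or "").lower().rstrip(".")
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    on_zoom = host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)
    if not on_zoom:
        # "zoom" somewhere in a foreign hostname is the lookalike pattern.
        findings.append("lookalike-domain" if "zoom" in host else "not-zoom")
        return findings
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    if PASSCODE_PARAM in params:
        # Anyone who sees this link also holds the passcode.
        findings.append("passcode-in-url")
    return findings


def strip_passcode(url):
    """Return the link without its passcode, for posting where others can read it."""
    parts = urlsplit(url.strip())
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != PASSCODE_PARAM]
    return parts._replace(query=urlencode(kept)).geturl()


if __name__ == "__main__":
    # Constructed sample links; none refers to a real meeting.
    samples = [
        "https://university.zoom.us/j/1234567890?pwd=Q29uc3RydWN0ZWQ",
        "https://zoom.us/j/1234567890",
        "https://zoom.us.join.example/j/1234567890",
        "http://zoom-invite.example/",
    ]
    for link in samples:
        print(audit_link(link) or ["ok"], strip_passcode(link))
```

A link stripped this way only helps if the passcode is then shared through a separate, non-public channel.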
In January, Ostrowski's team detected that a person could predict a scheduled Zoom meeting ID and log into the meeting. The company has since resolved the issue.
In the rush to shift University learning to online classes, O’Flaherty said his biggest concern was being able to continue educating his students and that universities may have overlooked the risks involved with platforms like Zoom, though he said the University did provide some training on Zoom security.
“We were drowning; we had a life preserver but didn’t check if the life preserver was safe,” he said.
Leitschuh noted that the same features that make Zoom easy to use in online teaching have also made online classrooms open to security breaches.
“Part of the reason why we as a collective have chosen Zoom is because of its simplicity; it’s so easy,” Leitschuh said. “But those same reasons and those same features and functionalities have come back to bite us.”
Staff writer Sewenet Haile contributed reporting.