Singapore MOE suspends use of Zoom for home-based learning after hackers hijack classes

Yihao Lim, a principal intelligence analyst at cybersecurity firm FireEye, said that the incident is not the fault of Zoom’s software, but rather that of users’ 'imperfect command' of the application’s privacy setting. ― AFP pic
Yihao Lim, a principal intelligence analyst at cybersecurity firm FireEye, said that the incident is not the fault of Zoom’s software, but rather that of users’ 'imperfect command' of the application’s privacy setting. ― AFP pic

SINGAPORE, April 10 — Schools here will suspend its use of video conferencing platform Zoom for home-based learning after a student was reported to have encountered pornography while using the application.

In a Facebook post purportedly by the student’s mother, she said hackers hijacked the student’s Zoom stream and showed pornographic content, before asking the girls in the class of 39 students to flash their chests.

She said that other schools may have also encountered similar incidents.

In response to TODAY’s queries, the Ministry of Education (MOE) said it is aware of two such incidents on Thursday.

In an email response, Aaron Loh, the divisional director at MOE’s educational technology division, called the episodes “very serious incidents”.

“MOE is currently investigating both breaches and will lodge a police report if warranted. We are already working with Zoom to enhance its security settings and make these security measures clear and easy to follow,” said Loh.

Loh said that the ministry will ensure that all security protocols are strictly followed at all times.

“We have reiterated and spelt out to all our teachers the security measures they must adhere to when using such video conferencing platforms.”

These measures include requiring secure log-ins and not sharing the meeting link beyond students in the class.

“In the meantime, as a precautionary measure, our teachers will suspend their use of Zoom until these security issues are ironed out,” said Loh.

MOE said that home-based learning will continue and teachers will continue to use a range of resources available under the Singapore Student Learning Space, an online learning portal by the MOE which contains learning resources. Teachers will also continue to use offline teaching and learning.

“MOE will continue to work with parents to ensure a safe learning environment, and schools will also guide students on appropriate behaviours when attending online lessons,” Loh said.

The application rose in popularity as the Covid-19 pandemic forced people around the world to stay home, but there have been security concerns amid reported incidents of “Zoombombing”, in which uninvited guests gatecrash meetings.

Google on Wednesday became the latest organisation to ban its employees from installing the application of their laptops, citing security concerns.

Earlier this week, Zoom accounts were found on the dark web, including information such as email addresses, passwords and meeting IDs.

This came days after The Washington Post found that thousands of recordings of Zoom video calls were unprotected and viewable on the open web.

Breach likely due to lack of familiarity with settings

Yihao Lim, a principal intelligence analyst at cybersecurity firm FireEye, said that the incident involving the student is not the fault of Zoom’s software, but rather that of users’ “imperfect command” of the application’s privacy setting.

Such incidents, which are not unique to schools in Singapore, are usually because teachers are not familiar with the software, said Lim.

“If a Zoom meeting is set to public, it can be accessed by anyone with the correct link,” said Lim.

In this case, someone with the link such as a student may have accidentally posted it on social media platforms such as Instagram or Facebook or websites like Reddit, he said.

Cybersecurity expert Chuck White said that even though Zoom has now made its settings for meetings private by default, meaning that users require a password to enter a meeting, many users continued to set meetings to public for ease of use and accessibility.

Once these links are made available to hackers, they can use the information and open sessions to join Zoom meetings, said White, who is the chief technology officer of cybersecurity company Fornetix.

“They can add links to pornography or offensive web sites. The worst case is if they add links to sites that can load malicious software,” he said.

To avoid such situations, Lim said that the host of the meeting, which is typically the teacher in home-based learning, should ensure that the link to the meeting is restricted to its attendees.

Students should also make sure they do not make the link available to others, while teachers should use the “lock” function on Zoom so that no new participants can join, he added.

White said that if a hacker hijacks a Zoom meeting during home-based learning, the best course of action is to shut down the meeting: “A hacker cannot attack something that is not there.”

He also advised students not to click on hyperlinks during Zoom meetings as they could lead to malicious sites.

TODAY has reached out to Zoom for comment. — TODAY

Related Articles