Why Insider ‘Zoom Bombs’ Are So Hard to Stop

Researchers have found that most calls to disrupt videoconferences originate with the participants, especially in high schools and colleges.

When Covid-19 spread globally last spring, it made Zoom an immediate household name. But while the videoconferencing platform offered a lifeline for the socially distanced, it soon suffered rampant intrusions from trolls crashing Zoom calls to insult participants, shout racist slurs, and display obscene images. Even after Zoom password-protected its calls by default, the so-called Zoom-bombing continued. Now one team of researchers has an answer for why many of the measures to secure Zoom calls haven't stopped the scourge: In many cases—perhaps even most of them—the culprit is someone on the inside.

At the USENIX Enigma security conference today, Boston University computer scientist Gianluca Stringhini plans to present the results of research that he and a team from BU and Binghamton University carried out over the past year to get to the root of the Zoom-bombing plague, one that affects not only Zoom but also other videoconferencing services like Cisco WebEx and Google Meet. Stringhini and his fellow researchers, who specialize in how online communities coordinate malicious activity, monitored the organization of mass Zoom-bombing actions on both Twitter and 4chan over the course of 2020.

Their findings point to a surprising conclusion: The majority of Zoom-bombing cases the researchers observed began with a participant in the call posting the link publicly and inviting trolls and miscreants to attack it. Seventy percent of calls for Zoom-bombing that researchers found on 4chan and 82 percent found on Twitter appeared to be this sort of inside job. The phenomenon is explained in part by another, less surprising finding: The majority of Zoom-bombing incidents—74 percent of those organized on 4chan and 59 percent on Twitter—targeted high school and college classes. 

"Our findings are basically that most of these calls seem to be targeting online classes, and they seem to be called by insiders," says Stringhini. "Students in the class are bored or want to piss off their lecturer or whatever, so they basically post details of their own classes online and ask people to join and disrupt them."

Many security measures intended to lock out Zoom-bombers have turned out to be ineffective against that majority of attacks initiated by insiders, Stringhini says. Password protection doesn't help, he points out, when a participant is sharing the password publicly with attackers. Nor does a waiting room for screening entrants into the call; insiders who colluded with Zoom-bombers often shared lists of legitimate invitees in the call to allow attackers to easily impersonate them. "Basically all the defenses that have been proposed against Zoom-bombing assume they’re coming from the outside," Stringhini says. "But actually, the fact that insiders are calling for these attacks calls these mitigations into question."

Starting in December 2019 and continuing through July 2020, the researchers collected every post they could find on 4chan and Twitter that seemed to discuss a specific online meeting, tallying 434 4chan threads and more than 12,000 tweets. They then manually analyzed and annotated the results to identify more than 200 instances of users sharing videoconference links and calling for others to swarm and disrupt the call. (Since Zoom-bombing only began in earnest in March 2020, they focused most of their attention on the four months that followed, when they observed around 50 Zoom bombs per month across all videoconferencing services.)

Stringhini concedes that the Zoom-bombing messages they observed likely represent only a minority of total attacks over the time period they studied. Some incidents may have eluded their measurement, such as one-person Zoom-bombings carried out by hackers who are able to brute-force guess the URL of a Zoom call that's not password protected—a phenomenon documented as recently as last April. And a larger number of mass Zoom-bombings may be organized on other platforms they didn't look at, such as Discord or IRC, Stringhini notes. But he argues that their data set should be broadly representative of these attacks too.

Their study includes excerpts of some of the Zoom-bombing raids they saw documented on those social media outlets: "My English class, come in and trolley for a while," one reads, along with a link. "Raid our school live call class, i believe in you [obscenity]," reads another. "Anyone wanna join our online lesson? Our teacher is black. Its gonna be in 20 mins," reads another comment, immediately followed by a racial epithet from another commenter.

Notably, Zoom's primary response to the problem—turning on password protection for calls by default on March 30—didn't slow the rate of Zoom-bombing the researchers measured. In the weeks before that change, they saw an average of eight attacks a week targeting Zoom calls rather than other services. In the weeks afterward, they observed an average of 8.6 of those Zoom-bombings. While that increase is no doubt explained in part by Zoom's massive rate of adoption at the same time, it demonstrates that password protection hardly solved the problem.

Both Stringhini and Zoom itself recommend that users secure their calls against Zoom-bombing not only with the default password protection but also by requiring that users be logged in and authenticated. That setting, described as "Only authenticated users can join meetings from web client," also generates a unique link for every user, and it can be switched on in Zoom's security settings.

When WIRED reached out to Zoom about Stringhini's study, the company responded in a statement that pointed to many of the security features on that settings page, and it also encouraged users hosting large-scale or public events to use Zoom's webinar feature that restricts audience members' ability to speak or show their video and screen. "We have been deeply upset to hear about these types of incidents, and Zoom strongly condemns such behavior," a spokesperson wrote. "We take meeting disruptions extremely seriously, and we encourage users to report any incidents of this kind to Zoom and law enforcement authorities so the appropriate action can be taken against offenders." Google responded in a statement pointing to security restrictions for Google Meet such as allowing only users logged in to their Google account to join, and allowing hosts to screen anyone who wasn't included on a calendar invite. Cisco's general manager of WebEx, Abhay Kulkarni, wrote in an email that WebEx offers similar safeguards such as restricting users to their own organization, restricting calls to authenticated users, and "locking" calls after they've begun.

Stringhini notes that Zoom's focus on password protection may have stopped actual, individual hackers from disrupting meetings—though it's difficult to assess how many of those attacks ever took place, since they're not organized in a public forum. In fact, they may have never been the majority of Zoom-bombing incidents in the first place, he argues. Zoom, along with thousands of meeting hosts around the world, would be wise to protect calls against a much simpler but ever present threat: hordes of bored, nihilistic kids looking for lulz.

