Most zoombombing incidents are inside jobs

Most zoombombing incidents are “inside jobs” according to a study featuring researchers at Binghamton University, State University of New York.

As the COVID-19 virus spread worldwide in early 2020, much of our lives went virtual, including meetings, classes and social gatherings.

The videoconferencing app Zoom became an online home for many of these activities, but the migration also led to incidents of zoombombing – disruptors joining online meetings to share racist or obscene content and cause chaos. Similar apps such as Google Meet and Skype also saw problems.

Cybersecurity experts expressed concerns about the apps’ ability to thwart hackers. A study, however, shows that most zoombombing incidents are “inside jobs.”

Assistant Professor Jeremy Blackburn and PhD student Utkucan Balci from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science teamed up with Boston University Assistant Professor Gianluca Stringhini and PhD student Chen Ling to analyze more than 200 calls from the first seven months of 2020.

Attackers don’t just stumble upon meeting invitations

They found that the vast majority of zoombombing are not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to stir up trouble.

“Some of the measures that people would think stops zoombombing — such as requiring a password to enter a class or meeting — did not deter anybody,” Blackburn said. “Posters just post the password online as well.

“Even the waiting rooms in Zoom aren’t a deterrent if zoombombers name themselves after people who are actually in the class to confuse the teacher. These strategies that circumvent the technical measures in place are interesting. It’s not like they’re hacking anything — they’re taking advantage of the weaknesses of people that we can’t do anything about.”

Because almost all targeting of Zoom meetings happens in real time (93% on 4chan and 98% on Twitter), the attacks seem to happen in an opportunistic fashion. Zoombombing posts cannot be identified ahead of time, so hosts have little or no time to prepare.

“It’s unlikely that there can be a purely technical solution that isn’t so tightly locked up that it becomes unusable,” Blackburn said. “Passwords don’t work – that’s the three-word summary of our research. We need to think harder about mitigation strategies.”

The problem is not restricted to just one country or time zone

Because of the worldwide reach of the internet, the research team found that the problem is not restricted to just one country or time zone.

“We found zoombombing calls from Turkey, Chile, Bulgaria, Italy and the United States,” Balci said. “It’s a globalized problem now because of the circumstances of COVID.”

Examining the dark corners of the internet has been Blackburn’s main research for the past decade, but as anonymity breeds antisocial behavior and hate, there are – sadly – always new topics to consider.

“When we start turning over rocks, it’s amazing what crawls out from under them,” he said. “We’re trying to look for one problem, but we’ll also find five other problems under there that are somehow related, and we have to look at that, too.”

One big drawback to this kind of study is having to do both quantitative and qualitative analyses on vile hate speech. It even has to be published with a warning so that readers can brace themselves for what’s ahead.

UPDATE: Tuesday, February 9, 2021 – 10:23 AM PT

A Zoom spokesperson reached out to Help Net Security following publication:

“We have been deeply upset to hear about these types of incidents, and Zoom strongly condemns such behavior. Zoom offers unique link capabilities when meeting registration is turned on. We have also recently updated a number of default settings and added features to help hosts more easily access in-meeting security controls, including controlling screen sharing, removing and reporting participants, and locking meetings, among other actions.”

“We have also been educating users on security best practices for setting up their meetings, including requiring registration, only allowing access to authenticated users, and preventing participants from renaming themselves. We encourage anyone hosting large-scale or public events to utilize Zoom’s webinar solution. We take meeting disruptions extremely seriously and we encourage users to report any incidents of this kind to Zoom and law enforcement authorities so the appropriate action can be taken against offenders.”