Inside job: Why Zoombombing isn’t as random as you might think

OLIVIER DOULIERY/AFP via Getty Images

Last year wasn’t exactly short of threats facing humanity, but “Zoombombing” was an especially 2020 kind of disruption, one that sought to hijack one of the most prominent means of communication by which people stayed in touch with everyone from co-workers to friends and family during lockdown.

Zoombombing, for those unfamiliar with it, works like this: An unwanted participant or participants access a Zoom call without being invited, against the wishes of the participants, and cause problems. One Massachusetts-based high school’s Zoom session was hijacked by an individual who screamed profanities and then shouted the teacher’s home address. On social media, some users reported that their Zoom session had been taken over and used to show pornographic content.

Zoom, whose usage exploded during the pandemic, was suddenly at the center of what appeared to be a glaring vulnerability problem: It was as if the leading manufacturer of front door locks revealed a high failure rate during a home invasion epidemic.

But researchers from Binghamton University in New York say there’s more to this story than meets the eye. According to a world’s-first study they have carried out, the majority of Zoombombing incidents are actually inside jobs. To draw an analogy with creepy campfire stories about terrified babysitters: “The calls are coming from inside the house.” Well, kind of.

“There were a lot of people that thought that maybe this was some kind of clever hacking, or else [the result of attackers] finding people that would accidentally post Zoom links on social media or sending out email blasts,” Jeremy Blackburn, an assistant professor of computer science at Binghamton University, told Digital Trends. “[People figured it was] these outsiders who were randomly showing up, somehow finding a link to a meeting. It was an act of attack that the Zoombombers were perpetuating, just by themselves.”

Lone wolves, online packs

Blackburn’s major research interest, his university website profile notes, involves “understanding jerks on the internet,” from toxic behavior and hate speech to fringe and extremist web communities. He was intrigued by the rise of Zoombombing as a phenomenon, but also not entirely convinced by the theories.

How were they getting in? They could be brute-forcing the call IDs, but given the size of the search space, it seemed unlikely that they would be able to consistently find active calls to target. And while human error was certainly possible, in terms of people leaving Zoom links lying around, this also seemed improbable.

To quote Sherlock Holmes’ popular aphorism: When you have eliminated the impossible, whatever remains, must be the truth. Or, in this case, if people aren’t breaking into Zoom calls on their own, someone on the call must be willfully letting them in.

“As it turns out, what we found is that Zoombombings were perpetuated by people that were legitimately in the call,” Blackburn said. “What would happen is that [a member of the call] would go ahead and share the meeting link on some fringe websites and say, ‘Hey guys, show up and, you know, say the ‘N-word’ or whatever in the call.’ Pretty much every time, it was a student asking people to come [and] Zoombomb lectures. They would also do things like say, ‘Hey, use this name when you connect, because that’s the name of somebody else in the class.'”

OLIVIER DOULIERY/AFP via Getty Images

To reach this conclusion, the researchers scoured tens of millions of social media posts, uncovering more than 200 calls for Zoombombing between Twitter and 4chan during the first seven months of 2020 alone. Between January and July that year, they identified 12,000 tweets and 434 4chan threads that discussed online meeting rooms, then used thematic qualitative analysis to identify the posts calling for Zoombombing. As Blackburn noted, the majority of the calls for Zoombombing in their dataset targeted online lectures, with evidence of both universities and high schools being the most heavily targeted groups.

In addition to Zoom, they also found evidence of similar “bombing” attacks on other popular communication platforms including Hangouts, Google Meet, Skype, Jitsi, GoToMeeting, Microsoft Teams, Cisco Webex, BlueJeans, and StarLeaf.

“[For a company like Zoom], unless they perform the type of investigation we did, on their end it seems really difficult to detect this type of thing,” Blackburn said. “Because it’s not really a technical vulnerability. It’s kind of a sociotechnical vulnerability … If they were just looking at traffic [or whatever other] metrics they have, I’m not sure it would be possible to purely detect this. You would need a study like ours that goes out and specifically tries to understand how this sociotechnical problem is unfolding.”

(Digital Trends reached out to Zoom for comment, and we will update this story when we hear back.)

Security trade-offs

The results pose a challenge for communication platforms like Zoom. Their ease of use makes them appealing. Just click a link and you’re suddenly talking to your friends or joining the morning huddle at work. But this also necessitates lowering security measures that could eradicate this behavior.

“Anything involving security is always kind of a trade-off between ease of use and the robustness of the security,” Blackburn said. “I don’t think people [would want to] go through a whole process of registering individual users and creating one-time links [in a more time-intensive manner]. It’s much easier, and much more straightforward for non-tech-savvy people, to just have a link, click it, and it opens the program. That is certainly a big reason that Zoom gained the type of adoption it did. If it would have had a much more complicated, but secure, registration system, I would imagine something else would have [become] the dominant application.”

Zoom does offer passwords as a login option. However, given the complicity of users, they would seem unlikely have to blocked Zoombombers with the right advanced knowledge. The same is true for waiting rooms, in which the host must manually approve people for entrance. While this would seem to be a more secure option, they are insufficient if the Zoombombers name themselves after people in a class in order to confuse the teacher or lecturer. (Thanks to a recent update, hosts can, however, pause their meetings to manually remove troublesome participants.)

Blackburn describes Zoombombing behavior as “raiding,” and says that it has always been a part of online life. “Now, it’s using Zoom, but if you go back even to the IRC days (read: Internet Relay Chat, an early text-based chat protocol created in 1988), there were [online] wars where people would try and take over different channels,” he said. “Any time you have computer-mediated communication on the web … [that’s] instant and semi-anonymous, you’re going to have people that get into conflict and attempt to disrupt things. In that sense, it’s not new, it’s the same basic sociotechnical problem with the internet. If there’s an available mechanism to cause trouble, somebody’s going to cause trouble.”

In addition to Blackburn, other researchers on the project include Chen Ling, Utkucan Balcı, and Gianluca Stringhini. A paper describing the work, titled “A First Look at Zoombombing,” is available to read online.

Editors' Recommendations