Most calls to disrupt videoconferences originate with the participants, especially in high schools and colleges.
While the videoconferencing platform offered a lifeline for the socially distanced, it soon suffered rampant intrusions from trolls crashing Zoom calls to insult participants, shout racist slurs, and display obscene images.
At the USENIX Enigma security conference today, Boston University computer scientist Gianluca Stringhini plans to present the results of research that he and a team from BU and Binghamton University carried out over the past year to get to the root of the Zoom-bombing plague, one that affects not only Zoom but also other videoconferencing services like Cisco WebEx and Google Meet. Stringhini and his fellow researchers, who specialize in how online communities coordinate malicious activity, monitored the organization of mass Zoom-bombing actions on both Twitter and 4chan over the course of 2020.
Their findings point to a surprising conclusion: The majority of Zoom-bombing cases the researchers observed began with a participant in the call posting the link publicly and inviting trolls and miscreants to attack it. Seventy percent of calls for Zoom-bombing that researchers found on 4chan and 82 percent found on Twitter appeared to be this sort of inside job. The phenomenon is explained in part by another, less surprising finding: The majority of Zoom-bombing incidents—74 percent of those organized on 4chan and 59 percent on Twitter—targeted high school and college classes.
Many security measures intended to lock out Zoom-bombers have turned out to be ineffective against that majority of attacks initiated by insiders, Stringhini says. Password protection doesn’t help, he points out, when a participant is sharing the password publicly with attackers. Nor does a waiting room for screening entrants into the call; insiders who colluded with Zoom-bombers often shared lists of legitimate invitees in the call to allow attackers to easily impersonate them. “Basically all the defenses that have been proposed against Zoom-bombing assume they’re coming from the outside,” Stringhini says. “But actually, the fact that insiders are calling for these attacks calls these mitigations into question.”
Notably, Zoom’s primary response to the problem—turning on password protection for calls by default on March 30—didn’t slow the rate of Zoom-bombing the researchers measured. In the weeks before that change, they saw an average of eight attacks a week targeting Zoom calls rather than other services. In the weeks afterward, they observed an average of 8.6 of those Zoom-bombings. While that increase is no doubt explained in part by Zoom’s massive rate of adoption at the same time, it demonstrates that password protection hardly solved the problem.
Both Stringhini and Zoom itself recommend that users secure their calls against Zoom-bombing not only with the default password protection, but also by requiring that users be logged in and authenticated.