Blake Nissen/The Boston Globe/Getty Images
The Zoombombing trend, where digital disruptors join online meetings and spew hateful comments, play loud music and share lewd content, thankfully seems to have died down in recent months.
As staff, students and faculty at some colleges approach nearly a year of working and studying remotely, perhaps the novelty of ruining someone’s day by inviting strangers to commandeer their conference call has worn off. Some would-be intruders may have been spooked by the FBI encouraging people to report incidents of Zoombombing as cybercrimes. Or perhaps meeting hosts have simply taken measures to make it more difficult for unwanted visitors to gain access.
But how did the trend take off in the first place?
Researchers at Binghamton University and Boston University think they may have found the answer. A preprint study recently published by the IEEE Symposium on Security and Privacy found that most attacks on videoconference calls were not the result of people stumbling across meeting invitations online or using a trial-and-error technique known as brute forcing to guess meeting ID numbers, as some cybersecurity experts and analysts suspected. Rather, the attacks in early 2020 were inside jobs. This has significant ramifications for instructors looking to secure their Zoom classrooms.
The study, which has not yet been peer reviewed, suggests that most Zoombombing attacks begin with a legitimate attendee of a meeting inviting others to come and disrupt it, said Jeremy Blackburn, assistant professor of computer science at Binghamton University, who co-authored the study.
The study's authors looked at 10 popular online meeting platforms, including Zoom and Google Meet, and identified social media posts sharing invitations to meetings on the platforms. The social media analysis focused on Twitter and 4chan -- a fringe online community where many Zoombombing attacks were coordinated.
Researchers examined over 200 invitations to gate-crash conference calls between January and July of 2020. Most targeted online lectures, with a rate of 74 percent on 4chan and 59 percent on Twitter. The researchers found evidence of both universities and high schools being targeted.
The social media messages cited in the study were both quantitatively and qualitatively analyzed, meaning the team had to read through some uncomfortable content. Some such content is included in the report following a content warning. The comments include racist, ableist, homophobic and anti-Semitic language.
"We do our best to make sure everybody is not taking it too personally," Blackburn said in a news release. "If you don't look at the content, you can't really do research about it, but if you look at the content too much or too deeply -- you stare into the abyss a bit too long -- you might fall into it. It's hard walking that line."
Zoom meeting attackers often feel emboldened to do and say outrageous things under the cloak of anonymity, Blackburn said. He described a psychological effect known as online toxic disinhibition, which is the tendency of internet users to say worse things online than they would when speaking to someone face-to-face.
While students were almost exclusively responsible for spurring the Zoombombing attacks, according to the study findings, some may not have realized quite what they were getting themselves into when they invited the internet to come and play. What might start as a lighthearted prank can quickly spiral out of control online, said Blackburn.
The study findings have important security implications because they illustrate that common protections against Zoombombing, such as the use of passwords, are ineffective. Meeting attendees may simply share passwords online alongside the meeting link, Blackburn said.
In the higher ed context, Blackburn and his colleagues found cases of students instructing intruders to join online classes using the names of real students in those classes to avoid detection -- making the practice of setting up a virtual waiting room to vet students less effective.
Because of the opportunistic nature of Zoombombing incidents, it is very difficult for hosts to prepare against attacks ahead of time, Blackburn said. Almost all targeting of Zoom meetings happens in real time, the study found -- 93 percent of the time on 4chan and 98 percent of the time on Twitter.
The study advises that the only truly effective defense against Zoombombing is creating unique meeting invitation links for each meeting participant. At higher education institutions, Blackburn also recommends restricting access to participants with institutional email addresses. But Blackburn cautions against introducing so many restrictions that classes become difficult to access.
“There has to be a trade-off between convenience and security,” Blackburn said. “We need to find a tolerable medium.”