
As the popularity of video-conferencing software like Zoom has surged during the coronavirus pandemic, so, too, has the phenomenon of virtual gatecrashing, commonly known as Zoombombing.
This has included harassment, hate speech and offensive images being suddenly streamed into a virtual meeting, behaviour that has sometimes been tied to coordinated campaigns organised on internet message boards. In March, the US Federal Bureau of Investigation that it had “received multiple reports of conferences being disrupted by pornographic and/or hate images and threatening language”, and warned users to take security precautions to limit public access to private meetings.
Yet it appears that in the majority of online meetings disrupted by Zoombombing, the disturbances originate from insiders rather than external hackers.
Advertisement
Chen Ling at Boston University in Massachusetts and her colleagues analysed more than 200 requests to engage in Zoombombing posted to Twitter and the forum website 4chan in the first seven months of 2020.
They sifted through 12,000 tweets and 434 4chan threads that discussed online meeting rooms to find the Zoombombing requests. Seventy per cent of those asking on 4chan and 82 per cent of those doing so on Twitter had legitimate access to the meetings.
Most requests came from students in high school and university. Seventy four per cent of the posts on 4chan and 59 per cent of the posts on Twitter were calls to target online lectures.
In many cases, the insider shared information such as the names of real students in the class, asking Zoombombers to use those names in order to dupe teachers or meeting moderators into allowing them to join the call. Almost all of the requests for Zoombombing occurred in real time, with the link to a meeting posted as it was occurring.
“We have been deeply upset to hear about these types of incidents, and Zoom strongly condemns such behaviour,” said a Zoom spokesperson in a statement. The company says it has recently added security features including the ability to control screen-sharing, remove participants and lock meetings.
“It is very hard to prevent this kind of attack,” says Ling. “Providing a unique link for each participant can reduce the chances of success.” This would allow only one person to join for a given link and reduce the likelihood of disruption en masse.
The team also analysed the security features of 10 popular video-conferencing platforms, including Skype, Google Meet and Microsoft Teams. At the time of the analysis, only Zoom and Webex offered the possibility of each participant joining a meeting using a one-off personalised link.
Reference: