‘Zoombombing’ research shows legitimate meeting attendees cause most attacks
Disruptors post links, passwords on social media and invite havoc
As the COVID-19 virus spread worldwide in early 2020, much of our lives went virtual, including meetings, classes and social gatherings.
The videoconferencing app Zoom became an online home for many of these activities, but the migration also led to incidents of “zoombombing” — disruptors joining online meetings to share racist or obscene content and cause chaos. Similar apps such as Google Meet and Skype also saw problems.
Cybersecurity experts expressed concerns about the apps’ ability to thwart hackers. A new study from researchers at Binghamton University and Boston University, however, shows that most zoombombing incidents are “inside jobs.”
Assistant Professor Jeremy Blackburn and PhD student Utkucan Balcı from the Department of Computer Science at Binghamton University’s Thomas J. Watson College of Engineering and Applied Science teamed up with and PhD student Chen Ling to analyze more than 200 calls from the first seven months of 2020.
They found that the vast majority of zoombombings are not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to stir up trouble.
“Some of the measures that people would think stops zoombombing — such as requiring a password to enter a class or meeting — did not deter anybody,” Blackburn said. “Posters just post the password online as well.
“Even the waiting rooms in Zoom aren’t a deterrent if zoombombers name themselves after people who are actually in the class to confuse the teacher. These strategies that circumvent the technical measures in place are interesting. It’s not like they’re hacking anything — they’re taking advantage of the weaknesses of people that we can’t do anything about.”
Because almost all targeting of Zoom meetings happens in real time (93% on 4chan and 98% on Twitter), the attacks seem to happen in an opportunistic fashion. Zoombombing posts cannot be identified ahead of time, so hosts have little or no time to prepare.
“It’s unlikely that there can be a purely technical solution that isn’t so tightly locked up that it becomes unusable,” Blackburn said. “Passwords don’t work — that’s the three-word summary of our research. We need to think harder about mitigation strategies.”
Because of the worldwide reach of the internet, the research team found that the problem is not restricted to just one country or time zone.
“We found zoombombing calls from Turkey, Chile, Bulgaria, Italy and the United States,” Balcı said. “It’s a globalized problem now because of the circumstances of COVID.”
Examining the dark corners of the internet has been Blackburn’s main research for the past decade, but as anonymity breeds antisocial behavior and hate, there are — sadly — always new topics to consider.
“When we start turning over rocks, it’s amazing what crawls out from under them,” he said. “We’re trying to look for one problem, but we’ll also find five other problems under there that are somehow related, and we have to look at that, too.”
One big drawback to this kind of study is having to do both quantitative and qualitative analyses on vile hate speech. It even has to be published with a warning so that readers can brace themselves for what’s ahead.
Blackburn and Balcı both said that the camaraderie and open conversations at Blackburn’s lab keep everyone on an even keel.
“We do our best to make sure everybody is not taking it too personally,” Blackburn said. “If you don’t look at the content, you can’t really do research about it, but if you look at the content too much or too deeply — you stare into the abyss a bit too long — you might fall into it. It’s hard walking that line.”
Balcı added: “Sometimes I don’t want to look at Twitter too much because the content is too overwhelming. It might depress me. However, from a research perspective, I’m curious about why these things happen. I just need to look at it in a more objective way.”
The research was published by the IEEE Symposium on Security and Privacy (Oakland), 2021.