Most zoombombing incidents are “inside jobs” according to a new study featuring researchers at Binghamton University and the State University of New York.
As the Covid-19 virus spread worldwide in early 2020, much of our lives went virtual, including meetings, classes and social gatherings.
The videoconferencing app, Zoom, became an online platform for many of these activities, but the migration also led to incidents of “zoombombing” — disruptors joining online meetings to share racist or obscene content and cause chaos. Similar apps such as Google Meet and Skype also experienced the same issues.
Assistant Professor Jeremy Blackburn and PhD student Utkucan Balcı from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science teamed up with Boston University Assistant Professor Gianluca Stringhini and PhD student Chen Ling to analyse more than 200 calls from the first seven months of 2020.
They found that the majority of zoombombing incidents were not caused by attackers stumbling upon meeting invitations or “bruteforcing” their ID numbers, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. Authorized users share links, passwords and other information on sites such as Twitter and 4chan, along with a call to cause trouble.
“Some of the measures that people would think stop zoombombing — such as requiring a password to enter a class or meeting — did not deter anybody,” says Blackburn. “Posters just post the password online as well.
“Even the waiting rooms in Zoom aren’t a deterrent if zoombombers name themselves after people who are actually in the class to confuse the teacher. These strategies that circumvent the technical measures in place are interesting. It’s not like they’re hacking anything — they’re taking advantage of the weaknesses of people that we can’t do anything about.”
Because the majority of targeting of Zoom meetings happens in real time (93% on 4chan and 98% on Twitter), the attacks seem to be plotted in an opportunistic fashion. Zoombombing posts cannot be identified ahead of time, leaving hosts with little or no time to prepare.
“It’s unlikely that there can be a purely technical solution that isn’t so tightly locked up that it becomes unusable,” says Blackburn. “Passwords don’t work — that’s the three-word summary of our research. We need to think harder about mitigation strategies.”
Because of the worldwide reach of the internet, the research team found that the problem is not restricted to just one country or time zone.
“We found zoombombing calls from Turkey, Chile, Bulgaria, Italy and the United States,” Balcı said. “It’s a globalized problem now because of the circumstances of Covid.”
Examining the dark corners of the internet has been Blackburn’s main research focus for the past decade, but as anonymity breeds antisocial behavior and hate, there are new topics to consider.
“When we start turning over rocks, it’s amazing what crawls out from under them,” says Blackburn. “We’re trying to look for one problem, but we’ll also find five other problems under there that are somehow related, and we have to look at that, too.”
A drawback of such a study is having to do both quantitative and qualitative analyses on hate speech. It even has to be published with a warning so that readers can brace themselves for what’s ahead.
Blackburn and Balcı both said that the camaraderie and open conversations at Blackburn’s lab keep everyone on an even keel.
“We do our best to make sure everybody is not taking it too personally,” says Blackburn. “If you don’t look at the content, you can’t really do research about it, but if you look at the content too much or too deeply — you stare into the abyss a bit too long — you might fall into it. It’s hard walking that line.”
Balcı says: “Sometimes I don’t want to look at Twitter too much because the content is too overwhelming. It might depress me. However, from a research perspective, I’m curious about why these things happen. I just need to look at it in a more objective way.”
The research, “A First Look at Zoombombing”, was published at the IEEE Symposium on Security and Privacy (Oakland), 2021.