BINGHAMTON, N.Y. — With much of the world switching to remote work due to COVID-19, video conferences and virtual chats using platforms like Zoom have exploded in popularity over the last year. Not all Zoom meetings go as planned, however. In some instances, which researchers at Binghamton University call “zoombombings,” disruptors enter the video session and start making racist or obscene comments. While common sense might suggest these bad actors are uninvited guests who hack into online meetings, a new study concludes most zoombombing incidents are actually “inside jobs.”
After analyzing more than 200 online video sessions during the first seven months of 2020, researchers discovered that the vast majority of zoombombings do not involve hackers finding their way into private meetings or “bruteforcing” ID numbers. Instead, the study finds most unwanted interrupters receive an invitation from at least one legitimate member of the meeting. In many cases, high schoolers or teenagers are part of the scheme. In other scenarios, invitees share links and passwords on message boards or social media along with a call to action — inciting chaos.
“Some of the measures that people would think stops zoombombing — such as requiring a password to enter a class or meeting — did not deter anybody,” says study co-author Jeremy Blackburn, in a university release. “Posters just post the password online as well.”
“Even the waiting rooms in Zoom aren’t a deterrent if zoombombers name themselves after people who are actually in the class to confuse the teacher. These strategies that circumvent the technical measures in place are interesting. It’s not like they’re hacking anything — they’re taking advantage of the weaknesses of people that we can’t do anything about,” adds the associate professor from the Department of Computer Science at Binghamton’s Thomas J. Watson College of Engineering and Applied Science.
‘Passwords don’t work’ against zoombombings
Study authors say the majority of these attacks occur spontaneously, which suggests disruptors act whenever an opportunity presents itself. This leaves legitimate Zoom users little time to prepare or adapt.
“It’s unlikely that there can be a purely technical solution that isn’t so tightly locked up that it becomes unusable,” Blackburn comments. “Passwords don’t work — that’s the three-word summary of our research. We need to think harder about mitigation strategies.”
This isn’t just an issue in the U.S. either; it’s happening all over the planet.
“We found zoombombing calls from Turkey, Chile, Bulgaria, Italy and the United States,” study co-author Utkucan Balci reports. “It’s a globalized problem now because of the circumstances of COVID.”
“When we start turning over rocks, it’s amazing what crawls out from under them,” Blackburn adds. “We’re trying to look for one problem, but we’ll also find five other problems under there that are somehow related, and we have to look at that, too.”
The internet can be a dark and hurtful place
On a human level, the study authors themselves admit the research was tough to perform because of all the hurtful and bigoted statements they had to expose themselves to.
“We do our best to make sure everybody is not taking it too personally,” Blackburn says. “If you don’t look at the content, you can’t really do research about it, but if you look at the content too much or too deeply — you stare into the abyss a bit too long — you might fall into it. It’s hard walking that line.”
“Sometimes I don’t want to look at Twitter too much because the content is too overwhelming. It might depress me. However, from a research perspective, I’m curious about why these things happen. I just need to look at it in a more objective way,” Balci concludes.
The study was published by the IEEE Symposium on Security and Privacy (Oakland), 2021.