As the COVID-19 pandemic forced schools, colleges, and businesses to limit in-person meetings, the world quickly adopted video conferencing from services such as Zoom and Google Meet. That, in turn, gave way to “zoombombing,” the term for when Internet trolls join online meetings with the goal of disrupting them and harassing their participants. Meeting services have adopted a variety of countermeasures, but a new research paper finds that most of them are ineffective.
The most commonly used countermeasures include password-protecting meetings, using waiting rooms so that conference organizers can vet people before allowing them to participate, and counseling participants not to post meeting links in public forums.
The problem with these approaches is that they assume the wrong threat model. One common assumption, for instance, is that the harassment is organized by outsiders who weren’t privy to meeting details. Researchers at Boston University and the State University of New York at Binghamton studied zoombombing calls posted on social media for the first seven months of last year and found that wasn’t the case in most instances.
In a paper titled A First Look at Zoombombing, the researchers wrote:
Our findings indicate that the vast majority of calls for zoombombing are not made by attackers stumbling upon meeting invitations or bruteforcing their meeting ID, but rather by insiders who have legitimate access to these meetings, particularly students in high school and college classes. This has important security implications, because it makes common protections against zoombombing, such as password protection, ineffective. We also find instances of insiders instructing attackers to adopt the names of legitimate participants in the class to avoid detection, making countermeasures like setting up a waiting room and vetting participants less effective. Based on these observations, we argue that the only effective defense against zoombombing is creating unique join links for each participant.
The researchers reached their findings by analyzing posts on Twitter and 4chan.
A vexing problem
Zoombombing has been a concern for schools, universities, and other groups that have adopted video conferencing. At an August court hearing for a Florida teen accused of hacking Twitter, for instance, zoombombers interrupted the proceedings to hurl racial slurs and display pornographic videos. A Zoom conference hosting students from the Orange County Public Schools system in Florida was disrupted after an uninvited participant exposed himself to the class.
The outrage that events like these cause has prompted online meeting services to adopt measures designed to counter the harassment. Many publications, Ars included, have also provided posts explaining how meeting organizers can prevent zoombombing.
Countermeasures typically include:
- Making sure meetings are password protected
- When possible, not announcing meetings on social media or other public outlets
- Using the Waiting Room option to admit participants
The problem with these measures is that they don’t work well or at all when zoombombing is organized by insiders who have authorization to join a meeting. Anyone who’s authorized to join a meeting will obviously have a meeting password that they can then share with others.
Requiring participants to be vetted in a waiting room before they can join a meeting is only slightly more effective, since “insiders often share additional information with potential attackers, for example instructing them to select names that correspond to legitimate participants in the meeting,” the researchers wrote. “This reduces the effectiveness of a waiting room, because it makes it more difficult for hosts and moderators to identify intruders.”
What’s more, vetting people before admitting them often doesn’t scale for meetings with large numbers of users, making that option infeasible for many.
Another half-measure is providing a unique link for each participant. It won’t stop zoombombing if the meeting service still allows more than one person to join with the same link, but it does help the organizer to more easily identify the insider who provided the link to outsiders.
The researchers wrote:
An even better mitigation is to allow each participant to join using a personalized meeting link. This way, as long as the insider joins the meeting, unauthorized people will not be able to join using the same link. While this mitigation makes zoombombing unfeasible, not all meeting services have adopted it. At the moment of writing, only Zoom and Webex allow per-participant links that allow a single user to join at a time. To do this, Zoom requires participants to log in, and checks if the unique link is the same that was sent to that email address as a calendar invite. We encourage other meeting platforms to adopt similar access control measures to protect their meetings from insider threats.
In a statement, Zoom officials wrote:
We have been deeply upset to hear about these types of incidents, and Zoom strongly condemns such behavior. Zoom offers unique link capabilities when meeting registration is turned on. We have also recently updated a number of default settings and added features to help hosts more easily access in-meeting security controls, including controlling screen sharing, removing and reporting participants, and locking meetings, among other actions. We have also been educating users on security best practices for setting up their meetings, including requiring registration, only allowing access to authenticated users, and preventing participants from renaming themselves. We encourage anyone hosting large-scale or public events to utilize Zoom’s webinar solution. We take meeting disruptions extremely seriously and we encourage users to report any incidents of this kind to Zoom and law enforcement authorities so the appropriate action can be taken against offenders.
The researchers said their work is the first data-driven analysis of calls for zoombombing attacks made on social media. Given the continued and growing reliance on video conferencing, it’s not likely to be the last.