Why Insider Job ‘Zoom Bombs’ Are So Hard to Stop

When Covid-19 spread globally last spring, it made Zoom an immediate household name. But while the videoconferencing platform offered a lifeline for the socially distanced, it soon suffered rampant intrusions from trolls crashing Zoom calls to insult participants, shout racist slurs, and display obscene images. Even after Zoom password-protected its calls by default, the so-called Zoom-bombing continued. Now one team of researchers has an answer for why many of the measures to secure Zoom calls haven't stopped the scourge: In many cases—perhaps even most of them—the culprit is someone on the inside.
At the USENIX Enigma security conference today, Boston University computer scientist Gianluca Stringhini plans to present the results of research that he and a team from BU and Binghamton University carried out over the past year to get to the root of the Zoom-bombing plague, one that affects not only Zoom but also other videoconferencing services like Cisco WebEx and Google Meet. Stringhini and his fellow researchers, who specialize in how online communities coordinate malicious activity, monitored the organization of mass Zoom-bombing actions on both Twitter and 4chan over the course of 2020.
Their findings point to a surprising conclusion: The majority of Zoom-bombing cases the researchers observed began with a participant in the call posting the link publicly and inviting trolls and miscreants to attack it. Seventy percent of calls for Zoom-bombing that researchers found on 4chan and 82 percent found on Twitter appeared to be this sort of inside job. The phenomenon is explained in part by another, less surprising finding: The majority of Zoom-bombing incidents—74 percent of those organized on 4chan and 59 percent on Twitter—targeted high school and college classes.
"Our findings are basically that most of these calls seem to be targeting online classes, and they seem to be called by insiders," says Stringhini. "Students in the class are bored or want to piss off their lecturer or whatever, so they basically post details of their own classes online and ask people to join and disrupt them."

Many security measures intended to lock out Zoom-bombers have turned out to be ineffective against that majority of Zoom-bombings initiated by insiders, Stringhini says. Password protection doesn't help, he points out, when a participant is sharing the password publicly with attackers. Nor does a waiting room for screening entrants into the call; insiders who colluded with Zoom-bombers often shared lists of legitimate invitees in the call to allow attackers to easily impersonate them. "Basically all the defenses that have been proposed against Zoom-bombing assume they're coming from the outside," Stringhini says. "But actually, the fact that insiders are calling for these attacks calls these mitigations into question."
Starting in December 2019 and continuing through July 2020, the researchers collected every post they could find on 4chan and Twitter that seemed to discuss a specific online meeting, tallying 434 4chan threads and more than 12,000 tweets. They then manually analyzed and annotated the results to identify more than 200 instances of users sharing videoconference links and calling for others to swarm and disrupt the call. (Since Zoom-bombing only began in earnest in March 2020, they focused most of their attention on the four months that followed, when they observed around 50 Zoom bombs per month across all videoconferencing services.)
Stringhini concedes that the Zoom-bombing messages they observed likely represent only a minority of total Zoom-bombings over the time period they studied. Some incidents may have eluded their measurement, such as one-person Zoom-bombings carried out by individual hackers who are able to brute-force guess the URL of a Zoom call that's not password protected—a phenomenon documented as recently as last April. And a larger number of mass Zoom-bombings may be organized on other platforms they didn't measure, too, such as Discord or IRC, Stringhini notes. But he argues that their data set should be broadly representative of these attacks too.