Last year wasn't exactly short of threats facing humanity, but Zoombombing was an especially 2020 kind of disruption, one that sought to hijack one of the most prominent means of communication by which people stayed in touch with everyone from co-workers to friends and family during lockdown.
Zoombombing, for those unfamiliar with it, works like this: An unwanted participant or participants access a Zoom call without being invited, against the wishes of the participants, and cause problems. One Massachusetts-based high school's Zoom session was hijacked by an individual who screamed profanities and then shouted the teacher's home address. On social media, some users reported that their Zoom session had been taken over and used to show pornographic content.
Zoom, whose usage exploded during the pandemic, was suddenly at the center of what appeared to be a glaring vulnerability problem: It was as if the leading manufacturer of front door locks revealed a high failure rate during a home invasion epidemic.
But researchers from Binghamton University in New York say there's more to this story than meets the eye. According to a world-first study they have carried out, the majority of Zoombombing incidents are actually "inside jobs." To draw an analogy with creepy campfire stories about terrified babysitters: The calls are coming from inside the house. Well, kind of.
"There were a lot of people that thought that maybe this was some kind of clever hacking, or else [the result of attackers] finding people that would accidentally post Zoom links on social media or sending out email blasts," Jeremy Blackburn, an assistant professor of computer science at Binghamton University, told Digital Trends. "[People figured it was] these outsiders who were randomly showing up, somehow finding a link to a meeting. It was an act of attack that the Zoombombers were perpetuating, just by themselves."
Blackburn's major research interest, his university website profile notes, involves understanding jerks on the internet, from toxic behavior and hate speech to fringe and extremist web communities. He was intrigued by the rise of Zoombombing as a phenomenon, but also not entirely convinced by the theories.
How were they getting in? They could be brute-forcing the call IDs, but given the size of the search space, it seemed unlikely that they would be able to consistently find active calls to target. And while human error was certainly possible, in terms of people leaving Zoom links lying around, this also seemed improbable.
To quote Sherlock Holmes' popular aphorism: "When you have eliminated the impossible, whatever remains, must be the truth." Or, in this case, if people aren't breaking into Zoom calls on their own, someone on the call must be willfully letting them in.
"As it turns out, what we found is that Zoombombings were perpetuated by people that were legitimately in the call," Blackburn said. "What would happen is that [a member of the call] would go ahead and share the meeting link on some fringe websites and say, 'Hey guys, show up and, you know, say the N-word or whatever in the call.' Pretty much every time, it was a student asking people to come [and] Zoombomb lectures. They would also do things like say, 'Hey, use this name when you connect, because that's the name of somebody else in the class.'"
To reach this conclusion, the researchers scoured tens of millions of social media posts, uncovering more than 200 calls for Zoombombing between Twitter and 4chan during the first seven months of 2020 alone. Between January and July that year, they identified 12,000 tweets and 434 4chan threads that discussed online meeting rooms, then used thematic qualitative analysis to identify the posts calling for Zoombombing. As Blackburn noted, the majority of the calls for Zoombombing in their dataset targeted online lectures, with evidence of both universities and high schools being the most heavily targeted groups.
In addition to Zoom, they also found evidence of similar bombing attacks on other popular communication platforms including Hangouts, Google Meet, Skype, Jitsi, GoToMeeting, Microsoft Teams, Cisco Webex, BlueJeans, and StarLeaf.
"[For a company like Zoom], unless they perform the type of investigation we did, on their end it seems really difficult to detect this type of thing," Blackburn said. "Because it's not really a technical vulnerability. It's kind of a sociotechnical vulnerability ... If they were just looking at traffic [or whatever other] metrics they have, I'm not sure it would be possible to purely detect this. You would need a study like ours that goes out and specifically tries to understand how this sociotechnical problem is unfolding."
(Digital Trends reached out to Zoom for comment, and we will update this story when we hear back.)
The results pose a challenge for communication platforms like Zoom. Their ease of use makes them appealing. Just click a link and you're suddenly talking to your friends or joining the morning huddle at work. But this also necessitates lowering security measures that could eradicate this behavior.
"Anything involving security is always kind of a trade-off between ease of use and the robustness of the security," Blackburn said. "I don't think people [would want to] go through a whole process of registering individual users and creating one-time links [in a more time-intensive manner]. It's much easier, and much more straightforward for non-tech-savvy people, to just have a link, click it, and it opens the program. That is certainly a big reason that Zoom gained the type of adoption it did. If it would have had a much more complicated, but secure, registration system, I would imagine something else would have [become] the dominant application."
Zoom does offer passwords as a login option. However, given the complicity of users, they would seem unlikely to have blocked Zoombombers with the right advance knowledge. The same is true for waiting rooms, in which the host must manually approve people for entrance. While this would seem to be a more secure option, they are insufficient if the Zoombombers name themselves after people in a class in order to confuse the teacher or lecturer. (Thanks to a recent update, hosts can, however, pause their meetings to manually remove troublesome participants.)
Blackburn describes Zoombombing behavior as "raiding," and says that it has always been a part of online life. "Now, it's using Zoom, but if you go back even to the IRC days (read: Internet Relay Chat, an early text-based chat protocol created in 1988), there were [online] wars where people would try and take over different channels," he said. "Any time you have computer-mediated communication on the web [that's] instant and semi-anonymous, you're going to have people that get into conflict and attempt to disrupt things. In that sense, it's not new, it's the same basic sociotechnical problem with the internet. If there's an available mechanism to cause trouble, somebody's going to cause trouble."
In addition to Blackburn, other researchers on the project include Chen Ling, Utkucan Balcı, and Gianluca Stringhini. A paper describing the work, titled "A First Look at Zoombombing," is available to read online.
Link:
Inside job: Why Zoombombing isn't as random as you might think - Digital Trends