Zoombombing: Is Our Security Dead?

The pandemic has quickly spread its reach far and wide, necessitating stringent social distancing norms. At such a time, it’s no wonder that we are all looking for ways to interact and keep in touch with our colleagues, friends, and family. Just waiting to emerge into the limelight, video conferencing apps have found their moment. Whether one needs to attend lectures, plan meetings, or talk to loved ones—these apps have unquestionably been beneficial. Zoom, a Silicon Valley-based technology company, is one among many such platforms.

However, it’s not only families and friends using Zoom. With its immense boom in popularity, Zoom has become the number one video conferencing app for educational institutes. Since in-person classes cannot take place during the current pandemic, all education has taken to an online medium, with classes being held regularly for students. 

While Zoom has a lot to offer, its vulnerabilities have caught global attention. 

Zoom came under scrutiny for its security and privacy issues, ranging from leakage of personal information to a lack of end-to-end encryption (which ensures that nobody other than the participants—not even Zoom itself—can know the contents of a meeting). Perhaps the most significant of these is what allowed a phenomenon termed ‘Zoombombing’ to take place.

It’s fairly simple for anyone to join a Zoom meeting; all it requires is just one click on the provided link, with or without a password. However, this very convenience turned from being a strong selling point to a compromise on users’ security. Public meeting links posted on social media sites like Twitter or Reddit were easily accessible, allowing hijackers to disrupt a video call. 

A more pressing issue emerged: anyone could guess a few random numbers and barge into any meeting. Earlier, for instance, a Zoom meeting URL was of the form ‘Zoom.us/’ followed by a string of digits. Any pattern of these numbers would have been sufficient for you to accidentally enter a meeting, provided there was no password protection. Even setting passwords isn’t entirely safe, as they can be easily shared or leaked online by any of the participants.

While there are certain measures that can be taken to make access to classes a bit harder, such as enabling ‘Entry on Permission’ settings, not everyone can be expected to know how to do so. Teachers were thrust into a complete shift to online platforms as teaching mediums without any prior training. Due to this, a lot of them lack the knowledge of how to make their classrooms a little more secure and closed off to intruders.

Soon enough, hijacking classes was no longer a silly pastime. It is now a market for content—a cheap and disruptive way of earning some money. YouTubers have taken to filming themselves as they join random classes and interfere in academics.

This has become a trend within the YouTube community—the Zoombombing content ranges from people with small audiences to those who are considered Internet celebrities. 

While creating content is great, it should not come at the expense of someone else. These YouTubers joining random classes is extremely disruptive to the academics of students who are already struggling with new platforms. It also makes teachers’ jobs harder. Educators all over the world are already trying hard enough to keep their students’ attention and make their educational experiences seamless. Not only are they doing this while being overburdened with work but also while acclimating to a completely new method of teaching.

Interrupting classes for the sake of one’s entertainment is distasteful and extremely disrespectful to those who work so hard to teach future generations. 

However, Zoom isn’t just being used to disrupt classes. The app, which has now become the face of socialisation in this Covid-affected time, has been weaponised by so-called ‘trolls’ and has become a brand new ground for online abuse.

Anyone and everyone who uses Zoom can be subjected to all sorts of unwarranted behaviour. The platform is being used to spread hate speech and targeted harassment. People use the screenshare option within the app to share adult imagery and videos. 

A lot of this online abuse is a planned event. The New York Times did an investigation into this matter and in their words, “found 153 Instagram accounts, dozens of Twitter accounts and private chats, and several active message boards on Reddit and 4Chan where thousands of people had gathered to organize Zoom harassment campaigns, sharing meeting passwords and plans for sowing chaos in public and private meetings.”

These online abusers have turned Zoom harassment into a game. There are several groups on Discord where people assign each other points based on the intensity of the harassment in order to drive competition. The New York Times found 14 such Discord servers, with the largest group having over 2000 members.

The matter reached such severity that the Federal Bureau of Investigation (FBI) had to step in and release a public warning against the threat of ‘Zoombombing’ on March 30th. After the occurrence of multiple cases, it is now even termed a federal offence, leading to the possibility of legal charges. The FBI also issued a set of guidelines to help users make videoconferencing secure and protect themselves from being victimised.

The specific recommendations can be summed up as follows:

  • Don’t make the meetings public. Either make a password mandatory or use the waiting room, which allows only the host to let the participants enter the meeting.
  • Refrain from posting meeting links on social media sites; instead, send them out personally.
  • The screen sharing settings should be set to allow only the host to share their screen. This prevents anyone from gaining unwarranted access.
  • Ensure that updated versions of any such applications are used.
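
The four recommendations above can be checked mechanically against a list of scheduled meetings. The following is an added example, not code from the FBI guidance or from Zoom; the `Meeting` fields, the `MIN_CLIENT` baseline and the sample meetings are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

@dataclass
class Meeting:
    # Hypothetical settings record; field names are assumptions, not Zoom's schema.
    topic: str
    password_required: bool
    waiting_room: bool
    screen_share: str               # "host" or "all"
    link_posted_publicly: bool
    client_version: Tuple[int, ...]

MIN_CLIENT = (5, 0, 0)  # constructed baseline; use your organisation's minimum

def audit(m: Meeting) -> List[str]:
    """Return the recommendations this meeting's settings fail to meet."""
    findings = []
    # Either gate satisfies the first recommendation; flag only when both are off.
    if not (m.password_required or m.waiting_room):
        findings.append("open-entry: require a password or enable the waiting room")
    if m.link_posted_publicly:
        # A password shared alongside a public link can leak with it, so only
        # the host-controlled waiting room still gates entry in that case.
        if m.waiting_room:
            findings.append("public-link: send invitations personally")
        else:
            findings.append("public-link-no-waiting-room: enable the waiting room "
                            "and send invitations personally")
    if m.screen_share != "host":
        findings.append("screen-share: restrict sharing to the host")
    if m.client_version < MIN_CLIENT:
        findings.append("outdated-client: update the application")
    return findings

# Constructed sample meetings for illustration.
SAMPLES = [
    Meeting("Physics 101", False, False, "all", True, (4, 6, 8)),
    Meeting("Staff sync", True, False, "host", True, (5, 0, 0)),
    Meeting("Thesis review", True, True, "host", False, (5, 1, 0)),
]

def report(meetings: List[Meeting]) -> dict:
    """Map each meeting topic to the finding codes (text before the colon)."""
    return {m.topic: [f.split(":")[0] for f in audit(m)] for m in meetings}

if __name__ == "__main__":
    for topic, codes in report(SAMPLES).items():
        print(f"{topic}: {', '.join(codes) or 'ok'}")
```

The second sample shows why a password alone is not enough once the link is public: it passes the first check but is still flagged because no waiting room stands between a leaked password and the meeting.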

Several other social media platforms such as Reddit, Instagram and Discord have started banning hashtags, accounts, and servers associated with these activities and have released statements stating that they do not condone such behaviour.

Rather than inbuilt software defects, the problem lay in the inaccessibility of the features Zoom had to offer. The waiting rooms and meeting passwords were already available; they were just not employed in the platform’s default settings. Using Zoom can be quite daunting for some at first, which explains their lack of knowledge about these special features. Enabling the proper settings can help a user to secure their meetings.

After bearing the brunt of heavy criticism, Zoom’s founder and CEO, Eric Yuan, expressed his apologies—admitting that they hadn’t been ready for such a vast number of users. He acknowledged that the platform had “fallen short of the community’s – and our own – privacy and security expectations”.

However, he was indeed quick to respond. Following the promise of a 90-day plan focusing on user security, the app was updated. The new update makes the platform easily accessible. It provides some new features and enables every security setting by default. A ‘Report a User’ option has been made available via a Security icon. If a user is reported, the complaint is sent to Zoom, whose team starts an investigation. The platform has also added 11-digit meeting IDs, to prevent potential hackers from guessing the ID. It’s recommended not to share or use personal meeting IDs for public meetings. The user can even opt to change the ID and password for every new meeting.

While Zoom, along with all other videoconference apps, is responsible for providing utmost security and privacy to its users, even the users are accountable for their behaviour. Incidents of Zoombombing have sharply brought out the negative aspects of the ways we use the Internet.

Written by Tanya Jain and Tulika Somani for MTTN
Featured Image from www.DukeChronicle.com
