Why ‘Inside Job’ Zoombombs Are So Hard to Stop

Sec_zoombombing_722229509.jpg

When Covid-19 spread globally last spring, it made Zoom an immediate household name. But while the videoconferencing platform offered a lifeline for the socially distanced, it soon suffered rampant intrusions from trolls crashing Zoom calls to insult participants, shout racist slurs, and display obscene images. Even after Zoom password-protected its calls by default, the so-called zoombombing continued. Now one team of researchers has an answer for why many of the measures to secure Zoom calls haven’t stopped the scourge: In many cases—if not most of them—the real culprit is someone on the inside.

At the USENIX Enigma security conference today, Boston University computer scientist Gianluca Stringhini plans to present the results of research that he and a team from BU and Binghamton University carried out over the last year to get to the root of the zoombombing plague, one that affects not only Zoom but other videoconferencing services like Cisco WebEx and Google Meet. Stringhini and his fellow researchers, who specialize in how online communities coordinate malicious activity, monitored the organization of mass zoombombing actions on both Twitter and 4chan over the course of 2020.

Their findings point to a surprising conclusion: The majority of zoombombing cases the researchers observed began with a participant in the call posting the link publicly and inviting trolls and miscreants to attack it. Seventy percent of calls for zoombombing the researchers found on 4chan and 82 percent found on Twitter appeared to be this sort of inside job. The phenomenon is explained in part by another, less surprising finding: The majority of zoombombing—74 percent of those organized on 4chan and 59 percent on Twitter—targeted high school and college classes. 

“Our findings are basically that most of these calls seem to be targeting online classes, and they seem to be called by insiders,” says Stringhini. “Students in the class are bored or want to piss off their lecturer or whatever, so they basically post details of their own classes online and ask people to join and disrupt them.”

Many security measures intended to lock out zoombombers have turned out to be ineffective against that majority of zoombombings initiated by insiders, Stringhini says. Password protection doesn’t help, he points out, when a participant is sharing the password publicly with attackers. Nor does a waiting room for screening entrants into the call; insiders who colluded with zoombombers often shared lists of legitimate invitees in the call to allow attackers to easily impersonate them. “Basically all the defenses that have been proposed against zoombombing assume they’re coming from the outside,” Stringhini says. “But actually the fact that insiders are calling for these attacks calls these mitigations into question.”

Starting in December 2019 through July of 2020 the researchers collected every post they could find on both 4chan and Twitter that seemed to discuss a specific online meeting, tallying 434 4chan threads and more than 12,000 tweets. They then manually analyzed and annotated the results to identify more than 200 instances of users sharing videoconference links and calling for others to swarm and disrupt the call. (Since zoombombing only began in earnest in March of 2020, they focused most of their attention on the four months that followed, when they observed around 50 zoombombs per month across all video conferencing services.)

Stringhini concedes that the zoombombing messages they observed likely represent only a minority of total zoombombings over the time period they studied. Some incidents may have eluded their measurement, such as one-person zoombombings carried out by individual hackers who are able to brute-force guess the URL of a zoom call that’s not password protected—a phenomenon documented as recently as last April. And a larger number of mass zoombombings may be organized on other platforms they didn’t measure, too, such as Discord or IRC, Stringhini notes. But he argues that their dataset should be broadly representative of these attacks, too.

Credit: Source link