Like many professors, "Karen Wilson" (not her real name) was teaching a college class online for the first time in late March, since the COVID-19 outbreak had sidelined in-person classes. She was using the videoconferencing platform Zoom for her presentation.
"Ten minutes into my lecture, I started hearing laughter and giggling. Then a voice drops into the classroom asking, 'What class is this?'" she says via email. When Wilson asked what was going on, "a couple of girls answered in unison that they were supposed to be in a high school online class, and they were confused. They asked a few questions and they promptly left."
But things were just getting started.
"A while later, another anonymous person, this time a male, started commenting about smoking marijuana and the kind of great weed he'd found last week. Only the audio was heard and he wasn't seen. I asked him to identify himself. When he would not, I asked him to leave which, thankfully, he promptly did."
She says that because she was brand-new to Zoom, the experience was confusing and disorienting.
"I wasn't sure where the audio was coming from and thought it might be background noise from one of my students," she says. "If I had been more familiar with Zoom, I would have immediately muted everyone's audio, but I was a newbie using it online. I had never considered other people could get the Zoom number and 'drop into' a classroom."
Wilson had just been Zoom bombed. Zoom bombing is shorthand for when strangers intrude on others' meetings on Zoom. Sometimes, these folks might just listen in without anyone knowing they're there. Other times, they totally disrupt the meetings in silly or even threatening ways.
Ultimately, Wilson was lucky. Other victims of Zoom bombing have been subjected to hate speech, profanities, threats and pornographic images.
But how could someone just "drop into" a private meeting?
"Zoom bombing is nothing more than enumerating different URL combinations in the browser," says Dan Desko, a cybersecurity expert from accounting firm Schneider Downs, in Columbus, Ohio.
He gives an example: To find a Zoom meeting, you enter the URL Zoom.us/ plus a string of numbers, which serves as the meeting identification number (e.g., https://zoom.us/j/55555523222).
"The problem becomes when people don't have their meetings protected by passwords, and just by flipping a couple of numbers," you could potentially get lucky and suddenly enter someone else's meeting, he says. "Now obviously, you'd have to do that at the right time [when] the meeting's taking place," he adds.
Just to test the flaw, he tried it himself. Within just a minute or so, he stumbled onto a legitimate meeting ID – but the meeting wasn't happening at that particular moment. "It's technically sort of like wiretapping or being able to spy on somebody," says Desko.
But why would Zoom have this particular flaw? It was exposed partly because Zoom exploded exponentially in popularity during the coronavirus pandemic, going from 10 million daily users in December 2019 to 200 million daily users in March. The company simply wasn't prepared for the rush of people wanting to use it for classes, meetings and virtual happy hours with friends.
"Zoom is primarily a corporate collaboration tool that allows people to collaborate without hindrance. Unlike social media platforms, it was not a service that had to engineer ways to manage the bad behavior of users – until now," says David Tuffley, a lecturer in Applied Ethics & SocioTechnical Studies at Griffith University in Australia, in an email interview. "Their user base has grown enormously, and there [is] bound to be bad behavior."
The sudden traffic surge exposed other security flaws, too, like dark web accounts and lack of encryption. The FBI put out an advisory warning of Zoom bombing on March 30. Some organizations have opted to ban Zoom. Google won't let its employees use it on their laptops. It's all fallout because Zoom failed to address its flaws quickly enough, says Desko.
"In information security and cybersecurity, we talk about three things: We talk about confidentiality, integrity and availability," says Desko. People want to keep their meetings (especially in business) extremely confidential.
Furthermore, he says, the Citizen Lab at the University of Toronto "showed that the encryption technology that Zoom purported to use wasn't as strong as they say [it was]. They're actually using an encryption technology that was fairly crackable."
It's something, he says, that will take months to fix. (Zoom hopes to do it in the next 90 days.)
And as for integrity?
As Zoom has expanded its server capacity, it has begun to use servers based in China, with Chinese employees. "There are a lot of people calling the confidentiality of the tools into question," Desko says. That's one reason the U.S. Senate asked members to refrain from using Zoom. The Pentagon also followed suit on April 10.
Stopping Zoom Bombing
Since Zoom bombing became a problem, Zoom has changed its default settings so that every meeting is automatically assigned a required password to enter it; also, the "waiting room" feature is now automatically enabled when you set up a meeting. This prevents users from joining a call before they've been screened by you, the host. Finally, the meeting ID code is not shown in the title bar during a Zoom meeting.
Desko thinks these measures will go a long way to stopping Zoom bombing. "It's good to keep the meeting ID private so that people can't associate your meeting ID with you or your company," he says. "Or if you are a high-profile person like Boris Johnson, sharing his meeting ID [as he did on a tweet as part of a Zoom screenshoton March 31] was like sharing the address to the bat cave. Even though the bat cave is secure, it is now a specific target. The password is then key to keeping the meeting secure."
He adds that "If you want to be super-secure you should change up your meeting ID with every call and password too. There is a setting to generate a new meeting ID automatically and you can also set the password personally as well."
At the very least, make sure that Zoom's new security features have actually been enabled on the meetings you're setting up.
"If you have a [recurring] meeting set up already that used the old default, you have to go back into Zoom and update those," says Desko. "That's easy enough to do."
Another way to prevent outsiders from hijacking your meeting is to make the "share screen" option only available to the host. You also can mute the microphones of everyone but the host or the speaker and lock the meeting when everyone has joined to prevent break-ins. These features can be done on the Zoom toolbar. And finally, don't post a public link to your meeting that may invite unwanted guests to try to enter.