Like many professors, Karen Wilson (not her real name) was teaching a college class online for the first time in late March, since the COVID-19 outbreak had sidelined in-person classes. She was using the videoconferencing platform Zoom for her presentation.
"Ten minutes into my lecture, I started hearing laughter and giggling. Then a voice drops into the classroom asking, 'What class is this?'" she says via email. When Wilson asked what was going on, "a couple of girls answered in unison that they were supposed to be in a high school online class, and they were confused. They asked a few questions and they promptly left."
But things were just getting started.
"A while later, another anonymous person, this time a male, started commenting about smoking marijuana and the kind of great weed he'd found last week. Only the audio was heard and he wasn't seen. I asked him to identify himself. When he would not, I asked him to leave which, thankfully, he promptly did."
She says that because she was brand-new to Zoom, the experience was confusing and disorienting.
"I wasn't sure where the audio was coming from and thought it might be background noise from one of my students," she says. "If I had been more familiar with Zoom, I would have immediately muted everyone's audio, but I was a newbie using it online. I had never considered other people could get the Zoom number and 'drop into' a classroom."
Wilson had just been Zoom bombed. Zoom bombing is shorthand for when strangers intrude on others' meetings on Zoom. Sometimes, these folks might just listen in without anyone knowing they're there. Other times, they totally disrupt the meetings in silly or even threatening ways.
Ultimately, Wilson was lucky. Other victims of Zoom bombing have been subjected to hate speech, profanities, threats and pornographic images.
But how could someone just "drop into" a private meeting?
"Zoom bombing is nothing more than enumerating different URL combinations in the browser," says Dan Desko, a cybersecurity expert from accounting firm Schneider Downs, in Columbus, Ohio.
He gives an example: To join a Zoom meeting, you open a URL on zoom.us whose last path element is the numeric meeting ID (e.g., https://zoom.us/j/55555523222). Meeting IDs are 9 to 11 digits long, and the ID alone is enough to locate the meeting.
"The problem becomes when people don't have their meetings protected by passwords, and just by flipping a couple of numbers," you could potentially get lucky and suddenly enter someone else's meeting, he says. "Now obviously, you'd have to do that at the right time [when] the meeting's taking place," he adds.
Just to test the flaw, he tried it himself. Within just a minute or so, he stumbled onto a legitimate meeting ID – but the meeting wasn't happening at that particular moment. "It's technically sort of like wiretapping or being able to spy on somebody," says Desko.
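The enumeration Desko describes works because a numeric meeting ID is a locator, not a secret: if no passcode is set, anyone who lands on a live ID is admitted. The following Go program is an added model of that join check, written for this article and not Zoom's code; the directory, the 5-digit ID space (real IDs are 9 to 11 digits) and the live-meeting counts are constructed assumptions. It enumerates the whole space against two directories, one with no passcodes and one with passcodes, and also computes the expected number of random guesses needed to hit a live, open meeting at real scale.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"math"
)

// Meeting is a constructed stand-in for a scheduled meeting. This is a model
// of the server-side join check, not Zoom's real service.
type Meeting struct {
	Live     bool   // whether the meeting is in progress right now
	Passcode string // empty means "no passcode required"
}

// Directory maps numeric meeting IDs to meetings. Real IDs are 9-11 digits;
// this model uses a 5-digit space (assumption) so enumeration runs instantly.
type Directory map[int]Meeting

const idSpace = 100000 // 5-digit IDs: 00000-99999 (assumption for the model)

// Join is the join check. Without a passcode, knowing the ID alone admits the
// caller; with one, the ID is only a locator and the passcode is the secret.
// The passcode comparison is constant-time so its check leaks no timing.
func (d Directory) Join(id int, passcode string) bool {
	m, ok := d[id]
	if !ok || !m.Live {
		return false
	}
	if m.Passcode == "" {
		return true
	}
	return subtle.ConstantTimeCompare([]byte(m.Passcode), []byte(passcode)) == 1
}

// Enumerate walks every ID in the space, as the article describes, trying to
// join each one with no passcode. It returns how many meetings were entered.
func Enumerate(d Directory) int {
	hits := 0
	for id := 0; id < idSpace; id++ {
		if d.Join(id, "") {
			hits++
		}
	}
	return hits
}

// ExpectedGuesses is the average number of random IDs an intruder must try
// before landing on a live, unprotected meeting: |ID space| / live open meetings.
func ExpectedGuesses(space, liveOpen float64) float64 {
	if liveOpen <= 0 {
		return math.Inf(1)
	}
	return space / liveOpen
}

// NewDirectory builds a constructed directory of n live meetings at evenly
// spaced IDs, all using the given passcode ("" for none).
func NewDirectory(n int, passcode string) Directory {
	d := Directory{}
	step := idSpace / n
	for i := 0; i < n; i++ {
		d[i*step+7] = Meeting{Live: true, Passcode: passcode}
	}
	return d
}

func main() {
	open := NewDirectory(50, "")
	locked := NewDirectory(50, "x7Gq2p") // constructed passcode
	fmt.Printf("open meetings entered by enumeration:   %d\n", Enumerate(open))
	fmt.Printf("locked meetings entered by enumeration: %d\n", Enumerate(locked))
	// Real scale, with assumed figures: 10^10 possible 10-digit IDs and
	// (assumption, for illustration only) one million unprotected meetings live at once.
	fmt.Printf("expected random guesses at real scale: %.0f\n", ExpectedGuesses(1e10, 1e6))
}
```

The point of the last figure is that the size of the ID space does not rescue an unprotected meeting: the more meetings are live at once, the cheaper a random guess becomes, which is why Desko hit a real ID within about a minute. A passcode (or a waiting room) moves the secret out of the URL.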
But why would Zoom have this particular flaw? It was exposed partly because Zoom's popularity grew explosively during the coronavirus pandemic, going from about 10 million daily meeting participants in December 2019 to more than 200 million in March. The company simply wasn't prepared for the rush of people wanting to use it for classes, meetings and virtual happy hours with friends, nor for a design built for trusted corporate use being opened to the public.
"Zoom is primarily a corporate collaboration tool that allows people to collaborate without hindrance. Unlike social media platforms, it was not a service that had to engineer ways to manage the bad behavior of users – until now," says David Tuffley, a lecturer in Applied Ethics & SocioTechnical Studies at Griffith University in Australia, in an email interview. "Their user base has grown enormously, and there [is] bound to be bad behavior."
The sudden traffic surge exposed other security problems, too, such as Zoom account credentials being offered for sale on the dark web and encryption that fell short of what the company advertised. The FBI put out an advisory warning of Zoom bombing on March 30. Some organizations have opted to ban Zoom. Google won't let its employees use it on their laptops. It's all fallout because Zoom failed to address its flaws quickly enough, says Desko.
"In information security and cybersecurity, we talk about three things: We talk about confidentiality, integrity and availability," says Desko. People want to keep their meetings (especially in business) extremely confidential.
Furthermore, he says, the Citizen Lab at the University of Toronto "showed that the encryption technology that Zoom purported to use wasn't as strong as they say [it was]. They're actually using an encryption technology that was fairly crackable."
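What Citizen Lab actually reported (a detail the article doesn't spell out) was that Zoom's client encrypted meeting audio and video with AES-128 in ECB mode. The weakness is not the key length but the mode: ECB encrypts every 16-byte block independently, so identical input blocks produce identical ciphertext blocks and the structure of the stream shows through. The following Go program is an added illustration, not Zoom's code; the key and the sample "media" are constructed. It encrypts the same repetitive sample with ECB and with AES-GCM (the authenticated, nonce-based mode a modern design would use) and counts repeated ciphertext blocks in each.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// EncryptECB applies AES block by block with no chaining, the mode Citizen Lab
// found in Zoom's client. The input must be a whole number of 16-byte blocks.
func EncryptECB(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	bs := block.BlockSize()
	if len(plaintext)%bs != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(plaintext), bs)
	}
	out := make([]byte, len(plaintext))
	for i := 0; i < len(plaintext); i += bs {
		block.Encrypt(out[i:i+bs], plaintext[i:i+bs])
	}
	return out, nil
}

// EncryptGCM is the contrasting authenticated mode. A fresh random nonce per
// message is prepended to the output; equal plaintext blocks no longer yield
// equal ciphertext blocks, and the tag detects tampering.
func EncryptGCM(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// RepeatedBlocks counts 16-byte ciphertext blocks that duplicate an earlier
// block. Under ECB this mirrors repetition in the plaintext; under a properly
// nonced mode it should be zero.
func RepeatedBlocks(ct []byte) int {
	seen := map[[16]byte]bool{}
	dups := 0
	for i := 0; i+16 <= len(ct); i += 16 {
		var b [16]byte
		copy(b[:], ct[i:i+16])
		if seen[b] {
			dups++
		}
		seen[b] = true
	}
	return dups
}

// Sample is a constructed stand-in for a media stream with repeating content:
// 64 identical 16-byte blocks, the way silence or a static frame repeats.
func Sample() []byte {
	return bytes.Repeat([]byte("SILENT-FRAME-16B"), 64)
}

func main() {
	key := []byte("0123456789abcdef") // constructed 128-bit key, illustration only
	ecb, err := EncryptECB(key, Sample())
	if err != nil {
		panic(err)
	}
	gcm, err := EncryptGCM(key, Sample())
	if err != nil {
		panic(err)
	}
	fmt.Printf("ECB: %d of %d ciphertext blocks repeat an earlier block\n", RepeatedBlocks(ecb), len(ecb)/16)
	fmt.Printf("GCM: %d repeated blocks\n", RepeatedBlocks(gcm))
}
```

With 64 identical plaintext blocks, ECB produces 63 repeats: an eavesdropper who cannot recover the key can still see where the stream is silent, where frames repeat, and where they change. That pattern leakage, rather than any break of AES itself, is what the report meant by the encryption being weaker than claimed.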
And as for integrity?
As Zoom has expanded its server capacity, it has begun routing some meetings through servers based in China, and the company has long had engineering staff there; Citizen Lab's report found that encryption keys for some meetings with no Chinese participants were delivered from servers in China. "There are a lot of people calling the confidentiality of the tools into question," Desko says. That's one reason the U.S. Senate asked members to refrain from using Zoom. The Pentagon also followed suit on April 10.