Why ‘Inside Job’ zoombombs are so hard to stop


When Covid-19 spread globally last spring, it made Zoom an instant household name. But while the video conferencing platform offered a lifeline to socially distanced people, it quickly suffered rampant intrusions from trolls who crashed Zoom calls to curse at attendees, shout racist slurs and display obscene images. Even after Zoom password-protected calls by default, so-called zoombombing continued. Now a team of researchers has an answer as to why so many measures to secure Zoom calls haven't stopped the plague: in many cases, if not most of them, the real culprit is someone on the inside.

At the USENIX Enigma Security Conference today, Boston University computer scientist Gianluca Stringhini plans to present the results of the research he and a team from BU and Binghamton University conducted over the past year to get to the root of the zoombombing plague, which affects not only Zoom but also other video conferencing services like Cisco WebEx and Google Meet. Stringhini and his fellow researchers, who specialize in how online communities coordinate malicious activity, monitored the organization of mass zoombombings on Twitter and 4chan during 2020.

Their results point to a startling conclusion: the majority of zoombombing cases the researchers observed started with a participant in the call posting the link publicly and calling on trolls and miscreants to attack it. Seventy percent of the zoombombing calls the researchers found on 4chan and 82% on Twitter appeared to be this kind of inside job. The phenomenon is partly explained by another, less surprising finding: the majority of zoombombings – 74% of those organized on 4chan and 59% on Twitter – targeted high school and middle school classes.

“Our findings are basically that most of these calls seem to be targeting online courses, and they appear to be called by insiders,” Stringhini says. “The students in the class are bored or want to piss off their teacher or whatever, so they’re basically posting details of their own lessons online and asking people to join in and disrupt them.”

Many security measures intended to lock out zoombombers have proven ineffective against this majority of insider-initiated zoombombings, Stringhini says. Password protection doesn’t help, he points out, when a participant publicly shares the password with attackers. Nor does a waiting room that screens participants joining the call: insiders who colluded with zoombombers often shared lists of the call's legitimate guests to make it easy for attackers to impersonate them. “Basically all of the defenses that have been proposed against zoombombing assume that they come from the outside,” Stringhini explains. “But in fact, the fact that insiders are calling for these attacks calls these mitigations into question.”

From December 2019 to July 2020, the researchers collected any posts they could find on 4chan and Twitter that appeared to be discussing a specific online meeting, counting 434 4chan threads and more than 12,000 tweets. They then analyzed and manually annotated the results to identify over 200 instances of users sharing video conferencing links and calling on others to invade and disrupt the call. (Since zoombombing didn’t really start until March 2020, they focused most of their attention on the next four months, when they saw around 50 zoombombings per month across all video conferencing services.)

Stringhini admits that the zoombombing posts they observed probably represented only a minority of the total zoombombings during the period studied. Some incidents may have escaped their notice, such as one-person zoombombings carried out by individual hackers who can brute-force guess the URL of a Zoom call that is not password protected, a phenomenon documented as recently as last April. And more mass zoombombings may be organized on other platforms they haven’t measured, like Discord or IRC, Stringhini notes. But he argues that their dataset should still be broadly representative of these attacks.
