What is zoombombing or video conference bombing?

Posted by Greten on 21 Dec 2020 under Terms

Video conference bombing, more commonly known as zoombombing, is an unpleasant practice in which an uninvited user gatecrashes a video conference and performs inappropriate actions that disrupt the meeting.

Such actions can be subtle, such as posting expletives in chat (when most of the interactions happen through voice) or setting up the virtual background to display offensive images. They can also be blatant, such as using the annotation tools to write offensive messages or the share screen function to display pornographic materials.

Zoombombing is the more popular term, but I will use the term video conference bombing or just "bombing" because these disruptions happen not only in Zoom but also in other video conferencing applications such as Google Meet and Microsoft Teams. Moreover, I disdain genericized trademarks.

With the ongoing Wuhan virus (COVID-19) pandemic, learning institutions and the students enrolled in them use video conferencing applications to conduct virtual classes. Companies use video conferencing applications mainly for team meetings and also to conduct instructor-led trainings.

Why would trolls bomb video conferencing?

Most of the trolls are kids, teenagers, or young adults who are being mischievous. As with most trolling, the aim is to do something that can trigger a reaction and then watch how people react. Trolls used to thrive in public forums and chatrooms, but video conferences are a green pasture where trolls can get their kicks.

Forums and online chats require registration, and thus, banning might work on some trolls. Moreover, forums and online chats are online communities, and some trolls may develop a sense of belonging to that community. However, video conferences are ephemeral, and their attendees are people who know one another in real life. The threat of banning will not work on any intruders, and they cannot form any sense of belongingness among people who personally know one another.

In a virtual class, a student or a group of students themselves can bomb the video conference, but this is unlikely because teachers can deal with them like any misbehaving student in a physical classroom. Light, mischievous behavior can be dealt with by restricting access to video conference functions, disabling the video, or muting the student. Repeated and severe offensive behavior (such as broadcasting sexually explicit materials) can lead to suspension or expulsion. Fortunately, I haven't heard of a student who had a one-on-one video conference with the principal due to behavior issues. (If you have, please let us know in the comment section.)

A more common scenario in a virtual class bombing is for mischievous students to bomb classes that are not their own. If their class is in the morning, they have time to bomb virtual classes in the afternoon.

One possible motivation for video conference bombing is that people are becoming more bored with extended stays at home and are looking for some excitement.

How can online trolls enter a virtual classroom?

Access to virtual classrooms is sent to students in private, usually through emails or private chat rooms. Thus, it's a wonder how anyone who is not part of the class can gatecrash. Some of the ways online trolls can discover online classes that they can bomb are as follows.

Guessing the URL code

Zoom meetings have URLs with the following format [1]:

https://us02web.zoom.us/j/nnnnnnnnnnn
(11-digit number)

Google Meet meetings have URLs with the following format:

https://meet.google.com/xxx-yyyy-zzz
(10-letter string; x, y, and z are any lowercase letters)

With these URL formats, online trolls can try different combinations and see if one of them matches an existing or ongoing online meeting. The process seems tedious, but we're talking about bored people who have plenty of time on their hands. Moreover, they can automate the process using brute force attacks.

In the 90s and early 2000s, there was a hacking method called the brute force attack. A brute force attack works by entering different combinations of possible passwords in the password field at a very fast rate using a software application that the attacker either developed or obtained from another attacker. The longer the password, the longer it takes to crack it using a brute force attack. Most online accounts that require passwords have protections against brute force attacks, such as locking the account after a certain number of incorrect log-in attempts. [2]

It's not too hard to imagine that the software programs used to launch brute force attacks on passwords can be repurposed to find Zoom and Google Meet video conferences instead. Unlike passwords, which can be of any length and may include letters, numbers, and special characters, Zoom and Google Meet URLs have limitations: an 11-digit number for Zoom and a 10-letter string for Google Meet; these combinations are all that a brute force attacker needs to try. Also, Zoom and Google Meet are quick to provide feedback if no meeting matched the URL, and they do not lock people out for a certain number of incorrect URLs or meeting codes. Google Meet requires an existing Google account, but it will ask only if no meeting matched the Google Meet URL you entered. Meanwhile, Zoom does not require a Zoom account to attend a meeting and is thus more vulnerable to brute force attacks.

Virtual classes conducted through Microsoft Teams seem to be the least vulnerable to video conference bombers' brute force attacks. However, they're not entirely immune to video conference bombing.
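The paragraphs above point out that a wrong meeting code gets quick feedback and no lockout. The sketch below is an added example, not code from Zoom, Google Meet, or this post: a service-side throttle that locks out a client after repeated failed meeting-code lookups, the same protection password forms use. The class name, thresholds, client labels, and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque


class LookupThrottle:
    """Lock out a client after too many failed meeting-code lookups in a window."""

    def __init__(self, max_failures=5, window_s=60, lockout_s=300):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self._failures = defaultdict(deque)  # client -> times of recent misses
        self._locked_until = {}              # client -> time the lockout ends

    def allowed(self, client, now):
        return now >= self._locked_until.get(client, 0)

    def record(self, client, now, found):
        """Record one lookup; return True if this miss triggers a lockout."""
        if found:
            return False
        misses = self._failures[client]
        misses.append(now)
        # Forget misses that have aged out of the sliding window.
        while misses and now - misses[0] > self.window_s:
            misses.popleft()
        if len(misses) >= self.max_failures:
            self._locked_until[client] = now + self.lockout_s
            misses.clear()
            return True
        return False


def replay(events, throttle):
    """Replay (time, client, code_found) events; return one decision per event."""
    decisions = []
    for now, client, found in events:
        if not throttle.allowed(client, now):
            decisions.append("rejected")  # answered without checking the code
            continue
        locked = throttle.record(client, now, found)
        decisions.append("locked" if locked else "joined" if found else "not_found")
    return decisions


# Constructed sample: a student mistypes once, another client guesses rapidly.
EVENTS = [
    (0, "student", False),
    (1, "guesser", False), (2, "guesser", False), (3, "guesser", False),
    (4, "guesser", False), (5, "guesser", False), (6, "guesser", False),
    (20, "student", True),
    (400, "guesser", False),
]

if __name__ == "__main__":
    for event, decision in zip(EVENTS, replay(EVENTS, LookupThrottle())):
        print(event, decision)
```

A per-client limit only slows guessing down; host admission through a waiting room, covered later in this post, still decides who actually gets in.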

Inside job

Students usually do not video conference bomb a virtual class that they attend. Teachers require their students to use their real name, or real first names, to enter the video conference, and thus, any trolling activity they do is easy to attribute to them. If they try to use an alias to troll their own class, the teacher can mark them as absent because their real name is not seen among the attendees.

However, nothing prevents two or more bored and mischievous students who do not belong to the same class from exchanging meeting URLs to bomb each other's classes. To make the situation worse, there are students who want to make their online class more exciting by posting their meeting URLs on social media and explicitly inviting online trolls to bomb them. [3]

Meeting URLs posted on public webpages

Some schools post meeting URLs to webpages or social media pages where everyone can see them, not just their students. For example, a school posts the meeting URLs of its classes on its Facebook page for the students to see; it's just that the post is set to public. Some schools may also use their school websites to provide links to online classes on web pages indexable by search engines.

Try to search the following in Google (include the quotes):

"us02web.zoom.us/j"

"meet.google.com/q" (you can replace q with any other letter)

"teams.microsoft.com/_#"

You will see a handful of meeting URLs, with many of them connected to schools if not outright virtual classes. These virtual classes are easy for online trolls to gatecrash unless there are additional security measures in place.

We cannot really blame these schools if their meeting URLs are exposed for the world to see. After all, when the pandemic came, most schools were rushing to set up online learning facilities. Where to post announcements was probably the lowest priority on their minds. However, if you're a teacher reading this entry, now that you know, you should inform your school to provide meeting URLs in a secure manner. The next section discusses the different ways of minimizing the risk of video conference bombing.
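For a school that wants to check its own published pages before a search engine indexes them, here is an added example (not part of the original post) that scans page text for the meeting URL formats described earlier. The sample pages and meeting codes are constructed; accepting 9 to 11 digits for Zoom and matching any teams.microsoft.com link are assumptions.

```python
import re

# Patterns follow the URL formats described in this post.
# Assumptions: Zoom IDs of 9 to 11 digits are accepted (the post describes 11),
# and any teams.microsoft.com link is reported.
PATTERNS = {
    "zoom": re.compile(r"https?://(?:[a-z0-9-]+\.)?zoom\.us/j/\d{9,11}\b", re.I),
    "google_meet": re.compile(
        r"https?://meet\.google\.com/[a-z]{3}-[a-z]{4}-[a-z]{3}\b", re.I
    ),
    "teams": re.compile(r"https?://teams\.microsoft\.com/[^\s\"'<>]+", re.I),
}


def find_exposed_links(pages):
    """Scan your own pages for meeting links.

    pages maps a page name to its HTML or text. Returns a sorted list of
    (page, line_number, service, url) tuples, one per distinct finding.
    """
    findings = set()
    for name, text in pages.items():
        for line_no, line in enumerate(text.splitlines(), start=1):
            for service, pattern in PATTERNS.items():
                for match in pattern.finditer(line):
                    findings.add((name, line_no, service, match.group(0)))
    return sorted(findings)


# Constructed sample of a school's public pages (meeting codes are made up).
SAMPLE_PAGES = {
    "announcements.html": (
        "<h1>Class schedule</h1>\n"
        '<p>Grade 7 Science: <a href="https://us02web.zoom.us/j/12345678901">join</a></p>\n'
        "<p>Grade 8 Math: https://meet.google.com/abc-defg-hij</p>\n"
    ),
    "contact.html": "<p>Email the registrar for class links.</p>\n",
}

if __name__ == "__main__":
    for page, line_no, service, url in find_exposed_links(SAMPLE_PAGES):
        print(f"{page}:{line_no}: {service} link is public: {url}")
```

Any link this reports should be moved behind a login or sent to learners directly, and the meeting it points to should be rescheduled with a new code.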

I don't see many company trainings posted on public pages. Companies usually have IT personnel or an entire department who advise them on making their online meetings and virtual trainings more secure.

How to protect your virtual classrooms from video conference bombing?

As a teacher or facilitator of your virtual classroom, here are some of the things that you can do to minimize the risk of having your video conference bombed:

  • Assign functions that everyone can immediately see, such as screen sharing and annotation, to yourself alone. Depending on the video conferencing application you are using, this may or may not be the default. If it's not the default, configure your settings.
  • Do not share meeting URLs in a location where anyone other than your learners can see, such as the publicly accessible school website. Send the URLs to your students' emails or mobile phones, or post them on a web page that requires a username and a password, such as an LMS.
  • Require all learners to use their real names. Depending on the size of the class, you may decide to let them use their first names only. This requirement helps you point out if everyone is a legitimate learner or if gatecrashers managed to sneak in.
  • Set up the meeting such that you need to let the learners in before they can join the virtual classroom; this is the default setup in Google Meet and Microsoft Teams, while Zoom allows you to do this by setting up a Waiting Room.
  • Disable the video and question those who are showing offensive images in their videos.
  • Regularly check the chat. Some students are shy to speak, and they might ask questions using it. You also need to check if anyone is posting offensive messages.

Conclusion

The pandemic turns everything, including our education system and corporate trainings. While virtual classes and virtual instructor-led trainings provided solutions that can let us learn while staying safe, they come with their own challenges, such as video conference bombing. Fortunately, most video conferencing applications come with tools and features that can minimize these challenges' impact on the learning experience.

References

  1. Tuffley D. (2020) "'Zoombombers' want to troll your online meetings. Here's how to stop them", The Conversation, retrieved 20 December 2020
  2. Shankdhar P. (2020) "Popular tools for brute-force attacks", Infosec Resources, retrieved 21 December 2020
  3. Conklin A. (2020) "'Zoombombing' is an inside job? Meeting codes shared on Twitter", Fox Business, retrieved 20 December 2020

Last updated on 05 Jan 2021.