
66 Selected Articles, No. 13: Internet Issues, Zoom and Others

Published: 2020-07-16 10:18:57

Have You Been Zoom Bombed? Here's How to Stop It  

by Nathan Chandler Apr 14, 2020

Like many professors, "Karen Wilson" (not her real name) was teaching a college class online for the first time in late March, since the COVID-19 outbreak had sidelined in-person classes (pushed face-to-face classes aside; sideline vt. to marginalize; to force out). She was using the videoconferencing platform (a service for holding video meetings) Zoom for her presentation.

"Ten minutes into my lecture, I started hearing laughter and giggling (light, silly laughing). Then a voice drops into the classroom asking, 'What class is this?'" she says via email. When Wilson asked what was going on, "a couple of girls answered in unison (/ˈjuːnɪsn/ together, at the same time) that they were supposed to be in a high school online class, and they were confused. They asked a few questions and they promptly (quickly) left."

But things were just getting started.

"A while later, another anonymous (/əˈnɒnɪməs/ unnamed; of unknown identity) person, this time a male, started commenting about smoking marijuana (/ˌmærəˈwɑːnə/ cannabis) and the kind of great weed he'd found last week. Only the audio was heard and he wasn't seen. I asked him to identify himself. When he would not, I asked him to leave which, thankfully, he promptly did."

She says that because she was brand-new (completely new; unused) to Zoom, the experience was confusing and disorienting (causing a loss of one's bearings).

"I wasn't sure where the audio was coming from and thought it might be background noise from one of my students," she says. "If I had been more familiar with Zoom, I would have immediately muted everyone's audio (turned off everyone's sound), but I was a newbie (/ˈnjuːbi/ an internet novice; a new recruit) using it online. I had never considered other people could get the Zoom number and 'drop into' a classroom."

Wilson had just been Zoom bombed. Zoom bombing is shorthand for when strangers intrude on others' meetings on Zoom. Sometimes, these folks might just listen in without anyone knowing they're there. Other times, they totally disrupt the meetings in silly or even threatening ways.

Ultimately, Wilson was lucky. Other victims of Zoom bombing have been subjected to hate speech, profanities (/prəˈfænəti/), threats and pornographic (/ˌpɔːnəˈɡræfɪk/ sexually explicit) images.

But how could someone just "drop into" a private meeting?

"Zoom bombing is nothing more than enumerating different URL combinations in the browser," says Dan Desko, a cybersecurity (network security) expert from accounting firm Schneider Downs, in Columbus, Ohio.

He gives an example: To find a Zoom meeting, you enter the URL Zoom.us/ plus a string of numbers, which serves as the meeting identification number (ID code) (e.g., https://zoom.us/j/55555523222).

"The problem becomes when people don't have their meetings protected by passwords, and just by flipping a couple of numbers," you could potentially get lucky and suddenly enter someone else's meeting, he says. "Now obviously, you'd have to do that at the right time [when] the meeting's taking place," he adds.

Just to test the flaw, he tried it himself. Within just a minute or so, he stumbled onto (found by chance) a legitimate (/lɪˈdʒɪtɪmət/ valid; lawful) meeting ID – but the meeting wasn't happening at that particular moment. "It's technically sort of like wiretapping (secretly listening in on communications) or being able to spy on somebody," says Desko.

But why would Zoom have this particular flaw? It was exposed partly because Zoom exploded exponentially (/ˌekspəˈnenʃəli/ at an exponential rate) in popularity during the coronavirus pandemic, going from 10 million daily users in December 2019 to 200 million daily users in March. The company simply wasn't prepared for the rush of people wanting to use it for classes, meetings and virtual happy hours with friends.

"Zoom is primarily a corporate collaboration tool (a tool for teamwork within companies) that allows people to collaborate without hindrance. Unlike social media platforms, it was not a service that had to engineer ways to manage the bad behavior of users – until now," says David Tuffley, a lecturer in Applied Ethics & SocioTechnical Studies at Griffith University in Australia, in an email interview. "Their user base has grown enormously, and there [is] bound to be bad behavior."

The sudden traffic surge (an abrupt jump in usage) exposed other security flaws (security weaknesses), too, like dark web accounts and lack of encryption (/ɪnˈkrɪpʃn/ encoding data so that outsiders cannot read it). The FBI put out an advisory warning of Zoom bombing on March 30. Some organizations have opted to ban Zoom. Google won't let its employees use it on their laptops. It's all fallout (consequences; aftermath) because Zoom failed to address its flaws (fix its shortcomings) quickly enough, says Desko.

"In information security and cybersecurity, we talk about three things: We talk about confidentiality, integrity and availability," says Desko. People want to keep their meetings (especially in business) extremely confidential (/ˌkɒnfɪˈdenʃl/ adj. secret; private).

Furthermore, he says, the Citizen Lab at the University of Toronto "showed that the encryption technology (methods for encoding data) that Zoom purported to (claimed to; professed to) use wasn't as strong as they say [it was]. They're actually using an encryption technology that was fairly crackable."

It's something, he says, that will take months to fix. (Zoom hopes to do it in the next 90 days.)

And as for integrity?

As Zoom has expanded its server capacity, it has begun to use servers based in China, with Chinese employees. "There are a lot of people calling the confidentiality of the tools into question," Desko says. That's one reason the U.S. Senate asked members to refrain from (hold back from; stop) using Zoom. The Pentagon also followed suit (did the same; imitated) on April 10.

Stopping Zoom Bombing

Since Zoom bombing became a problem, Zoom has changed its default settings (the preset options) so that every meeting is automatically assigned a required password to enter it; also, the "waiting room" feature is now automatically enabled when you set up a meeting. This prevents users from joining a call before they've been screened by you, the host. Finally, the meeting ID code is not shown in the title bar during a Zoom meeting.

 

Desko thinks these measures will go a long way to stopping Zoom bombing. "It's good to keep the meeting ID private so that people can't associate your meeting ID with (associate ... with ...: to connect one thing with another) you or your company," he says. "Or if you are a high-profile person like Boris Johnson, sharing his meeting ID [as he did on a tweet as part of a Zoom screenshot on March 31] was like sharing the address to the bat cave. Even though the bat cave is secure, it is now a specific target. The password is then key to keeping the meeting secure."

 

He adds that "If you want to be super-secure you should change up your meeting ID with every call and password too. There is a setting to generate (produce; create) a new meeting ID automatically and you can also set the password personally as well."

At the very least, make sure that Zoom's new security features have actually been enabled on the meetings you're setting up.

"If you have a [recurring] meeting set up already that used the old default, you have to go back into Zoom and update those," says Desko. "That's easy enough to do."

Another way to prevent outsiders from hijacking (hijack: to seize control of) your meeting is to make the "share screen" option only available to the host. You also can mute the microphones of everyone but the host or the speaker and lock the meeting when everyone has joined to prevent break-ins. These features can be done on the Zoom toolbar. And finally, don't post a public link to your meeting that may invite unwanted guests to try to enter.
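
The checklist above can be applied to a whole list of scheduled meetings at once. The following is an added example, not part of the original article and not Zoom's own code: it audits constructed meeting records against the recommendations in this section, and the `Meeting` field names are assumptions made for the example rather than Zoom's API schema.

```python
from dataclasses import dataclass

@dataclass
class Meeting:
    # Field names are assumptions made for this example, not Zoom's API schema.
    topic: str
    password: str = ""            # empty string: no password required
    waiting_room: bool = False    # host screens each participant before entry
    reuses_id: bool = True        # same meeting ID used for every call
    share_host_only: bool = False
    mute_on_entry: bool = False
    recurring: bool = False
    link_public: bool = False     # join link posted somewhere public

def audit(m):
    """Return the recommendations from the article that this meeting misses."""
    findings = []
    if not m.password:
        findings.append("set a password")
    if not m.waiting_room:
        findings.append("enable the waiting room")
    if m.recurring and (not m.password or not m.waiting_room):
        findings.append("recurring meeting still on the old defaults: update it")
    if m.reuses_id:
        findings.append("generate a new meeting ID per call")
    if not m.share_host_only:
        findings.append("restrict screen sharing to the host")
    if not m.mute_on_entry:
        findings.append("mute participants on entry")
    if m.link_public:
        findings.append("stop posting the join link publicly")
    return findings

def open_to_strangers(m):
    """True when knowing or guessing the ID is enough to get in unscreened."""
    return not m.password and not m.waiting_room

# Constructed sample data.
MEETINGS = [
    Meeting("Board call", password="k7#Vq2", waiting_room=True, reuses_id=False,
            share_host_only=True, mute_on_entry=True),
    Meeting("Weekly lecture", recurring=True, link_public=True),
]

def report(meetings):
    # Worst first: meetings a stranger could enter directly, then by finding count.
    ranked = sorted(meetings, key=lambda m: (not open_to_strangers(m), -len(audit(m))))
    return [(m.topic, open_to_strangers(m), audit(m)) for m in ranked]

if __name__ == "__main__":
    for topic, exposed, findings in report(MEETINGS):
        print(topic, "OPEN" if exposed else "gated", findings)
```

A recurring meeting with neither a password nor a waiting room is ranked first because it matches the case Desko describes: it was created under the old defaults and stays exposed until someone updates it.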

NOW THAT'S INTERESTING

Zoom has shouldered an incredible amount of bad press for its shortcomings during the pandemic. But other conferencing tools (like Skype, Webex and Google Hangout) have security issues, too – so no matter which software you choose, don't make any assumptions (suppose anything without proof) about the privacy of your online meetings. Use some of the same tips we gave you for Zoom to make your other types of virtual meetings secure.


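(多道尚知 statement: this article comes from https://computer.howstuffworks.com/zoom-bombing.htm and is used for learning purposes only; if it infringes any rights, please notify us and it will be deleted immediately.)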
