When University of California, Los Angeles student Jessica Jackson attended her astronomy course’s first Zoom lecture, she said an interruption from a stranger throwing around racial slurs “was the last thing on anyone’s mind.”
“We had just figured out how to get the lecture going, and someone came in and presented as if they had a question for our professor,” Jackson said. “Our professor took a minute to hear him. Immediately following that, whoever the guy was starting calling [our professor] the n-word.”
These incidents of harassment by uninvited participants — known as “Zoombombing” — have disrupted classes at a number of universities across the country, including Colgate University, Columbia University and the University of Southern California.
The FBI released a statement on March 30 warning of hijacking on video-teleconferencing platforms like Zoom and providing recommendations for prevention. While no cases of Zoombombing have been reported at Dartmouth, the information, technology and consulting team has introduced similar guidelines to protect classes from potential interruptions. Specifically, the guidelines encourage professors to require Dartmouth authentication to join a Zoom meeting, which effectively prevents third-party intrusions. Students should use their Dartmouth Zoom account rather than a personal login, the guidelines advise.
Dartmouth interim senior director of information security Sean McNamara said that Zoombombing also includes intruders who may not be openly disruptive, but join meetings with the hope of obtaining private information.
“If you're a government institution or you're a company and you're discussing really sensitive intellectual property, an attacker might jump onto that meeting and just sit there and listen in,” McNamara said. “They’ll see what they can gather and potentially sell on the black market.”
Because Zoom was first launched in 2011 primarily as a teleconferencing application for businesses, it was “regulated to enterprises” which “don’t create an open environment,” for these attacks, according to vice president of information, technology and consulting Mitchel Davis. He said that, within companies, Zoom links would likely only be distributed internally rather than be made publicly available.
Davis said that, in the midst of the COVID-19 pandemic, Zoom users have jumped to 200 million in the span of two weeks.
“Whenever you have a crisis like we are going through right now, there are people out there who take it as an opportunity to abuse the technology,” McNamara said.
He added that meeting URLs and IDs should be treated “as a password” and only shared to meeting participants, as public listings provide uninvited users an opportunity to join.
“People have gone out and harvested lists of meeting URLs from public websites where people with good intention try to help their peers,” McNamara said. “[Attackers] gather that information and then use it to Zoombomb the meetings.”
Even given the guidelines from ITC, professors have the flexibility to set up class meetings without additional security measures.
“Some of my professors are definitely more worried than others,” Chloe Fugle ’23 said. “My [COSC 10, “Introduction to Object-Oriented Programming”] class has a password, and my first-year seminar professor began using authentication. But my other professors, you can click the link and you’re in.”
Several academic departments, including biology and engineering, currently list Zoom links or Canvas and Google Drive pages with subsequent Zoom information on their websites, access to which requires Dartmouth web authentication. Students also circulated a Google spreadsheet within campus group chats during the add/drop period with Zoom URLs and passwords, which was originally accessible to anyone who had the link.
Because Dartmouth used Zoom for administrative purposes prior to the transition to remote learning, Davis said the College “had a pretty good handle on how [Zoom] worked” and it “wasn’t a big step for us.” Dartmouth currently owns an enterprise license, which has “guaranteed levels of security.” However, McNamara warns against Zoom invitations from users outside Dartmouth, as there’s “no guarantee that a third party would be following the same safety standards.”
Internally, Zoom uses point-to-point encryption, which means that all content is encrypted at the sending client and only decrypted when the information reaches the receiving user.
“You'll hear some claims that the form of encryption that Zoom is using is not necessarily the most secure, but that information is not really accurate,” McNamara said. “With the way that Zoom is architected, someone sitting in the middle of a transmission would not be able to decrypt or receive or understand the contents of a Zoom meeting.”
According to an April 1 press release from Zoom, the company will spend the next 90 days focusing on issues of trust, safety and privacy. Because updates and fixes have been released within a few days, McNamara emphasized the importance of keeping Zoom applications up to date.
“Prevention is our best weapon here,” McNamara said. “When we have the ability to prevent [Zoombombing] from happening by making pretty simple changes … we should really be focusing on that.”