Technology & Science

'Zoom-bombing' attacks on video conferencing platform leave victims shaken

Zoom has emerged as an indispensable video conferencing tool for remote work and study during the COVID-19 pandemic, but a growing number of so-called Zoom-bombing incidents is prompting warnings from the FBI and from the victims themselves.

Doctoral candidate says profanity, porn appeared on the screen during his dissertation defence

A series of ‘Zoom-bombings’ have hijacked calls on the video conferencing app with porn and profanity, as more use it to connect with friends, family, work and school. 1:49

Zoom has emerged as an indispensable video conferencing tool for remote work and study as millions of people  are forced to stay home during the COVID-19 pandemic. But a growing number of so-called Zoom-bombing incidents is prompting warnings from the FBI and from the victims themselves.

People participating in meetings and lessons via video conference platforms like Zoom can find their screens hijacked by malicious actors who can put words and images on the screen and in the chat box or create havoc with the audio.  

Dennis Johnson said he was in the middle of a video conference defending his doctoral dissertation — about the struggles of African Americans in California's education system — when he started seeing profanity appear on the screen.

"I'm talking about ... students of colour, specifically black students," said Johnson, 28, in a Skype interview from Long Beach, Calif. " As I'm talking about this, I see a circle on my screen ... then another circle and then I see another shape. It's a penis."

Then he saw letters spelling out the N-word.

Johnson says he froze. Seconds later, pornographic images began appearing all over the shared screen. Eventually, someone on the call was able to remove the uninvited culprit from the group.

WATCH | Dennis Johnson is helpless to stop an online attack during his doctoral defence (graphic images and language have been blurred)

 
Dennis Johnson was helpless to stop a racial slur and pornography appear on screen as he defended a dissertation Mar. 26 in Long Beach, Calif. 1:41

He is the first college graduate in his family, so his mother and 68-year-old grandmother were watching the presentation along with his professors. He says even after he regained his composure and was told he had passed, feelings of sadness replaced what should have been pride.

"I spent three years working on this paper, you know, working on this research," he said. "This moment was taken away from me in front of my family, in front of my friends. I was disrespected on a level that I could never imagine."

Zoom-bombing is becoming more frequent in Canada, as well, with unidentified visitors entering private online meetings and classrooms to spew racial and sexist slurs.

Russ Klein, the head of a Jewish high school in Vancouver, told CBC News that a community gathering the school was hosting on Zoom on Tuesday was infiltrated.

Earlier this week, a 250-guest virtual town hall held by YWCA Canada to discuss the impact of COVID-19 on women was Zoom-bombed as well. 

"They started shouting racial epithets, they shouted the N-word," said YWCA Canada CEO, Maya Roy. "Two YWCA employees were sexually harassed. Comments were made about them in the chat function."

FBI issues warning, tips

The number of incidents, known among security experts as "video teleconferencing (VTC) hijacking," has been alarming enough that it prompted a warning from the FBI earlier this week.

"The best mitigation strategy at this point is just to let a lot of the users know that this is going on, because they're going to be the ones that are able to protect themselves best," Boston-based FBI special agent Doug Domin, who primarily works on cyber cases, told CBC News.

The agency also released a tip sheet that included the following:

  • Keep VTC meetings private by issuing users a password or employing the "waiting room" function, which requires the host to invite each guest individually.
  • Don't share invitation links on social media.
  • Keep software updated to stay on top of any security patches provided by VTC companies.

Response from Zoom

But both Roy and Johnson say they took precautions: Johnson says his faculty used the waiting room function to monitor who was part of the dissertation meeting, and Roy says while the YWCA town hall was promoted on Twitter, joining it was password-protected.

Dennis Johnson, the first college graduate in his family, says the racist Zoom-bombing during his dissertation defence affected him emotionally. (Submitted by Dennis Johnson)

They say Zoom — whose shares have doubled in price since the COVID-19 crisis erupted in January and has experienced record downloads — should take more responsibility.

Johnson started an online petition to compel the VTC company to improve its security features. By Thursday night, it had amassed more than 30,000 signatures.

Zoom, which has already been forced to apologize for not being forthcoming about its security limitations, says it's providing guidance to help virtual classrooms and meetings stay safe. But it hasn't specified any plans to offer additional controls for users to prevent harassment and online attacks.

"We strongly encourage hosts to review their settings, confirm that only the host can share their screen, and utilize features like host mute controls and 'Waiting Room,'" Zoom said in a statement to CBC News.

A report released Friday by the Citizen Lab, a tech and security research group based at the University of Toronto, says there is a "vulnerability" associated with Zoom's "waiting room" function. But no details were provided in the research to ensure hackers don't take advantage of it. Experts at the lab said they're in talks with Zoom to help fix the issue.

The report also says Zoom's encryption, which the company has previously claimed to be "end-to-end" and robust, does not meet industry-standard techniques and is not suitable for confidential communications, such as health appointments or legal meetings.

"If there's a need to discuss confidential or sensitive data over Zoom, I'd recommend potentially to look for another way to do that until Zoom makes the security updates in their app that they've promised," said Bill Marczak, a Califorinia-based senior research fellow at Citizen Lab and co-author of the report.

Marginalized groups a target

Johnson and Roy say Zoom-bombing should be investigated as hate speech because marginalized groups appear to be the main targets.

"Women, people of colour, Jewish community groups and the queer community," said Roy. "The onus shouldn't be on us to protect ourselves against hate online."

While Domin says the FBI is looking into a handful of incidents in Boston, "it's a difficult process to conduct an investigation over borders."

"There's no accountability online," he said.

The FBI also says it's hard to quantify how these types of security invasions can affect people personally, but children in particular who are exposed to graphic material or racist messages in an online classroom, for example, can have a tough time understanding what happened and why.

Johnson says even as an adult, it's been difficult to process his own experience. He says the incident will have a lasting effect.

"Whenever somebody says 'Dr. Dennis Johnson,' I'm going to remember that moment and I'm going to be saddened a little," said Johnson. "But I'm also going to remember that you have to push and you have to continue and don't stop."

About the Author

Zulekha Nathoo

Digital/Broadcast reporter, L.A.

Zulekha Nathoo is a breaking news and entertainment reporter based in Los Angeles. From the Oscars to the Grammys, she's interviewed some of the biggest names in showbiz including Celine Dion and Denzel Washington. She also works on-air covering news events and spent more than a decade at CBC stations across Canada, including Toronto and Calgary. Follow her on Twitter/Instagram: @zulekhanathoo.

Add some “good” to your morning and evening.

A variety of newsletters you'll love, delivered straight to you.

Sign up now

Comments

To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.