‘Zoombombing,’ an early university concern, continues to plague campuses
The threat of uninvited users crashing online meetings and lectures was the top security concern when the pandemic forced professors to adopt online learning last year, according to one of Cornell University’s technology directors.
Christopher Hufnagel, an IT director leading a team of about 35 technology employees at Cornell’s agriculture and life sciences college, said Tuesday that controlling rumors and educating faculty on how to use new tools, like Zoom, was one of the most important IT security tasks for the university.
“Using Zoom and ‘Zoombombing’ was probably one of our biggest concerns and one of our main focuses as we first went remote,” Hufnagel said during an online event hosted on Tuesday by the higher education technology magazine Campus Technology.
Rumors circulated about which platforms faculty would be forced to use, he said, and educating users on the university’s technology plans, along with how to avoid Zoombombing, consumed much of his time.
Reports of Zoombombing, which often involve the unwanted guests shouting and typing racist or homophobic comments, have been consistent since universities began adopting the video conferencing tool in greater numbers last year. Incidents have been reported at dozens of universities over the past year, including an interruption of Pennsylvania State University’s Black Caucus last January, when more than 50 users screamed obscenities into their microphones, played loud music or exposed themselves.
Gerard Au, the deputy chief information officer and chief information security officer at California State University, San Bernardino said during the event his university was Zoombombed early in the pandemic and that he’s seen an uptick again recently.
“Even as recently as some of our recent Black History Month events, as well,” Au said. “It has not subsided.”
In some cases, Au said, the perpetrators had malicious intent and a clear plan, while others were merely trying to cause mischief. Being part of a 23-campus state university system, though, provided CSU San Bernardino with an additional method to track down interlopers.
“We have taken efforts in correlating login events with those sister campuses to try and see if those perpetrators that were coming from certain IP addresses had security events on some of the other campuses,” Au said.
As with most IT security issues, general information on how to avoid these types of incidents is widespread; many universities have standing websites with advice on how to avoid such interruptions, while Zoom itself has provided continual updates since the trend kicked off early last year. Cornell provides advice on default settings for Zoom, while Penn State releases reminders every few weeks and has gone as far as offering one-on-one consultations for staff and students specifically to address the issue.
Aside from disrupting many student-led events and undermining the inclusive atmospheres that many universities seek to foster, the prevalence these interruptions has also limited the ability of event organizers to publicize their activities. Many schools, including Penn State, now discourage organizers from posting event links on social media, which can have the effect of driving down legitimate participation.
According to recent research out of Binghamton University, most Zoombombing incidents are perpetrated by “insiders who have legitimate access to these meetings, particularly students in high school and college classes.” And the usual advice on deterrence, such as using Zoom’s waiting room function, isn’t effective, the researchers said.
“Some of the measures that people would think stops Zoombombing — such as requiring a password to enter a class or meeting — did not deter anybody,” said Jeremy Blackburn, an assistant professor at Binghamton’s computer science college who led the work. “Posters just post the password online as well.”
Most attacks are opportunistic and aren’t planned far in advance, the researchers found.
“It’s unlikely that there can be a purely technical solution that isn’t so tightly locked up that it becomes unusable,” Blackburn said.