'Zoom-bombing' attacks on video conferencing platform leave victims shaken

Zoom has emerged as an indispensable video conferencing tool for remote work and study during the COVID-19 pandemic, but a growing number of so-called Zoom-bombing incidents is prompting warnings from the FBI and from the victims themselves.

Doctoral candidate says profanity, porn appeared on the screen during his dissertation defence

Zoom-bombing attacks disturb users on video conferencing app

A series of Zoom-bombings have hijacked calls on the video conferencing app with porn and profanity, as more use it to connect with friends, family, work and school.

Zoom has emerged as an indispensable video conferencing tool for remote work and study as millions of people are forced to stay home during the COVID-19 pandemic. But a growing number of so-called Zoom-bombing incidents is prompting warnings from the FBI and from the victims themselves.

People participating in meetings and lessons via video conference platforms like Zoom can find their screens hijacked by malicious actors who can put words and images on the screen and in the chat box or create havoc with the audio.

Dennis Johnson said he was in the middle of a video conference defending his doctoral dissertation about the struggles of African Americans in California's education system when he started seeing profanity appear on the screen.

"I'm talking about ... students of colour, specifically black students," said Johnson, 28, in a Skype interview from Long Beach, Calif. "As I'm talking about this, I see a circle on my screen ... then another circle and then I see another shape. It's a penis."

Then he saw letters spelling out the N-word.

Johnson says he froze. Seconds later, pornographic images began appearing all over the shared screen. Eventually, someone on the call was able to remove the uninvited culprit from the group.

WATCH | Dennis Johnson is helpless to stop an online attack during his doctoral defence (graphic images and language have been blurred)

Watch this Doctoral candidate get "zoom-bombed"

Dennis Johnson was helpless to stop a racial slur and pornography from appearing on screen as he defended a dissertation Mar. 26 in Long Beach, Calif.

He is the first college graduate in his family, so his mother and 68-year-old grandmother were watching the presentation along with his professors. He says even after he regained his composure and was told he had passed, feelings of sadness replaced what should have been pride.

"I spent three years working on this paper, you know, working on this research," he said. "This moment was taken away from me in front of my family, in front of my friends. I was disrespected on a level that I could never imagine."

Zoom-bombing is becoming more frequent in Canada, as well, with unidentified visitors entering private online meetings and classrooms to spew racial and sexist slurs.

Russ Klein, the head of a Jewish high school in Vancouver, told CBC News that a community gathering the school was hosting on Zoom on Tuesday was infiltrated.

Earlier this week, a 250-guest virtual town hall held by YWCA Canada to discuss the impact of COVID-19 on women was Zoom-bombed as well.

"They started shouting racial epithets, they shouted the N-word," said YWCA Canada CEO Maya Roy. "Two YWCA employees were sexually harassed. Comments were made about them in the chat function."

FBI issues warning, tips

The number of incidents, known among security experts as "video teleconferencing (VTC) hijacking," has been alarming enough that it prompted a warning from the FBI earlier this week.

"The best mitigation strategy at this point is just to let a lot of the users know that this is going on, because they're going to be the ones that are able to protect themselves best," Boston-based FBI special agent Doug Domin, who primarily works on cyber cases, told CBC News.

The agency also released a tip sheet that included the following:

  • Keep VTC meetings private by issuing users a password or employing the "waiting room" function, which requires the host to invite each guest individually.
  • Don't share invitation links on social media.
  • Keep software updated to stay on top of any security patches provided by VTC companies.

Response from Zoom

But both Roy and Johnson say they took precautions: Johnson says his faculty used the waiting room function to monitor who was part of the dissertation meeting, and Roy says while the YWCA town hall was promoted on Twitter, joining it was password-protected.

Dennis Johnson, the first college graduate in his family, says the racist Zoom-bombing during his dissertation defence affected him emotionally. (Submitted by Dennis Johnson)

They say Zoom, whose shares have doubled in price since the COVID-19 crisis erupted in January and which has experienced record downloads, should take more responsibility.

Johnson started an online petition to compel the VTC company to improve its security features. By Thursday night, it had amassed more than 30,000 signatures.

Zoom, which has already been forced to apologize for not being forthcoming about its security limitations, says it's providing guidance to help virtual classrooms and meetings stay safe. But it hasn't specified any plans to offer additional controls for users to prevent harassment and online attacks.

"We strongly encourage hosts to review their settings, confirm that only the host can share their screen, and utilize features like host mute controls and 'Waiting Room,'" Zoom said in a statement to CBC News.

A report released Friday by the Citizen Lab, a tech and security research group based at the University of Toronto, says there is a "vulnerability" associated with Zoom's "waiting room" function. But no details were provided in the research to ensure hackers don't take advantage of it. Experts at the lab said they're in talks with Zoom to help fix the issue.

The report also says Zoom's encryption, which the company has previously claimed to be "end-to-end" and robust, does not meet industry-standard techniques and is not suitable for confidential communications, such as health appointments or legal meetings.

"If there's a need to discuss confidential or sensitive data over Zoom, I'd recommend potentially to look for another way to do that until Zoom makes the security updates in their app that they've promised," said Bill Marczak, a California-based senior research fellow at Citizen Lab and co-author of the report.

Marginalized groups a target

Johnson and Roy say Zoom-bombing should be investigated as hate speech because marginalized groups appear to be the main targets.

"Women, people of colour, Jewish community groups and the queer community," said Roy. "The onus shouldn't be on us to protect ourselves against hate online."

While Domin says the FBI is looking into a handful of incidents in Boston, "it's a difficult process to conduct an investigation over borders."

"There's no accountability online," he said.

The FBI also says it's hard to quantify how these types of security invasions can affect people personally, but children in particular who are exposed to graphic material or racist messages in an online classroom, for example, can have a tough time understanding what happened and why.

Johnson says even as an adult, it's been difficult to process his own experience. He says the incident will have a lasting effect.

"Whenever somebody says 'Dr. Dennis Johnson,' I'm going to remember that moment and I'm going to be saddened a little," said Johnson. "But I'm also going to remember that you have to push and you have to continue and don't stop."
