Space Invaders: The Networked Terrain of Zoom Bombing
Within days of the virtual meeting platform Zoom becoming a household name, news spread that meetings were being hijacked by uninvited guests. The practice was quickly dubbed Zoom bombing. Zoom bombing is a novel form of raiding or bombing, a common type of coordinated online attack. In this report, we examine how Zoom bombing works, the sociotechnical systems that enabled it, and the networked terrain of the attacks. Zoom bombing illustrates that networked participatory technology is often used in malicious or mischievous ways its creators and clients did not — but should have — foreseen.
When workers across the US first began staying home in order to flatten the COVID-19 curve in early March 2020, a huge proportion of them began using Zoom. This rapid explosion in popularity was met with pre-existing sociotechnical conditions that created the perfect environment for Zoom bombing: lax security settings in the software, inadequate training for new users who inaccurately assumed the software was more private than it was, bored teenagers home from school, social proclivities toward trolling, and easy outlets for the bombs to go viral. Therefore, Zoom bombing isn’t technically “hacking,” but rather a misuse of Zoom’s core functionality. It is a sociotechnical exploit that combines sociocultural and technical conditions to deliver a threat.
We trace Zoom bombs through their life cycle across multiple platforms and show how the phenomenon morphed from a low-stakes gag to a coordinated effort to cause real social harm by spreading noxious and hateful content to unsuspecting audiences.
This paper explains what Zoom bombing is, who Zoom bombers and their targets are, where and how they coordinate, execute and share attacks, and how press attention on the phenomenon has changed the information ecosystem. We seek to shed light on these processes to offer a comprehensive and nuanced explanation of the vulnerabilities that drive Zoom bombing and to offer suggestions for how the makers of communication technologies can better anticipate these kinds of misuses to protect their users.