Zoom bombing: Definition and prevention

Zoom bombing is the act of sabotaging a conference call through the use of inappropriate, disruptive, or even dangerous material (for example, by shouting slurs or putting an offensive video on screen). Despite the name, Zoom bombing is not limited to the Zoom platform — it can be carried out over any conferencing app if the event organizer does not implement sufficient countermeasures.

In Zoom bombing, malicious actors join an online meeting for the sole purpose of bringing it down. These people are rarely criminal masterminds or genius hackers — in fact, most acts of Zoom bombing are carried out by abusing common Zoom features or the default settings (such as Zoom’s tendency to automatically show the screen of the person talking).

Many Zoom bombers are outsiders who find the event through a meeting link posted on social media or public forums, but Zoom bombing can be done by insiders, too. Disgruntled employees may try to sabotage their team by turning meetings into a farce, or office bullies could try to ruin a colleague’s presentation as a cruel prank.

After entering the meeting, Zoom bombers will check the settings to see what security measures have been put in place — for example, have the meeting hosts restricted the ability of guests to share files? Is everyone but the speaker muted? Once they’ve established one or more avenues of attack, the attackers will lie in wait for an opportunity to cause chaos.

Dropping a Zoom bomb can involve suddenly shouting racist slurs, hijacking a presentation by streaming explicit content, or even sharing infected files with the other attendees. The bomber may have conspirators waiting in the wings, ready to continue the attack if the former is identified and muted. By the time the host has reestablished order, the guests are usually too exhausted and distracted to be productive.

The best way to understand Zoom bombing is through a simple example. In this hypothetical scenario, Alice is the Zoom meeting host, Bob is her colleague, and Crimesey is one of many internet trolls that want to have a laugh at their expense. Here’s what happens:

1. Having returned from a business trip, Alice wants to share tips on productivity with her colleagues. She sets up a Zoom meeting and sends invitations to everyone in the office using her Personal Meeting ID.
2. Bob thinks the meeting would be useful to people outside of work and shares the meeting link in a public group for professionals on Facebook. Unbeknownst to him, the group is followed by Crimesey, who immediately snatches up the link.
3. At the appointed time, Crimesey and other internet trolls join the meeting and wait until the attendees have gathered. He notices that Alice has allowed anyone to speak up in order to answer questions during the presentation.
4. A few minutes into the meeting, Crimesey starts playing loud music that drowns out Alice’s presentation. At first, everyone assumes this is simply an embarrassing gaffe, sharing a laugh. As the attack continues, Alice is finally forced to mute Crimesey.
5. At that point, one of Crimesey’s friends begins shouting sexually explicit slurs. Shocked, Alice quickly identifies and mutes the offender — but just as she does, another picks up the torch.
6. By now, the meeting is a loss — Alice, Bob, and the other guests are too shaken to continue. Because the meeting link was shared in a public space, the incident becomes known outside of work and results in a public-relations disaster.

While highly disruptive, most acts of Zoom bombing are not illegal. The public and even some lawmakers see Zoom bombing as a mean-spirited but ultimately harmless prank — and often the victim’s own fault for not taking proper precautions. However, it is illegal to disrupt Zoom meetings through criminal means.

The most common way to get on the wrong side of the law through Zoom bombing is by sharing illegal content — for example, a San Francisco resident was arrested in 2020 for possession of child pornography after it was seen on his screen in Zoom meetings. In a similar vein, disrupting certain public Zoom meetings (such as official online classes) may result in the prankster being charged with disturbing the peace.

Fortunately, you can prevent Zoom bombing attacks with a few simple security measures. Here’s what you can do to make sure your Zoom meetings are free from interruption.

Do not use your Personal Meeting ID

A Personal Meeting ID (PMI) lets you access your Personal Meeting Room on Zoom — a permanent virtual space reserved just for you. Anyone in possession of your PMI can hop into this space at any time without an invitation. To avoid unwelcome party crashers, select “Generate automatically” for your “Meeting ID” in Zoom “Meeting settings” when creating the event.

Add a waiting a room

Zoom’s waiting room feature can give you time to tweak the security settings before the meeting officially starts. Once you’re ready, you can admit the waiting guests one by one or all at once. To create a waiting room for your meeting, follow these steps:

1. Sign in to the Zoom web portal and choose “Settings” from the main menu.
2. Open the “Meeting” tab, find “Security,” and click the “Waiting room” toggle.
3. When presented with a pop-up, click “Enable” to confirm you want to implement the waiting room feature.
4. Click on “Edit options” to customize waiting room settings.

Use in-meeting security controls

Zoom has a number of security features that allow victims of Zoom bombing to take back control of their meeting. In particular, by clicking on “Security” in the Zoom controls toolbar, you will find options for:

• Screen sharing. You can stop others from sharing their Zoom screen without permission, preventing Zoom bombers from showing inappropriate signs or engaging in distracting activities in the background.
• Unmuting. If you prevent guests from randomly chiming in without the host’s permission, Zoom bombers will not be able to interrupt presentations with rude remarks, loud music, or startling noises.
• Starting videos. Restrict the participants’ ability to start videos without the host permissions to avoid having Zoom bombers stream lewd or otherwise inappropriate material during the meeting.
• Locking the meeting. If you lock the meeting, participants will not be able to join (or rejoin) while the event is in progress. This option is useful if you have shared the meeting link in a public space and don’t want troublemakers that you throw out to keep coming back under different names.

Use more secure conferencing apps

Zoom may be one of the most popular video conferencing apps, but it’s not the only game in town. In fact, there are plenty of secure alternatives to Zoom for you to choose from, including crowd favorites like WhatsApp and FaceTime. These apps have learned from Zoom security issues — so if you delete your Zoom account for any reason, it’s not the end of the world.

Zoom has taken a number of steps to improve its security against Zoom bombing and other cyberattacks. In January 2020, Zoom made password protection the default option for meetings and disabled the ability to scan for open meetings. In April, the Zoom app was also updated to send guests to a waiting room by default. These changes were made to protect Zoom meetings from random intruders wanting to cause havoc.

On the technical side of things, Zoom introduced new encryption and privacy measures to make it harder to hijack meetings. Zoom eventually upgraded its app encryption to the Advanced Encryption Standard (AES) 256-bit Galois/Counter Mode (GCM) and protected user communications with end-to-end encryption.

Zoom has come a long way since the early days of the pandemic, but Zoom bombing remains a very real threat. Remember — the best way to stop Zoom bombers is simply being careful about where you share meeting links and how you manage your Zoom meeting settings.