Last week saw the U.S. Senate join the ever-growing chorus of federal officials advising staff against using Zoom, with one top official calling the video software a “privacy and security concern.” And while there are myriad reasons to be concerned about the video-call platform—from the potential for foreign snooping to its issues with encryption, to, well, everything else—it looks like the turning point for some federal officials boils down to one thing: shitty teens.
But what, exactly, is allowing these shitty teens to troll members of Congress and others around the country? Turns out, in many cases at least, it’s just a bit of clever googling. More worrisome: The same search tactics for finding Zoom calls can apply to the company’s product specifically built for government use.
The “Zoom-bombing” problem hit a new apex last week when Ohio Republican Rep. Jim Jordan sent a memo to the House Oversight Committee, asking Chairwoman Caroline Maloney, a New York Democrat, to shut down the committee’s ties to Zoom. Jordan’s letter came less than a day after the Senate’s seargeant at arms warned the chamber’s members and staff to not use the service. The reason? Pranksters on the platform interrupting a congressional meeting. As Jordan wrote:
“[I]n spite of the warnings by the FBI and media outlets, on April 3, 2020, you held a Zoom-hosted Member briefing on women’s rights in Afghanistan with the Special Inspector General for Afghanistan Reconstruction (SIGAR),” Jordan wrote. During this important briefing, the session was ‘Zoom-bombed’ at least three times.
Jordan added that the impact of potential “hacking and malware” on the devices of meeting attendees is “still being determined.” But as most of the kiddie culprits behind these sorts of attacks will tell you, it’s ridiculously easy to find Zoom meetings to trash. And from a little bit of analysis, I found that the adage this doesn’t just go for the calls held in classrooms and among recovering alcoholics, but also for those held on Capitol Hill.
The case Jordan complained about is the first publicized instance of these attacks reaching the federal level, but attacks on local government have been happening for weeks. Trolls have reportedly descended on city council meetings happening across pretty much every state you can name, to shitpost porn, Nazi memorabilia, and presumably, Nazi-themed porn.
In response to these attacks (and others), Zoom beefed up its security practices, giving each meeting a virtual waiting room by default, allowing hosts to pre-screen potential participants and boot out any obvious trolls with names like “Ben Dover” and “Hugh Jass.” Though the threat of these pre-screenings—not to mention potential jail time—deterred a chunk of these trolls, just as many went and…. adopted benign names to sneak into these rooms the same way that they always had.
I’m not pretending to be a zoom-bombing scholar, but after kicking it with zoom bombers for about a day, I was able to figure out how a lot of these kids were finding these codes to begin with. The overwhelming majority come from tween and teenage students just passing their own class’s codes amongst themselves to screw with their teachers. A few of the more enterprising types created scrapers or bots to mine any invites to Zoom meetings off of major social platforms.
Another popular method, as it turns out, is “google dorking”—essentially using certain keywords in Google’s search bar to dredge up vulnerable intel from the web. Dorks (as these keywords are called) aren’t just the bread and butter of hacking aficionados or cybercriminals, but of certain investigative journalists, including myself—which means that I could theoretically “hack” into the same congressional meetings these teens were a part of.
So I decided to give it a try—not to bomb any meetings myself, but just to see if I could find where these asshats were digging them up.
Unless you take a few extra steps to bury stuff from search engines like Google, just about everything you post online is indexed and stored in a searchable, digital record. When it comes to sites run by folks that are a tinge less tech-savvy—like, say, the website of a given local government—knowing the right words to search can turn up anything from the site’s entire history, even if it’s hidden behind some sort of password protector. And as I’d found previously, all public-facing Zoom links share a similar searchable string—making it easy to find an endless buffet of upcoming meetings that have been posted somewhere online.
Gizmodo first reached out to Zoom about its Google dorking problem two weeks ago, but those inquiries went unanswered until today when we tipped them off to the fact that the same issue applies to Zoom For Government meetings.
“Zoom takes security extremely seriously,” a spokesperson for the company said. “Zoom is aware that in some instances where users have shared links to meetings publicly, they may be indexed by search engines—and we are working hard to de-index those links and have the results taken down.”
The spokesperson added, “We strongly encourage all users to not post links to sensitive meetings on public websites, and we recommend the use of password protection and virtual waiting rooms to ensure uninvited users are not able to join.”
To be fair, the reason that more than a few city municipalities had their meetings crop up in my search results was because they were using plain, vanilla Zoom. For the folks that have a bit more cash to burn—or a few more state secrets to keep under wraps—it’s more likely they’re using Zoom For Government, the elite offshoot that was endorsed by the Department of Homeland Security last year as a “secure cloud solution.” According to publicly available documentation, this branch of Zoom also counts other notable partners like the Centres for Disease Control, Customs and Border Patrol, and the Department of Agriculture.
Naturally, I assumed that the teleconferencing software of choice for the Pentagon and ICE would make its meetings a bit more difficult to find, but just like before, these meetings were only a few clicks away. Five minutes in, I’d found a few links for meetings held at the USDA, the NSF, and a handful of coronavirus conference calls hosted by the CDC.
It’s worth noting that none of these links were particularly juicy, so to speak—you’re (probably, hopefully) not going to be finding any internal meetings between the top brass in the U.S. military by poking around at Google search. But you will find calls aimed at the public: think USDA calls with local farmers, CDC calls with local hospitals, or NSF calls with local universities. In cases like these, the waiting room feature doesn’t do jack shit—if a Zoom bomber can fudge their name to sneak into AA meetings under the guise of a fake alcoholic, they can damn well do the same to sneak into a CDC meeting under the guise of a fake hospital employee, or a fake federal contractor.
In Zoom’s defence, a lot of this is out of their hands, since it’s the federal authority that’s putting these links out into the world for all search engines to see. But if the company can completely revamp its data centre structure in the name of national security, the least it can do is tip off its clientele about what they might be accidentally airing on the open web.