After drawings of penises began speckling the screen and racial slurs flooded the chat box, UF professor Xiang Bi decided to shut down her virtual Zoom class last week. She reopened a new classroom requiring a password a few minutes later and resumed teaching.
But the incident wasn’t reported to the university.
And now that UF classes and meetings have moved online to minimize the spread of COVID-19, some students and staff at UF are reliant on the video application to continue daily life.
But logging onto the video conferencing platform, Zoom, to connect for work and class exposes many users to offensive disruptions and security and privacy threats, according to a blog post from the company’s CEO and Zoom’s annual report to its stockholders.
Bi’s class was “Zoom bombed,” one of the rising issues facing the application since new users began flocking to the video conferencing service to stay connected while social distancing, according to the blog post.
Hackers enter and derail meetings on a sliding scale from pranks to hate speech such as drawing swastikas, writing racial slurs, displaying pornographic images and sharing other offensive content. At UF, there have been at least four cases of “Zoom bombing” since the university went virtual: in two public events and during two classes.
“Zoom bombings” have been reported across the country, including in schools, big business meetings, religious events and even Chipotle's new virtual hangout series, according to The New York Times.
Hackers entered Bi’s virtual classroom about 15 minutes after she started her agribusiness and food marketing management class, she said. They drew penises on the screen and wrote a racial slur in the chat box.
When the hackers began using Bi’s screen, she disabled the share screen feature, she said.
However, she left the chat box feature on so students could ask questions. Bi also forgot to turn off the scratchpad feature, which allows participants to draw on the screen. She only shared the link to the Zoom call with her students, Bi said, so she doesn’t know how the hackers found it.
But this wasn’t the first instance of an online hack that was connected to UF.
Bi didn’t report the incident to the university because she heard from a colleague that UF was already working on updates after a similar incident happened just a day before at a Student Government Senate meeting.
Shortly after, she received an email from the university with Zoom safety recommendations. Despite this, the hacks continued to gain momentum.
UF’s first incident: A Student Government Senate meeting
The first known case of a “Zoom bombing” was last week at a publicized UF Student Government Senate meeting. Hackers entered the meeting and began sharing pornographic pictures through the screen-share function, drew swastikas on the screen and sexually harassed student senators, calling them sexually explicit slurs.
SG Senate’s case is also the only “Zoom bombing” case that was reported to the University of Florida Police Department, UF spokesperson Steve Orlando wrote in an email. The university is asking that these hijacks be reported to UF Information Technology and UPD.
The FBI released a warning the day before the UF Student Government Senate incident last week about these hijacks and reported two similar incidents that happened in Massachusetts schools.
Following the SG hacking, UF has encouraged faculty to use its Zoom security features and highlighted two safety policies, according to its Keep Zoom Secure page.
Faculty can adjust their settings to only allow “authenticated users” to join meetings, requiring participants in Zoom to be signed in and have a university-affiliated account, according to the Keep Zoom Secure page.
“Student safety, privacy, and security is of the utmost concern to the University of Florida,” Orlando wrote. “UF had already implemented this technology two years ago. Our implementation was and continues to be guided by IT security and privacy protocols to safeguard students and University intellectual property.”
UF monitors Zoom’s performance and evaluates security issues daily, Orlando said. UF Information Technology recommends reading its latest advice before setting up meetings, he said. As of Wednesday evening, the latest update warns faculty, staff and students to be mindful of the information they share to avoid violating federal law restricting the release of medical information and the Family Educational Rights and Privacy Act privacy rules.
On Friday afternoon, UF announced via email that local and federal authorities in Gainesville identified a 13-year-old girl in Memphis, Tennessee, as one of the hackers behind the intentional interruption of the SG meeting.
The investigation is ongoing and no charges have been filed, according to an email from the university.
UPD got help from the FBI in Gainesville and followed a lead it had in the case to the girl in Tennessee, the email read. The girl said it was supposed to be a joke.
“This is absolutely not a joke,” UPD Chief Linda Stump-Kurnick said. “We take these matters very seriously, and we will pursue any and all leads to help ensure anyone involved in incidents like this is held accountable.”
When asked if UF considered “Zoom bombings” as an internal or external threat or what kind of information these hackers can collect when intruding on a class or meeting, Orlando wrote that UPD is “continuing to assess the nature of the incident.” He wrote that charges will be included if the situation is determined to be a hate crime.
Zoom weighs in on surge of recent hacks
Zoom has discouraged making meetings or classrooms public, recommending users avoid sharing meeting links publicly on social media, only allowing the host to use the screen-sharing feature and using the updated version of the application.
Zoom founder and CEO Eric S. Yuan apologized for not meeting privacy and security standards and revealed a 90-day plan to improve in a blog post on the company’s site on April 1, including halting the addition of any new features and shifting all engineering resources to fix privacy and safety issues.
In the company’s annual report on the Zoom investors’ site, Zoom acknowledged the brand’s security may be a risk factor for stockholders. The report was released just a few weeks before UF’s first “Zoom bombing” cases and just as many started to transition their classrooms to the provider.
“Our security measures have been compromised in the past and may be compromised in the future,” the report said. “If our security measures are compromised in the future, this could damage our reputation, impair our sales, and harm our business.”
Failures to comply with privacy, data protection and information security rules, whether they actually happen or are perceived to have happened, were also predicted as a possibility that could harm the company, according to the report.
While Zoom aims to meet these standards, it wrote, the “regulatory framework for privacy and data protection worldwide is, and is likely to remain, uncertain for the foreseeable future.”
COVID-19 webinar falls victim but still continues
Hackers also attacked a Zoom webinar on April 2, just two days after the SG Senate incident, hosted by the Dana-Farber Cancer Institute, on the data science behind COVID-19. The presentation featured Natalie Dean, a UF biostatistics assistant professor who spoke about COVID-19 vaccines and therapeutics development, as well as other experts.
The UF College of Public Health and Health Professionals advertised the stream in a tweet at 11 a.m. March 31, hours before the SG Senate meeting was hacked. The account also retweeted a post from Dean on the day of the stream, encouraging people to join the call without acknowledging the recent university-affiliated “Zoom bombing” that happened on the same streaming platform as the webinar.
As Rafael Irizarry, a Harvard University biostatistics professor, was explaining the stream’s positive and educational intentions to the nearly 500 people on the call, he was interrupted. Hackers wrote vulgar, racist and anti-Semitic comments in the chat feature.
Irizarry said they had disabled viewers’ ability to join video before the presentation, but they could still type messages in the chat. This changed when the bombers spammed the chat, which was quickly muted after the stream began.
Hackers shifted their focus to sending more racist and homophobic messages to the stream’s separate Q&A chat. They abruptly stopped sending messages about 15 minutes into the stream, before Dean gave her presentation and answered questions about COVID-19 without any further interruptions.
‘We’re trying to learn, bro’: ‘Zoom bombing’ compromises another online class
Assuming the aliases of Riley Reid, a pornography star, and Donlad Trump, a misspelling of the U.S. president’s name, two hackers also joined a UF class on revolution and reconciliation in the U.S. They began screaming disruptively in the Zoom class.
The hacker using Trump’s name wore a “bong mask,” or a face mask with a closed glass cylinder attached to the mouth area to minimize the release of smoke. The other recorded their encounter with the class on their phone.
Raúl Vera and his classmates weren’t fans of the prank.
“We're kinda like, ‘Hey, can you just like get the f*** off the call,’” the 20-year-old UF history sophomore said. “‘This is really childish. We're not 14 and we're not, you know, prank calling Domino’s anymore. We're trying to learn, bro.’”
The hackers appeared to be college-aged males, Vera said. He thinks they were friends, and it looked like the Trump hacker was smoking marijuana.
Vera said he and some classmates were agitated by the hackers at first, but then decided to ask the pair to leave and just ignore them so they could continue class.
The Trump hacker left the chat first after being ignored for about five minutes, Vera said. The other followed suit a few minutes later.
“It just became a nuisance after a point,” he said. “Because we were trying to genuinely get our coursework done.”
Vera received a Canvas mail from his professor Monday that said students will have to enter a password and be held in a waiting room until an instructor lets them in.
“With the rise of Zoombombing, I’m going to add some security to prevent interloping trolls,” Elizabeth Ross, an associate professor in the UF School of Art + Art History, wrote in the message.
Mark Hodge, a teaching assistant, was leading a class discussion when the incident occurred. When the hackers started to cause disruptions, he said he tried to kick them out of the class.
But the application told him he wasn’t the host anymore, Hodge said, and required him to log back in to regain hosting privileges. He thinks the hackers became the hosts.
The 31-year-old art history doctoral candidate said despite his seven years of teaching experience, he didn’t know what to say after the hackers left. The class didn’t talk about the intrusion after. They just continued instruction.
“I just wondered how my students would take that kind of invasion of privacy,” he said.
Students’ Zoom accounts are provided through the university, Hodge said. He wondered if “Zoom bombing” a class could give hackers access to the students’ personal information, like their social security numbers.
“You want people to be comfortable in the environment,” he said. “And that was like complete invasion. Even though there was no physical danger, it still felt really, really weird.”
Email Chasity Maynard at email@example.com and follow her on Twitter at @chasitymaynard0.
SG Senate has used Zoom to meet during the COVID-19 pandemic, but it has not met over the platform since it was "Zoom bombed" on March 31.