Town and Academy Respond to ‘Zoombombings’
By Tanya Das, Otto Do, Jeannie Eom and Tina Huang
In light of the coronavirus pandemic and new uses of video conferencing, cyber attacks called “Zoombombings” have targeted educational and municipal institutions. Through security flaws in Zoom and publicly available meeting links, individuals have entered private or public meetings and projected inappropriate or vulgar messages and imagery.
One such instance occurred in a recent town meeting. On April 13, the Exeter Select Board met via Zoom. In accordance with 91a laws, which require virtual forums to be accessible to all, the meeting invitation was available to the public. Approximately 45 minutes in, an intruder disrupted the Zoom video call with pornographic images and hateful language.
According to Town IT Director Robert Glowacky, the perpetrator—a pre-teen male—not only “yelled racial and homophobic slurs” but continued to “show their bare bottom on camera.” Community members, including children, had been participating in the call, and Exeter TV, the town’s public access channel, was broadcasting the forum live.
Exeter Police traced the caller’s IP address to Seattle, Washington. Investigations continue.
Exeter Select Board Chair Niko Papakonstantis condemned all offensive behavior on Zoom, apologizing to those who witnessed the intrusion into the town’s meeting. “I think that anybody who is directly or indirectly the subject of such hateful language and actions would feel angry, upset and violated. As Chair of the Select Board, I accept the responsibility that this incident occurred,” he said. Originally, moderators aspired to fully mimic the free nature of in-person discussions by allowing participants to unmute at will.
After the incident, Glowacky acknowledged that a free-participation Zoom meeting was not the best course of action. He explained that virtual meetings offer agitators a unique opportunity. “In a real meeting in the Nowak Room, outbursts like this could happen, but people wouldn't be able to hide behind the anonymity provided by the internet,” Glowacky said.
Academy Director of Technology Services Scott Heffner stressed that local officials were in a difficult position. “Like the rest of us, the town has had to become Zoom security experts in a hurry,” he said. “Zoom grew from 10M users to 200M users almost overnight, [meaning that] their support and sales teams have been almost completely inaccessible.”
Though this was the first “bombing” of an Exeter town meeting, faculty at the Academy have reported similar interruptions. Modern Languages Instructor Katherine Fair encountered a non-Academy affiliated individual in one of her classes. “I had one ‘Zoombomber’ in a class early in the term,” she said. “The legitimate members of the group all recognized the intrusion pretty much simultaneously, and I simply closed and re-opened the meeting and finished the class.”
Such instances may lead to severe consequences. “In the event that an attack is particularly egregious, we can press federal and state charges,” Heffner said. “That’d be a last resort and would only be done after consulting with the school administration and legal counsel.” Exeter Police Chief Stephan Poulin told the Exeter News-Letter that formal charges will be considered for the perpetrator of the town meeting attack.
While some incidents may be attributed to public sharing of meeting invitations, others are the result of lax security protocols with Zoom. The University of Toronto recently published a report indicating major flaws in the encryption of Zoom’s cloud-based meetings. Zoom previously apologized in a blog post for overstating its security properties.
In response to these instances, the Academy Information Technology Department and Zoom have tightened security. “IT quickly found a solution: they now have us set meetings only to accept people with an Exeter email address. I haven’t had any other invasions since, and we’re all hoping that the fix will continue to do the trick,” Fair said. For its part, Zoom has made “waiting rooms” for calls a default setting.
The Academy has also instituted investigation and mitigation systems in the event of further ‘Zoombombings.’ “We take Zoom audit logs, track down the Internet Service Providers for the attackers and submit formal complaints with those companies,” Heffner said. “We follow up with the faculty member who reported the incident and work with them to secure their future classes. We include legal counsel on all communications and provide updates to the Dean of Students Office as appropriate.” Such investigations occur over one or two hours under the direction of an individual staff member within the department.
While meetings are ideal for Harkness learning, Heffner noted that Zoom webinar licenses are more secure. “The webinar license restricts attendees from doing things like sharing their cameras, unmuting themselves and sharing their desktops. Those licenses are more expensive,” he said.
From now on, the town will use such webinars. “By going to webinars, we're still allowing public participation, but in a much more controlled and filtered way… [We are in a] better position to respond going forward,” Glowacky said.
Town Manager Russ Dean noted that additional security measures will also be enforced. “We plan to closely scan for strange IP addresses. The system can't be 100% locked down, but we feel as though we’ve made as many adjustments as we can,” Dean said. The Town of Exeter will continue to meet the public participation standard.
Similarly, the Academy remains committed to ensuring that virtual classes are safe spaces for students. “As we investigate and gather our evidence, we work on containment, eradication and recovery,” Heffner said. “The goal is to make sure no further damage is done and then get [everything] back to normal.”