Menu Menu

Healing Rooms of Loveland
Online Ministry:
The Threat of “Zoom-Bombing”

Much has been said recently about "Zoom-bombing"—the practice of unwelcome people entering a Zoom meeting and disrupting the meeting with undesirable content and behavior, and many people are reacting in unwarranted fear, nervous about even using the Zoom app. I don't think this is an issue for the Healing Rooms of Loveland, and below are the reasons I have come to that conclusion.

The Meeting ID

Zoom-bombing can happen only if malicious people are able to join (enter) a meeting, and to do so, they will need the Meeting ID—that number that specifies which meeting is being joined. In cases where the Meeting ID is posted on social media or a well-known website, such a meeting is wide open, and of course anyone who happens to browse that web page or that social-media page has enough information to join the meeting and cause havoc. (This situation is what the uproar in the press is about.) Healing Rooms of Loveland does not post Meeting IDs. We create brand-new meetings as needed, whenever a ministry session starts, and a different, non-sequential Meeting ID is assigned every time.

But could someone stumble into our meetings and ministry sessions just by a lucky guess of our Meeting ID? Let's think about that.

Zoom Meeting IDs are 9, 10, or 11 digits long. Let's consider the "least" secure form: only 9 digits long. Since there are ten possible digits in each of the nine positions, this means there are 109, or one billion possibilities for the meeting number. How likely is it that someone could randomly stumble upon our meeting number? If a person tried a new 9-digit meeting number every single second, 24 hours a day and seven days a week, it would take, on average, more than 15 years to randomly guess our 9-digit Meeting ID and crash our meeting. And that's assuming we waited around long enough for him to stumble upon the correct Meeting ID (our ministry sessions are typically 30 minutes or less). Keep in mind, this 15-year average does not even take into account a password!

The Password

Zoom meetings have had the capability all along of applying another layer of security by adding a password to the Meeting ID, and for some time now, passwords have been required for all new meetings. Depending on the type of Zoom account, passwords may be six digits long—adding another one-in-a-million chance of randomly stumbling upon the right password. So after taking 15 years to get the right Meeting ID, such a password would add 5 more days, at one attempt per second, to break into our 30-minute-or-less meetings.

But other accounts—the kind used by almost all of the Healing Rooms ministry team members—have passwords that are six characters long, but each character is not limited to being a digit. Each character of these passwords can be an uppercase letter, a lowercase letter, or a digit; e.g. "5QeGw9". Since there are 26 uppercase letters, 26 lowercase letters, and 10 digits, there are 62 possible characters for each of the six positions in the password. This works out to 626, or about 57 billion combinations. Trying a new combination every second, as above, would add, on average, about 900 years to the time required to break into our 30-minute-or-less meetings. And that's if they already knew that the Meeting ID they were using was valid (which they wouldn't).

Clearly, malicious people are not going to be able to get into Zoom meetings without someone giving them the Meeting ID and password. Which we don't.

The Waiting Room

But suppose, just for the sake of discussion, that someone randomly picks a valid Meeting ID and correctly guesses its password before the meeting is over with (even though the likelihood of this is much less than you getting struck by lightning dozens of times in the same day). Suppose he's just a really good guesser. What then?

In Zoom meetings, there is this concept called the "waiting room," and it is turned on by default. What does the "waiting room" do? It holds new people, who are trying to join the meeting, in a separate holding area, and they cannot join the meeting for real until the meeting host explicitly and deliberately admits them into the meeting. So if someone tries to join a Healing Rooms ministry session and it's not one of the members of the ministry team, and it's not the person who requested ministry, not only can the host simply not let him in, but he can also forcibly remove the intruder even from the waiting room. And if the newcomer is not explicitly admitted to the meeting, he can't affect the meeting in any way.

But if the Waiting Room functionality were turned off, could comeone crash the meeting (assuming he was able to guess the Meeting ID and password)? Yes, if the Waiting Room was turned off. But we don't.

Locking the Door

There is another functionality in Zoom meetings that offers even more security: locking the meeting. Once the ministry team and the ministry requestor have joined the meeting, the meeting host can lock the meeting so no one else can join, even with the correct Meeting ID and password.

The Upshot

There are even more security features that Zoom offers, should anyone feel the need to use them above and beyond the security provided by the above items.

But is it technically possible for a malicious person to join a Healing Rooms ministry session and act inappropriately? Of course, under these conditions:

  1. If he correctly guesses the correct Meeting ID (which averages 15 years, at one attempt per second), and
  2. If he correctly guesses the password (which averages 900 years, at one attempt per second), and
  3. If the meeting host mistakenly admits the malicious person into the meeting,

. . .then yes, it would be possible to have your meeting Zoom-bombed. But for all practical purposes, it is impossible for someone to get into a Zoom meeting unbidden without being given the Meeting ID and password. You have a three times better chance of winning the Colorado Mega Millions Lottery (1 chance in 302 million) than having your Zoom meeting crashed by a malicious person, even if the meeting had no password!

Far easier, and far more likely than someone breaking into a Zoom meeting would be someone simply walking into Celebration Church after we are again ministering there in person, and starting to shout obscenities. So, Zoom's alleged "security issues" go away when people actually use the security features built into the software. Which we do.

If you have experienced unwanted content on your computer, it is much more likely that you clicked a link in an email that was disguised as something desirable (Walmart and Amazon Gift Cards are common choices), or you clicked on a link in social media (where anyone can upload things), or you visited a malicious website that installed malware on your system. It is extremely unlikely that Zoom is the culprit.

In short, don't be swept away by the panic in social-media and the hype in the news reports. "But they're talking about it all the time!" someone says. Yes, they are. Far be it from the news media to engage in sensationalism or fear-mongering, right?