Security gap in Webex: Thousands of Bundeswehr meetings were floating around openly on the Internet

Only a few months ago, Russia was able to record a video conference of senior Bundeswehr officers. Now research is uncovering further security gaps in the Bundeswehr’s use of Webex. These occur across authorities – but have now been resolved.

Two months after the Webex scandal involving a conference recording by Russia, there were further potentially serious security gaps in the Bundeswehr. “Zeit Online” reports that at least 6,000 Webex meetings were recently easy to find, even for outsiders. This meant that outsiders could see the title, the time and who had issued the invitation for important meetings. One from April 25th was called “Review of the Taurus milestone plan and finalization”.

In addition, personal meeting rooms, which usually exist permanently without a specific reason, were easy to find and could even be entered without a password. According to their own statements, journalists from the outlet entered a personal meeting room of Air Force Chief Ingo Gerhartz, one of the participants in the Taurus conversation that was leaked by Russian media in March.

Bad links as a gateway?

A spokesman for the Bundeswehr’s cyber and information space force confirmed upon request that there had been a “vulnerability” over the course of the week, but that it had been eliminated within 24 hours. Metadata such as times and participants could previously be viewed via the Webex communications platform. However, it was not possible to dial in and access any confidential content.

According to “Zeit Online”, the Bundeswehr only became aware of the security gap through the media inquiry and then disconnected the Webex instance, through which more than 1,000 meetings a day are held in the authority, from the Internet. The weak points themselves were discovered by a team from the Net Greening Association. The outlet verified the findings through its own samples.

One security hole is said to have been that the links to Bundeswehr video meetings could be guessed by counting up or down. According to “Zeit Online”, however, the recommended practice in the IT security industry is to assign the numbers in web addresses randomly, so that no one can simply count from one meeting to the next.
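The following is an added example, not code from the article, the Bundeswehr or Webex: it flags clients whose requests count meeting numbers up or down in an access log, and shows a randomly generated identifier as the alternative. The `/meet/<number>` URL layout, the log format, the sample lines and all function names are assumptions made for illustration.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample log lines: client IP, method, requested meeting path.
SAMPLE_LOG = """\
203.0.113.7 GET /meet/48210011
203.0.113.7 GET /meet/48210012
203.0.113.7 GET /meet/48210013
203.0.113.7 GET /meet/48210014
203.0.113.7 GET /meet/48210015
198.51.100.4 GET /meet/48210950
198.51.100.4 GET /meet/48117302
192.0.2.9 GET /meet/48300020
192.0.2.9 GET /meet/48300019
192.0.2.9 GET /meet/48300018
192.0.2.9 GET /meet/48300017
"""
LINE_RE = re.compile(r"^(\S+) GET /meet/(\d+)$")  # assumed log format

def longest_counting_run(ids):
    """Longest run of requests where each ID is the previous one +1 (or -1)."""
    best, run, direction = 1, 1, 0
    for prev, cur in zip(ids, ids[1:]):
        step = cur - prev
        if step in (1, -1) and step == direction:
            run += 1                    # run continues in the same direction
        elif step in (1, -1):
            direction, run = step, 2    # a new run starts with this pair
        else:
            direction, run = 0, 1       # unrelated jump, reset
        best = max(best, run)
    return best

def find_enumerators(log_text, min_run=4):
    """Map each client IP to its longest counting run, if at least min_run."""
    per_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            per_client[m.group(1)].append(int(m.group(2)))
    runs = {ip: longest_counting_run(ids) for ip, ids in per_client.items()}
    return {ip: n for ip, n in runs.items() if n >= min_run}

def new_meeting_id():
    """128 random bits from the OS CSPRNG; neighbouring IDs cannot be derived."""
    return secrets.token_urlsafe(16)
```

Random identifiers only remove the counting shortcut; whether a room can be entered still depends on the password and access settings described above.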

At the beginning of March, a Webex conference call recorded by Russia between four high-ranking officers, including Air Force Chief Ingo Gerhartz, caused a stir. In it, they discussed operational scenarios for the Taurus missiles in the event that they were to be delivered to Ukraine. The Defense Ministry later blamed the leak on the carelessness of a Bundeswehr general in Singapore.
