Security gaps in Germany’s military exposed more than 6,000 meetings online, some of them classified.
According to research by Zeit Online, several thousand links to video meetings discussing internal Bundeswehr information were openly accessible on the internet as of Friday evening. Many of them were classified as confidential.
After the military was made aware of the issue, it said the bug was fixed within 24 hours.
A spokesperson for the military told the French news agency AFP that “it was not possible to participate in the video conferences without the knowledge of the participants or without authorization.”
The Bundeswehr did not regularly delete old videos, either.
For months, outsiders were able to peek at metadata that included times, participants, and topics of Bundeswehr conferences that were held using the Cisco Webex system.
The meetings, according to a report, were numbered consecutively, and corresponding URLs could apparently be guessed, revealing information about past or upcoming meetings.
Other identifiers consisting of first and last names could also potentially be used to create email address data sets. Conferences had phone dial-in options, which posed additional risks, as they lacked encryption and proper participant identification.
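The report's point about consecutively numbered meetings can be checked from the defender's side. The following is an added example, not part of the original report and not Webex code: it flags clients that walk consecutive numeric meeting IDs in an access log and shows an unguessable identifier as the alternative. The `/meet/<number>` URL layout, the log format and the threshold of five are assumptions, and the log lines are constructed.

```python
import re
import secrets
from collections import defaultdict

# Constructed access-log lines: client IP, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /meet/41001 200
198.51.100.20 GET /meet/41003 200
203.0.113.7 GET /meet/41002 404
203.0.113.7 GET /meet/41003 200
203.0.113.7 GET /meet/41004 200
198.51.100.20 GET /meet/52310 200
203.0.113.7 GET /meet/41005 404
203.0.113.7 GET /meet/41006 200
"""
LINE_RE = re.compile(r"^(\S+) GET /meet/(\d+) \d{3}$")  # assumed URL layout


def longest_consecutive_run(ids):
    """Length of the longest run n, n+1, n+2, ... among the distinct ids."""
    idset = set(ids)
    best = 0
    for n in idset:
        if n - 1 not in idset:  # n is the start of a run
            length = 1
            while n + length in idset:
                length += 1
            best = max(best, length)
    return best


def find_enumerators(log_text, min_run=5):
    """Map client -> run length for clients that requested at least
    min_run consecutive meeting IDs, whether or not the IDs existed."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            seen[m.group(1)].add(int(m.group(2)))
    runs = {c: longest_consecutive_run(ids) for c, ids in seen.items()}
    return {c: r for c, r in runs.items() if r >= min_run}


def new_meeting_id():
    """Unguessable identifier: 128 random bits, URL-safe, no ordering."""
    return secrets.token_urlsafe(16)
```

An unguessable ID only removes the enumeration path; access to meeting metadata still needs an authorization check.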
Zeit based its research on a discovery by security experts from the Netzbegrünung association.
“Many meeting titles were visible, some of which explicitly contained the classification ‘classified information – only for official use’ in the title,” the report stresses.
Netzbegrünung also criticizes the use of Cisco’s Webex platform, as there are open-source video conferencing alternatives with better privacy defaults.
“Cisco's failure towards its customers reinforces once again the poor reputation that Cisco already has in IT security circles. All engineers at Cisco who are likely to have worked on Webex are likely to be aware of the architectural problem of the enumerability of meeting IDs. But instead of solving the problem in its software or at least clearly warning customers about the problem, Cisco's marketing department is trying to sell another expensive and probably not very useful product with the buzzword ‘AI’ and the grandiose-sounding name Hypershield,” the report reads.
The Bundeswehr’s security practices came into question in March after Russian spies joined a Webex conference and recorded top German military officials discussing possible deliveries of Taurus cruise missiles to Ukraine.