Following the “Taurus leaks”, a green net-political organisation has discovered further vulnerabilities in the Bundeswehr’s Webex system and suggests open source video conferencing providers.
After Russian media published the “Taurus leaks” from a confidential Webex chat at the beginning of March, the German Ministry of Defence promised to do better. The gateway for the hackers of the telephone conference was an unprotected connection of a Bundeswehr general in Singapore, it was said at the time, which all employees should be made aware of. According to Defence Minister Boris Pistorius (Social Democratic Party, SPD), there were no personnel consequences for the time being.
A research by the green-affiliated association “Netzbegrünung” has now once again cast a negative light on the cyber capabilities of the Bundeswehr. According to the findings, more than 6000 links to previous and future Webex video meetings were until last week openly available on the Internet, many of which were classified as “confidential”. The titles, times and invitees of important meetings were visible – but the content was not. It was also reportedly not possible to dial in from outside.
The security vulnerability was first reported by “Zeit Online” editor Eva Wolfangel, who specialises in cyber security. According to her, the links to video meetings could be guessed by counting up or down, and the same applied to fixed personal meeting rooms. These were not protected by a password. For example, the journalist came across a meeting called “Review Milestone Plan Taurus and Finalisation” and also found the meeting room of the head of the German Air Force, Ingo Gerhartz. A meeting with Gerhartz and other high-ranking members of the Bundeswehr had been hacked during the “Taurus leaks” at the beginning of March.
Wolfangel writes that the Bundeswehr only became aware of the new security problem after enquiries from “Zeit” and completely disconnected the Webex system from the internet as a precaution. The “Cyber and Information Space” (CIR) command claims to have eliminated the “vulnerability” within 24 hours, according to an enquiry from the German Press Agency. According to “Zeit”, the Bundeswehr cannot rule out the possibility that confidential information has been leaked to unauthorised persons.
The Webex communication platform is provided by the US provider Cisco and is used by the German government, its security agencies and parliament. According to its own information, the Bundeswehr alone holds around 1,500 meetings on it every day. The military uses Webex as an on-premises solution, which can be installed on its own servers and operated in an internal network.
However, the use of a commercial US product would not even be necessary, criticises the “Netzbegrünung” association and refers to open source video conferencing solutions that practice extremely high data economy in the standard settings.
‘Zeit Online’ also claims to have found and ‘visited’ the personal Webex meeting rooms of Chancellor Olaf Scholz (SPD), Economics Minister Robert Habeck (Greens) and Finance Minister Christian Lindner ( Liberal Democrats, FDP). Following reports to the federal government’s IT security emergency team, the latter was closed then.
Published in German in „nd“.
Image: The Bundeswehr’s “Cyber and Information Space” command in a virtual meeting (CIR).
Leave a Reply