An investigation has uncovered that thousands of confidential Bundeswehr video conference links were publicly accessible because their URLs were predictable.
The Bundeswehr closed this security flaw within 24 hours of learning of it, but its practice of not deleting old recordings persisted, posing an ongoing risk.
What happened?
Zeit Online's investigation revealed that, as of last Friday, several thousand links to video conferences containing sensitive Bundeswehr details, many of them marked confidential, were accessible on the internet. The military confirmed that the vulnerability was rectified within a day of it becoming aware.
A military spokesperson assured AFP that unauthorized access to these video conferences was not feasible without the attendees being aware or without proper permissions. The Bundeswehr also had a practice of not routinely removing old video recordings. Metadata such as the timing, attendees, and subjects of meetings held via the Cisco Webex system were exposed to external parties for several months.
The report highlights that the meeting URLs were sequentially numbered and could therefore be predicted, exposing details about past and future sessions. It was also possible to compile datasets of email addresses from the system using identifiers such as first and last names.
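The core weakness described above is that a sequential meeting number lets an outsider walk from one meeting to the next. The following added example (not code from the report, Zeit Online or Cisco) shows how a defender can spot that pattern in ordinary web-server access logs, and what an unpredictable identifier looks like instead. The `/meet/<id>` path scheme and the log lines are constructed for illustration and assume a simple numeric-ID URL layout like the one the report describes.

```python
import re
import secrets
from collections import defaultdict

# Constructed sample access-log lines (no real Bundeswehr or Webex data).
# The hypothetical /meet/<number> path models a sequentially numbered meeting URL.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Apr/2024:10:00:01 +0000] "GET /meet/100231 HTTP/1.1" 200 512
198.51.100.4 - - [12/Apr/2024:10:00:02 +0000] "GET /meet/100517 HTTP/1.1" 200 498
203.0.113.7 - - [12/Apr/2024:10:00:02 +0000] "GET /meet/100232 HTTP/1.1" 200 507
203.0.113.7 - - [12/Apr/2024:10:00:03 +0000] "GET /meet/100233 HTTP/1.1" 404 120
203.0.113.7 - - [12/Apr/2024:10:00:03 +0000] "GET /meet/100234 HTTP/1.1" 200 511
203.0.113.7 - - [12/Apr/2024:10:00:04 +0000] "GET /meet/100235 HTTP/1.1" 200 509
198.51.100.4 - - [12/Apr/2024:10:05:00 +0000] "GET /meet/100518 HTTP/1.1" 200 480
"""

LOG_RE = re.compile(r'^(\S+) .*?"GET /meet/(\d+) ')


def parse_requests(log_text):
    """Return {client_ip: [meeting ids in request order]} from combined-format log lines."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            by_client[m.group(1)].append(int(m.group(2)))
    return by_client


def longest_sequential_run(ids):
    """Length of the longest run in which each id equals the previous id plus one."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumerators(log_text, min_run=4):
    """Clients whose requests step through consecutive meeting ids: the signature of URL guessing.
    Legitimate users open one or two meetings; a walk over adjacent ids is worth an alert."""
    return sorted(ip for ip, ids in parse_requests(log_text).items()
                  if longest_sequential_run(ids) >= min_run)


def unpredictable_meeting_id():
    """What a meeting identifier should be instead: 128 bits from a CSPRNG, so
    knowing one meeting's URL reveals nothing about any other meeting's URL."""
    return secrets.token_urlsafe(16)
```

Run against `SAMPLE_LOG`, `flag_enumerators` reports only `203.0.113.7`, which requested five adjacent ids in a few seconds, while the client that opened two meetings five minutes apart is not flagged.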
The telephone dial-in options offered for the conferences introduced further weaknesses, since they provided neither encryption nor robust identification of participants. Zeit Online's research was prompted by findings from security experts at the Netzbegrünung association. Netzbegrünung has voiced concern over the reliance on Cisco's Webex platform, pointing out that alternative open-source video conferencing tools offer stronger privacy settings by default.
The report also underscores Cisco's ongoing IT security problems, which have damaged its reputation. Cisco engineers familiar with the Webex system were most likely aware of the fundamental issue of predictable meeting IDs. Yet rather than fixing this flaw in the software or informing customers about the vulnerability, Cisco's marketing appears focused on promoting a new, costly product named Hypershield, touted with AI claims that are appealing but questionable. This approach seems to prioritize sales over genuine security solutions.
Featured image credit: Blake Connally/Unsplash