
Bundeswehr scandal: How secure are Webex conferences?

Russian authorities listened in as Bundeswehr officers discussed the use of weapons in Ukraine via Webex video conference. Is the software safe or were the soldiers using the program incorrectly?

It was a first for political Berlin: On April 22, 2020, due to the Corona restrictions, a committee met completely digitally for the first time in the history of the Bundestag. For this purpose, the Bundestag administration quickly procured the Webex video conferencing solution from the US network specialist Cisco so that the members of the digital committee could at least meet virtually. Since then, not only the Bundestag but all federal authorities, including the Bundeswehr, have relied on Webex. Now it is at the center of the Air Force wiretapping scandal.

Webex: Not without controversy despite BSI approval

The Federal Office for Information Security (BSI) had already enabled the Cisco solution to be used in the federal government in 2019 with a so-called C5 certificate. In the Cloud Computing Requirements Catalog (Cloud Computing Compliance Controls Catalog, C5 for short), the BSI specifies which requirements cloud providers should meet to ensure a high level of security. Despite the BSI certification, Cisco’s communications solution was not without controversy. However, security, which is now in focus with the Air Force wiretapping scandal, was generally not questioned. Confidentiality appeared to be guaranteed by end-to-end encryption. With this process, the communication content is encrypted on the end devices and only decrypted again on the other participants’ end devices. Even Cisco cannot decrypt this content. Rather, there was controversy as to whether the provisions of the European General Data Protection Regulation (GDPR) were being complied with because data could be transferred to the USA during Webex operations.

Wiretapping scandal: Was Webex used too carelessly?

In October 2022, however, the then Lower Saxony state data protection officer Barbara Thiel pointed out that video conferencing solutions not only had to be data protection compliant, but also secure. “Without IT security, the goals of data protection cannot be achieved, as IT security covers some of the essential protection goals of data protection.” How secure a video conferencing solution is depends directly on how it is used. Video calls with Cisco Webex are encrypted, but this encryption must also be activated. In addition, the protection no longer applies if participants do not join via the Webex app but instead dial in over a normal telephone connection. A high-ranking soldier is said to have joined the intercepted conversation between the Air Force officers from a hotel in Singapore.

Why wasn’t the eavesdropping attack noticed?

The workflow used to set up a conference via Webex Meetings is also a security weak point: only the so-called host needs to be logged in to the service. All other participants can simply join via a link. If this link is sent in an unencrypted email, for example, the door is wide open. Even so, Air Force Inspector Ingo Gerhartz and the other participants should have noticed that a stranger was virtually sitting at the table. It is also conceivable, however, that Webex was not the weak point at all, but that classic eavesdropping methods such as bugging the hotel room led to the explosive content falling into the hands of the Russian secret services.

Bundeswehr: Is there a lack of security expertise?

Of the federal institutions, the Bundeswehr would actually be best equipped to identify and close vulnerabilities in IT security. According to a response from the federal government to a parliamentary question from left-wing MP Anke Domscheit-Berg, the federal government currently has 4,575 IT security positions, one in three of which are in the defense sector. “But the incident also shows that we still have to reduce the deficit in IT security competence. At all hierarchical levels. And not just in the Bundeswehr, but in all other authorities,” Domscheit-Berg told the dpa. One must be aware of the danger that a war could also be waged at the information level. “That’s why you don’t just have to keep talking about tanks, but also about information security.” (With material from dpa.)


By Peter Hughes
