Bundeswehr suspends use of Webex for external communication

At the weekend, it became known that Webex conferences of the German Armed Forces were accessible. Webex has now been blocked for external communication.

Stylized image: two soldiers holding a web conference. "Cisco Webex" appears in the background.

Cisco Webex web conferences of the German Armed Forces were viewable.

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

After it became known last weekend that Bundeswehr Webex conferences had been accessible for months, the Federal Ministry of Defense pulled the emergency brake. The use of Cisco Webex conference software is blocked for external communication for the time being.

A spokesperson for the Cyber and Information Space Command (CIR) responded to an inquiry from heise online and provided further information on the latest incidents. He confirmed that by means of enumeration, i.e. going through a known numbering scheme, unauthorized persons could access the names of the invitees, the topics of conversation and the times of the meetings. The waiting rooms in front of the meeting rooms were open to the public, but the room owners had to actively admit anyone waiting into the conference. The known vulnerability did not make unnoticed or unauthorized participation in video conferences possible.

The CIR was informed of the new vulnerability on April 29. It concerns the standard configuration of the Cisco software: the personal, but not private, meeting rooms "outside the actual conference environment are created by the system when the user registers and are a feature of the product implemented by the company", explains the spokesperson. He adds: "Even when using 'Commercial Off The Shelf' products, which are considered secure, it cannot be ruled out that additional security measures will have to be taken afterwards." In this case, checking the Webex settings was apparently neglected.

The current solution is: "The use of Webex software will remain blocked for external communication at least until further analysis has been completed and additional protection mechanisms have been established." The Federal Ministry of Defense has its own network in which "Webex can continue to be fully used for internal communication".

The potentially leaked communication metadata, from which email addresses, for example, can easily be derived, is likely to increase the risk of targeted spear phishing. The CIR spokesperson explains that "members of the Bundeswehr are regularly sensitized with training courses and campaigns. One of these campaigns, for example, is Phishing as a Service, with which CIR informs its employees about the dangers by means of innocuous, specially forged emails". Furthermore, there are numerous technical protective measures in place; important military IT systems cannot be accessed from the internet, for example. "The Bundeswehr will once again take the current incident as an opportunity to sensitize employees to spear phishing in particular," the spokesperson continued.

When asked whether the Bundeswehr will now turn away from Cisco Webex, the spokesperson replied: "The product portfolio in use is constantly being evaluated and adjusted if necessary". "In the area of use with external participants, we are in discussions with the manufacturer," he continues. However, replacing it with BwMessenger, for example, is out of the question: "BwMessenger is very good for its purposes, but does not have the range of functions that Webex has and is therefore not an alternative".

(dmk)