Bundeswehr Webex conferences were accessible for months

There was a security vulnerability in the Bundeswehr's Webex instance, which has been closed according to the cyber force CIR. The incident is serious.


The use of Webex by the German Armed Forces is now likely to once again concern the military counterintelligence service MAD.

(Image: dpa, Oliver Berg/dpa)

By Nico Ernst
This article was originally published in German and has been automatically translated.

For months, the dates, participants and topics of Bundeswehr conferences planned via the Cisco Webex system were openly available on the internet. This was reported by Zeit Online, which investigated the case together with the Netzbegrünung association.

A spokesperson for the cyber and information space force confirmed on Saturday, when asked by Deutsche Presse-Agentur, that there had been a "vulnerability" during the week, but that it had been rectified within 24 hours. Previously, metadata such as times and participants had been accessible via the Webex communication platform. However, it was not possible to dial in or access confidential content.

Although this sounds quite harmless in the agency report, it is not, according to Die Zeit. The gap is said to have existed for months, and the meetings were numbered consecutively, so the corresponding URLs could apparently be guessed. Over 6000 appointments were available. In addition, the topics of the conferences alone constituted confidential information about the troops, which was publicly accessible and therefore a perfect target for spies.

According to Zeit, there was a meeting on 25 April with the subject "Review Taurus milestone plan and finalization" as well as other conferences that were also classified as "Classified information - for official use only" (VS-NfD). According to Federal Minister of Defense Oscar in March 2023, this is also permitted for Webex discussions. Higher classifications such as "Secret" may not be used via Webex.

The appointments could be tracked until the beginning of November 2023. The fixed meeting rooms of some officers were also visible, such as that of the Air Force Chief of Staff, Lieutenant General Ingo Gerhartz. He was one of the participants in the Webex conversation leaked by Russian actors in March on the possible deployment of the Taurus cruise missile in Ukraine. As Netzbegrünung explains, identifiers such as first name.surname could also potentially be used to create "complete or almost complete email data sets". What's more, Die Zeit was also able to enter Gerhartz's meeting room, according to its own account.

This apparently careless use of Webex by the Bundeswehr also raises new questions, which those responsible had wanted to clear up quickly after the Taurus leak. At the time, Pistorius emphasized that the troops were using a "Webex for Bundeswehr" that was operated on their own systems. However, if these computers, operated on the Bundeswehr's own networks, serve publicly accessible web pages, none of this is of any use.

(nie)