Bundeswehr scandal: How secure are Webex conferences?


background

As of: March 4, 2024, 2:07 p.m.

The Bundeswehr officers who were intercepted used the Webex cloud service at their conference. How secure is the system? What back doors are there? Or could it be individual misconduct?

It was a first for political Berlin: On April 22, 2020, due to the Corona restrictions, a committee met completely digitally for the first time in the history of the Bundestag. For this purpose, the Bundestag administration quickly procured the Webex video conferencing solution from the US network specialist Cisco so that the members of the digital committee could at least meet virtually.

Since then, not only the Bundestag has relied on Webex, but also all federal authorities, including the Bundeswehr. Now it is at the center of the Air Force wiretapping scandal.

BSI certifies that Webex is sufficiently secure

The Federal Office for Information Security (BSI) had already cleared the Cisco solution for use in the federal government in 2019. In its “Cloud Computing” requirements catalog, the BSI specifies which requirements cloud providers should meet to ensure a high level of security.

Despite the BSI certification, Cisco’s communications solution was not without controversy. However, security, which is now in focus with the Air Force wiretapping scandal, was generally not questioned. Confidentiality appeared to be guaranteed by end-to-end encryption. With this process, the communication content is encrypted on the end devices and only decrypted again on the other participants’ end devices. Even Cisco cannot decrypt this content.

Rather, there was controversy as to whether the provisions of the European General Data Protection Regulation (GDPR) were being complied with because data could be transferred to the USA during Webex operations.

Several possible entry points

How secure a video conferencing solution is depends directly on how it is used. Video calls with Cisco Webex are encrypted, but this encryption must also be activated. In addition, the protection no longer applies if participants do not join via the Webex app but instead dial in over a normal telephone connection. A high-ranking soldier is said to have joined the intercepted conversation between the Air Force officers from a hotel in Singapore.

The workflow used to set up a conference via Webex Meetings is also a security weak point: only the so-called host needs to be logged in to the service. All other participants can simply join via a link. If this link is sent in an unencrypted email, for example, the door is wide open. However, Air Force Inspector Ingo Gerhartz and the other participants should have noticed that a stranger was virtually sitting at the table.

It is also possible that the hotel room could be bugged

However, it is also conceivable that Webex was not the weak point at all, but that classic eavesdropping methods such as bugging the hotel room led to the explosive content falling into the hands of the Russian secret services. Of the federal institutions, the Bundeswehr would actually be best equipped to identify and close vulnerabilities in IT security: According to a response from the federal government to a parliamentary question from left-wing MP Anke Domscheit-Berg, the federal government currently has 4,575 IT security positions, one in three of which are in the defense sector.

“But the incident also shows that we still have to reduce the deficit in IT security competence. At all hierarchical levels. And not just in the Bundeswehr, but in all other authorities,” Domscheit-Berg told the dpa news agency. One must be aware of the danger that a war could also be waged at the information level. “That’s why you don’t just have to keep talking about tanks, but also about information security.”

Source: dpa
