[German] Webex, the communication software from Cisco, has had a security flaw. Research by journalists at the German newspaper Die Zeit revealed that the software has more vulnerabilities than the developer Cisco has publicly confirmed. According to the Zeit research by Eva Wolfangel, "thousands of video conferences from ministries" were found to be publicly accessible, and she joined some of these meeting rooms. The issue, which I already touched on in my German blog in the context of the Bundeswehr Taurus wiretapping affair, is thus expanding significantly and developing into a worst-case scenario for German authorities.
What is Webex?
Webex is the name of a web and video conferencing software distributed by the US company Cisco. The software is used by many authorities, ministries and companies. Cisco Webex currently sees itself as the leading corporate solution for video and web conferencing. It is advertised as a secure software-based platform for video and audio conferences, group messaging and webinars. Participants can take part in conferences (meetings) via all browsers, devices and systems by simply accepting a call.
The first Webex incident
However, I have noticed Webex more often in the past due to its vulnerabilities, regardless of what the manufacturer says about a "secure software-based platform". In this German article, netzbegrünung pointed out that the use of closed-source conferencing software such as Webex by authorities and the German Armed Forces is problematic. Nobody knows the code and the fact that the conferences run on servers from US providers may also be a problem – especially when it comes to matters relating to the German armed forces or ministries.
Netzbegrünung then discovered that Cisco's Webex conference system assigns its assignment numbers to meeting instances in ascending numerical order. Anyone who knows the assignment number of a reasonably recent Webex conference can therefore guess the assignment numbers of further conferences.
In this way, information about upcoming or past meetings is disclosed. netzbegrünung writes here that the title of the meeting, the name of the person who created the meeting, the telephone dial-in data, the time of the meeting and other details are publicly available, unless the user has configured otherwise.
Hundreds of thousands of meetings affected
Zeit Online then investigated further and found that hundreds of thousands of Webex meetings from public authorities and companies in Germany, the Netherlands, Italy, Austria, France, Switzerland, Ireland and Denmark were potentially publicly accessible. The same mechanism as described above was probably used to identify the meetings and dial into them at random.
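To make the weakness behind both the netzbegrünung finding and the Zeit Online research concrete from the defender's side, here is an added example. It is constructed code for this post, not Cisco's, Webex's or netzbegrünung's implementation, and the meeting numbers, IP addresses and log format are invented. It contrasts an ascending meeting-number scheme with unguessable random IDs, quantifies how often a blind lookup hits a live meeting under each, and shows the kind of access-log check a conferencing service could run to notice somebody walking an ascending number space.

```python
"""Added example (constructed, not Cisco's, Webex's or netzbegruenung's code):
why ascending meeting numbers are guessable, and how a conferencing service
could spot somebody walking the number space in its own access logs."""
import secrets
from collections import defaultdict


class SequentialMeetingNumbers:
    """Weak scheme, as described for Webex: each new meeting gets the next
    integer. One known recent number locates all of its neighbours."""

    def __init__(self, start: int = 100_000) -> None:
        self._next = start

    def create(self) -> int:
        number = self._next
        self._next += 1
        return number


def random_meeting_id(nbytes: int = 16) -> str:
    """Hardened alternative: 128 bits from the OS CSPRNG. No ID reveals
    anything about any other, and 2**128 is far too large to walk blindly."""
    return secrets.token_urlsafe(nbytes)


def hit_probability(live_meetings: int, id_space: int) -> float:
    """Chance that a single blind lookup lands on an existing meeting."""
    return live_meetings / id_space


# --- Detecting enumeration in access logs (constructed sample lines) ---
# Format: <timestamp> <client_ip> meeting=<number> result=found|not_found
SAMPLE_LOG = """\
2024-05-02T09:00:01Z 198.51.100.7 meeting=100123 result=found
2024-05-02T09:00:02Z 203.0.113.5 meeting=100123 result=found
2024-05-02T09:00:02Z 198.51.100.7 meeting=100124 result=not_found
2024-05-02T09:00:03Z 198.51.100.7 meeting=100125 result=not_found
2024-05-02T09:00:04Z 192.0.2.44 meeting=100126 result=found
2024-05-02T09:00:04Z 198.51.100.7 meeting=100126 result=found
2024-05-02T09:00:05Z 198.51.100.7 meeting=100127 result=not_found
2024-05-02T09:00:06Z 198.51.100.7 meeting=100128 result=not_found
2024-05-02T09:00:07Z 192.0.2.44 meeting=104402 result=found
2024-05-02T09:00:07Z 198.51.100.7 meeting=100129 result=not_found
2024-05-02T09:00:08Z 198.51.100.7 meeting=100130 result=found
2024-05-02T09:00:09Z 203.0.113.5 meeting=100126 result=found
2024-05-02T09:00:10Z 192.0.2.44 meeting=100130 result=found
2024-05-02T09:00:11Z 192.0.2.44 meeting=100126 result=found
2024-05-02T09:00:12Z 192.0.2.44 meeting=101977 result=found
"""


def parse_log(text: str) -> list:
    """Turn the constructed log lines into (timestamp, client, meeting, result)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append((ts, client, int(fields["meeting"]), fields["result"]))
    return events


def flag_enumeration(events, min_requests=5, max_step=3,
                     min_sequential_ratio=0.8, min_not_found_ratio=0.5):
    """Flag clients whose requested meeting numbers move in small steps and
    mostly miss: that is what walking an ascending number space looks like,
    and what a participant joining a handful of real meetings does not."""
    per_client = defaultdict(list)
    for _ts, client, meeting, result in events:
        per_client[client].append((meeting, result))

    flagged = {}
    for client, requests in per_client.items():
        if len(requests) < min_requests:
            continue  # too few lookups to judge
        numbers = [m for m, _ in requests]
        steps = [abs(b - a) for a, b in zip(numbers, numbers[1:])]
        sequential = sum(1 for s in steps if 0 < s <= max_step) / len(steps)
        not_found = sum(1 for _, r in requests if r == "not_found") / len(requests)
        if sequential >= min_sequential_ratio and not_found >= min_not_found_ratio:
            flagged[client] = {
                "requests": len(requests),
                "sequential_ratio": round(sequential, 2),
                "not_found_ratio": round(not_found, 2),
                "range": (min(numbers), max(numbers)),
            }
    return flagged


if __name__ == "__main__":
    seq = SequentialMeetingNumbers()
    print("sequential numbers:", [seq.create() for _ in range(3)])
    print("random id:", random_meeting_id())
    print("hit chance, 1000 live meetings in a 10,000-number window:",
          hit_probability(1000, 10_000))
    print("hit chance, 1000 live meetings in a 128-bit space:",
          hit_probability(1000, 2 ** 128))
    print("flagged:", flag_enumeration(parse_log(SAMPLE_LOG)))
```

The numbers make the point: with 1,000 live meetings inside a 10,000-number window, one in ten blind lookups hits a real meeting, whereas the same 1,000 meetings spread over a 128-bit space give a hit chance that is effectively zero. The log check is deliberately conservative (several requests, almost all in steps of at most three, at least half of them misses), so the scattered lookups of an ordinary participant are not flagged; a real deployment would tune the thresholds and require a password or a host-admitted lobby rather than relying on the number alone.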
Zeit Online published the results of the research in the article "Webex: Mithören, wenn Beamte sprechen" (unfortunately behind a paywall) and describes how it was possible to dial into the so-called "daily" meetings of the Federal Office for Migration and Refugees (BAMF) and a meeting at the Barmer health insurance company. Participation was possible via a link with an assignment number and did not require a password.
After Eva Wolfangel informed the provider Cisco, Cisco closed the vulnerability at the end of May 2024. Apart from the Zeit research, this vulnerability has not yet been exploited, writes German magazine heise in this article, which summarizes the findings from the Zeit Online article.