A meeting on working conditions at the Ministry of Security and Justice, a consultation on crisis management organized by Minister Dilan Yeşilgöz-Zegerius or a consultation with the director general of the IND: German ethical hackers could easily consult the meeting agenda of the central government thanks to a vulnerability in the Webex meeting software.
German researchers collected information on some ten thousand Dutch meetings. They announced their conclusions in order to close the leaks in question, as has already happened.
About the Author
Frank Rensen is a science journalist and writes for by Volkskrant about technology, from cybersecurity and legislation to gaming and cryptocurrencies.
Researchers found the leak in Webex meeting software, widely used by governments and companies around the world. They even demonstrated that German meetings could be listened to, according to a publication in Time. The leak has now been closed, but it is unknown to what extent it has been abused in the Netherlands.
“It seems unacceptable to me that this has happened and that these vulnerabilities in the central government have reached us through the German media, rather than through the provider,” writes the outgoing Secretary of State for Digitalisation, Alexandra van Huffelen. (D66), in a letter to Parliament. about the leak.
Russian intelligence may also have abused the vulnerability in Webex in late February to eavesdrop on a meeting of high-ranking German soldiers regarding the deployment of Taurus missiles in Ukraine. This was possible by calling over the phone during Webex meetings. This method of joining a meeting was not password protected.
Van Huffelen writes that “given the way the Dutch government’s video environment is set up,” it is unlikely that outsiders will also be able to log in to video conferences here. She is launching an investigation to determine whether “data such as meeting passwords or the content of meetings, chats or shared files have been revealing.”
Webex is a program from the American company Cisco. Leaks have also been found in Italy, Austria, France, Switzerland, Ireland and Denmark. Although Cisco advertises it as a secure program, it is easy to guess meeting web addresses and gather information about them.
Ten thousand meetings
German ethical hackers were able to obtain information about more than ten thousand Webex meetings from the Dutch government. Screenshots of descriptions of these meetings have been viewed by by Volkskrant. This shows what time a meeting starts, how long it lasts, and who created it. This also applies to meetings organized by Ministers Yeşilgöz-Zegerius, Weerwind and State Secretary Van Huffelen.
In Germany, researchers were able to connect to German meetings and listen in without being noticed. They haven’t tested it in the Netherlands. Dial-up access no longer appears possible, but it used to be an option, says a source with knowledge of Webex use in the government. Therefore, it cannot be ruled out that foreign intelligence services attended the meetings unseen. “Especially when there are many participants in a meeting, you don’t notice when a stranger calls,” the source says.
Since the leak has now been closed, “this incident currently has no consequences for the central government’s use of Webex,” writes the Ministry of the Interior in a press release. The ministry asked Cisco for clarification and summoned him to the ministry at short notice. The government does not use Webex for inquiries about confidential and other “extremely sensitive” information, the ministry reports.
Cisco said in a statement: “Our investigation is ongoing and we will provide updates as necessary through our usual channels.” “We value and appreciate collaboration with the broader security research community and consider this relationship essential to protecting our customers’ networks.”