After the Bundeswehr Leak and the explanation of the Minister of Defense – some more questions …

Today I heard the explanation of the German Minister of Defense regarding the probable cause of the leak of last Friday. What I understood was:

  • WebEx is hosted in a special variant (WebEx BWI) on servers of the Bundeswehr.
  • Clear rules are in place, but were not followed. One participant attended the WebEx session via telephone.
  • Systems were not compromised.

Are these explanations sufficient? Do they cover all concerns described in my previous post
“Some simple questions after the Bundeswehr Leak …”
on this topic?

In my opinion some questions remained open:

  • Why and by whom was the WebEx session set up such that a participant could access it via telephone at all? With a zero-trust and MLS-based session this should have been excluded …
  • Did the participants get an invitation with an option that offered an access to the session via telephone? If yes: Who sent this information via which channels? Is it excluded that already the invitation was accessible to foreign powers?
  • Why did nobody check by which devices and communication channels the participants were attending the session? At the beginning and during the session? Why did a log- and intrusion system not react?
  • Why did none of the other participants react to the fact that the poor guy in Singapore talked over telephone? Despite the clear rules in place …
  • How did the eavesdropping happen? Were the telephone lines of the hotel tapped? Or did the participant use a wireless headset with Bluetooth?

So, if it was a human failure it may have happened due to mistakes and unawareness on multiple sides – on the side of IT-administrators responsible for the session setup, on the side of the person which sent the respective invitation, on the side of the participant who did not use a BWI- or SINA-device to access the session.

Well, and I would say that when a session running through servers of the Bundeswehr was overheard by Russia, at least the session was compromised. And if someone can access an audio-session, which is enabled by and via a Bundeswehr server and which is intended to be secure, via an open telephone line then something is severely wrong in the overall security measures.

So, my dear Minister, as a concerned citizen I still do not sleep well. More explanations have to follow …