The German Federal Office for Information Security (BSI) issued a vulnerability report (German only) for Webex on June 10, 2024. The IT threat level was classified as "2 / Yellow". This is defined as an "IT threat situation with increased observation of anomalies with temporary impairment of regular operations."
The vulnerability made it possible to access meeting metadata and to identify further meetings. In particular, meetings that were not password-protected could be accessed without authorization.
Cisco reports in its statement that the underlying vulnerability was already closed on May 28, 2024.
According to Cisco, the affected customers have been informed. However, the BSI still recommends deleting and recreating meetings that were scheduled before May 28, 2024, especially recurring meetings.
Webex at the RWTH
As IT security is a very high priority for RWTH, the issue is taken very seriously both by the IT Center as a whole and by the relevant specialist department.
Following discussions with the manufacturer Cisco and our own intensive review, we were able to establish that RWTH and its Webex users are not affected by the security incidents. The necessary security precautions had already been implemented at RWTH before Webex was introduced.
Webex generally offers a very high level of security and data protection for meetings and chats. All meetings, calls and chat messages between Webex clients, as well as calls to and between RWTH telephones, are encrypted. This means that telephone calls via the RWTH telephone system using Webex softphones or desk phones are also encrypted and are routed exclusively over RWTH infrastructure.
To increase the level of security, the key management for all RWTH Webex participants is also operated locally on servers in RWTH data centers.
Particularly Confidential Conversations
If you want to hold particularly confidential conversations via Webex, please create a Webex meeting of the type "Private Meeting".
In this case, voice and video data from this meeting will only be distributed via resources in RWTH data centers. The following restrictions apply:
- Only RWTH members registered in Webex can participate.
- The meeting can only be attended with the Webex app.
- All end devices must be connected to the RWTH data network. This is also possible via VPN, for example from the home office.
Risks
In the following situations, there is a possibility that the implemented security mechanisms can be circumvented:
1. The host allows dial-in to their meeting via the public telephone network.
Since all telephone calls in the public telephone network, i.e. landline and mobile networks, are usually transported unencrypted, attackers could listen in on the connection. We recommend not allowing dial-in via the public telephone network by selecting the meeting type "Private Meeting".
2. The dial-in data for a meeting has become known to strangers, allowing unknown persons to attend the meeting.
As the host, check the list of participants in the meeting. If necessary, remove unknown participants. Lock the meeting in the meeting menu so that new participant requests are held in a lobby.
3. The end device has been compromised by a third party.
In this case, there is a high security risk for all communication via the device. Therefore, use end devices and operating systems that are maintained by the manufacturer. Use up-to-date software and virus scanners on your end devices.
4. There are third-party recording devices in the room.
If third-party recording devices are in the same room during a meeting, your communication can be overheard. Be aware of your surroundings and potential eavesdroppers.
Contact for Questions
If you have any further questions, please contact Nicole Wießner or Thomas Böttcher. Of course, the IT-ServiceDesk is also available as a point of contact.