War Dialing Video Conference Systems

DeepSec Conference
Mar 11, 2020

Do you remember the Golden Age of Wardialing? The idea back then was to try calling phone numbers and to see if a computer system answers. This method still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets really easy if all you need is a URL.

The Bavarian Ministry of the Interior uses a conference system that addresses rooms by URL. The scheme for finding a conference or a room is very easy to figure out. It uses https://video.top.url/path/roomnumber where path is a combination of a few letters and roomnumber consists of six digits. This gives you the address space of the virtual conference rooms. Physical rooms have their counterpart in the addressing scheme, and the system is configured to provide permanent discussion slots. The problem was that authentication was missing (the system now requires a PIN). The German IT magazine c’t discovered that it was easy to join existing conferences (article is in German) and to listen without being invited.
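As an added example (not from the original article or from c’t), here is one way the operator of such a system could spot enumeration of the six-digit room numbers in its web access logs. The log layout, the thresholds and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumed log layout: "<client> GET <path> <status>"; adapt the regex to your proxy.
# The path mirrors the scheme in the text: /<a few letters>/<six digits>.
LINE_RE = re.compile(r"^(\S+) GET /([A-Za-z]+)/(\d{6}) (\d{3})$")

def find_room_enumeration(lines, min_rooms=5, min_miss_ratio=0.6):
    """Return {client: (distinct_rooms, miss_ratio)} for clients that request
    many distinct room numbers and mostly get 401/403/404 answers."""
    rooms = defaultdict(set)
    requests = defaultdict(int)
    misses = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a room URL, ignore
        client, _path, room, status = m.groups()
        rooms[client].add(room)
        requests[client] += 1
        if status in ("401", "403", "404"):
            misses[client] += 1
    flagged = {}
    for client, seen in rooms.items():
        ratio = misses[client] / requests[client]
        if len(seen) >= min_rooms and ratio >= min_miss_ratio:
            flagged[client] = (len(seen), round(ratio, 2))
    return flagged

# Constructed sample lines (documentation IP ranges, made-up path and rooms).
SAMPLE_LOG = """\
198.51.100.20 GET /abc/482913 200
198.51.100.20 GET /abc/482913 200
203.0.113.7 GET /abc/100000 404
203.0.113.7 GET /abc/100001 404
203.0.113.7 GET /abc/100002 404
203.0.113.7 GET /abc/100003 200
203.0.113.7 GET /abc/100004 404
203.0.113.7 GET /abc/100005 404
198.51.100.31 GET /abc/771204 200
198.51.100.31 GET /abc/771205 404
""".splitlines()

if __name__ == "__main__":
    for client, (n, ratio) in find_room_enumeration(SAMPLE_LOG).items():
        print(f"{client}: {n} distinct rooms, {ratio:.0%} misses")
```

A regular participant returns to one or two rooms, so the distinct-room count combined with the miss ratio separates them from a client walking the address space; the same counters can feed a rate limit in front of the PIN prompt.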
