Do you remember the Golden Age of Wardialing? The idea back then was to call phone numbers and see whether a computer system answered. This method still works, because you can wardial any system with a suitable addressing scheme. VoIP wardialing is a lot easier, since you do not need a modem. You just need to send signalling messages. Video conferencing systems are no exception. They have to do signalling, too. Furthermore, participants of a meeting need to join and leave. For joining there must be a process that authenticates participants. Usually you get a conference identification number and maybe a PIN code. Other systems require an account, so that you have to log in first. Finding conference rooms gets really easy if you just need a URL.
The Bavarian Ministry of the Interior uses a conference system that addresses rooms by URL. The scheme for finding a conference or a room is very easy to figure out. It uses https://video.top.url/path/roomnumber, where path is a combination of a few letters and roomnumber consists of six digits. This gives you the address space of the virtual conference rooms. Physical rooms have their counterpart in the addressing scheme, and the system is configured to provide permanent discussion slots. The problem was that authentication was missing (the system now requires a PIN). The German IT magazine c’t discovered that it was easy to join existing conferences (article is in German) and to listen without being invited.
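A defender-side check for the room enumeration described above, as an added example that is not from the original article: it scans web access log lines for clients that request many distinct six-digit room numbers and mostly miss. The path `abc`, the 404 answer for unused rooms, the log format and the thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# URL layout from the article: /<a few letters>/<six digits>.
# The surrounding access-log format is an assumption (common/combined style).
ROOM_RE = re.compile(
    r'"GET /([A-Za-z]{1,8})/(\d{6})(?:[/?][^" ]*)? HTTP/[\d.]+" (\d{3})'
)

def find_room_scanners(log_lines, max_rooms=5, min_miss_ratio=0.5):
    """Return {client_ip: (distinct_rooms, miss_ratio)} for likely enumerators.

    A client is flagged when it touched more than max_rooms distinct room
    numbers and at least min_miss_ratio of its requests hit unused rooms
    (assumed to be answered with HTTP 404). Both thresholds are hypothetical.
    """
    rooms = defaultdict(set)
    total = defaultdict(int)
    misses = defaultdict(int)
    for line in log_lines:
        match = ROOM_RE.search(line)
        if not match:
            continue  # not a room URL, ignore
        ip = line.split(" ", 1)[0]
        _path, room, status = match.groups()
        rooms[ip].add(room)
        total[ip] += 1
        if status == "404":
            misses[ip] += 1
    flagged = {}
    for ip, seen in rooms.items():
        ratio = misses[ip] / total[ip]
        if len(seen) > max_rooms and ratio >= min_miss_ratio:
            flagged[ip] = (len(seen), round(ratio, 2))
    return flagged

def make_line(ip, room, status):
    """Build one constructed access-log line for the sample below."""
    return (f'{ip} - - [11/Mar/2020:10:00:00 +0000] '
            f'"GET /abc/{room:06d} HTTP/1.1" {status} 512')

# Constructed sample: one client walking consecutive room numbers,
# one invited participant reloading a single room.
SAMPLE_LOG = (
    [make_line("203.0.113.7", 100000 + i, 200 if i == 4 else 404) for i in range(10)]
    + [make_line("198.51.100.20", 482913, 200) for _ in range(3)]
)

if __name__ == "__main__":
    print(find_room_scanners(SAMPLE_LOG))
```

A participant who reloads one room never crosses the distinct-room threshold, so the check separates walking the address space from normal use.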
Due to the current coronavirus outbreak, many of us have to rely on remote conferencing systems and similar ways of communication. Even without wardialing or missing authentication, the PIN and conference codes are sensitive data. Some systems allow multiple joins of participants. Members of Anonymous used the credentials of a conference call to “intercept” a discussion between the Federal Bureau of Investigation (FBI) and Scotland Yard. So please be careful when sharing call appointments. Make sure you use a trusted communication channel. In turn, verify your call peers. Having video helps, but sometimes video information is not what it seems. Likewise, please be very careful when receiving links to conference calls. You might be lured into a fake call by a phishing campaign.
Originally published at https://blog.deepsec.net on March 11, 2020.