NSA "cracked" UN teleconferencing system - how safe is yours?

German investigative magazine Der Spiegel (The Mirror) has come up with yet another espionage-related allegation about the NSA.

The NSA, of course, is the National Security Agency, America's beleaguered SIGINT, or signals intelligence, organisation.

Der Spiegel claims, from its own evaluation of recently-leaked secret documents, that the NSA managed to crack the encryption of the UN's videoconferencing system:

The US secret intelligence agency NSA didn't just bug the European Union but also the headquarters of the United Nations. According to Der Spiegel's analysis, this is evident from NSA secret documents.

Der Spiegel explicitly quotes from the secret documents:

The data traffic gives us the internal videoconferencing system of the UN (yay!).

Sadly, that's about all Der Spiegel has to say, apart from noting that in the three weeks after the alleged crack was announced, the number of decryptions [die Zahl der entschlüsselten Kommunikationen] increased from 12 to 458.

There's no information about what Der Spiegel really means by "decrypted", or indeed if there was any genuine cryptographic breakthrough involved.

For all we know, the NSA's challenge might merely have been acquiring unencrypted video conferencing data, or intercepting login codes allowing it to join conferences and record them incognito.

I suspect that this is a genuine risk in many organisations.

Have you ever received one of those "please join this conference call" emails from a company that wants you to join a supposedly private call, by invitation only, from outside the company's own network?

Frequently, there is a long list of local phone numbers in numerous countries and cities, followed by a many-digit "joining code" you use to log in to the call.

Conference calls operated this way are, of course, ripe for eavesdropping, especially if there are numerous participants.

(Often, even the company's own staff will call out to the external telecommunications provider, using the same or a similar joining code to the one sent to you.)

When you host a teleconference of this sort, do you religiously keep track of how many callers have connected?

Are you even aware of how many "lurkers" you have: callers whose webcams are turned off, who didn't leave a name, and who have muted their own microphones?

You're unlikely to notice them unless you are carefully keeping track of everyone who joins and leaves the meeting.
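
As an added example (not from the original article), the roster check described above can be automated by replaying a conference bridge's join and leave events against the invite list. The event fields, caller IDs and sample data are constructed assumptions, not any conferencing vendor's log format.

```python
from collections import namedtuple

# Constructed event format (an assumption, not any vendor's log schema).
Event = namedtuple("Event", "time kind conn name caller camera_on muted")

def audit_roster(events, invited):
    """Replay join/leave events and report what the host should have noticed."""
    live = {}  # connection id -> join event for callers still connected
    report = {"peak": 0, "lurkers": set(), "uninvited": set(), "duplicates": set()}
    for ev in sorted(events, key=lambda e: e.time):
        if ev.kind == "leave":
            live.pop(ev.conn, None)
            continue
        # Same invited identity already connected: the joining code was probably shared.
        if ev.caller in invited and any(j.caller == ev.caller for j in live.values()):
            report["duplicates"].add(ev.caller)
        live[ev.conn] = ev
        report["peak"] = max(report["peak"], len(live))
        if ev.caller not in invited:
            report["uninvited"].add(ev.conn)
        # The article's "lurker": no name, webcam off, microphone muted.
        if not ev.name and not ev.camera_on and ev.muted:
            report["lurkers"].add(ev.conn)
    # More simultaneous connections than invitees means someone extra is on the call.
    report["over_capacity"] = report["peak"] > len(invited)
    return report

# Constructed sample: three invitees, five connections.
INVITED = {"+61-2-5550-0101", "+44-20-5550-0102", "+1-212-555-0103"}
SAMPLE = [
    Event(0, "join", "c1", "Alice", "+61-2-5550-0101", True, False),
    Event(5, "join", "c2", "Bob", "+44-20-5550-0102", True, False),
    Event(9, "join", "c3", "", "withheld", False, True),
    Event(12, "join", "c4", "Carol", "+1-212-555-0103", False, True),
    Event(20, "join", "c5", "Bob", "+44-20-5550-0102", False, True),
    Event(30, "leave", "c3", "", "withheld", False, True),
]

if __name__ == "__main__":
    for key, value in audit_roster(SAMPLE, INVITED).items():
        print(f"{key}: {value}")
```
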

After all, the whole idea of videoconferencing is to let people "meet" even though they can't conveniently get together.

In other words, even so-called internal teleconferences are often internal only inasmuch as the legitimate participants are supposed to be fellow-employees.

Indeed, in many cases, the reason for using a teleconference is to help those who are on the road or away from the office to connect remotely.

And no strength of encryption applied to the teleconference data stream itself is going to help you if unknown outsiders can intercept the joining codes you sent out by email in the first place.

Now...what was the name of that US intelligence agency again?

The one that's supposedly intercepting our emails on an industrial scale?

8 Responses to NSA "cracked" UN teleconferencing system - how safe is yours?

  1. tokkaali · 771 days ago

    As always, the human component is the weakest...
    This has and will be an issue as long as those carbon-based bipeds exist.

    • Trump · 767 days ago

      You can lock things down, implement a multi-layer security approach and train your employees all you want. All it takes is 1 individual to fall for a phishing attempt and the bad guys are in.

  2. MonicaC · 771 days ago

    I've noticed Der Spiegel tending to be a bit more dramatic than they ought to be. "Industrial-scale spying"...I like that!

  3. CEEA · 771 days ago

    Oh no. First they collect data from European Union and now UNO.
    Is there anything or any organization, which is safe and independent?!

  4. spryte · 771 days ago

    If you want convenience, have a conference call to discuss the weather.

    For anything more important, have a face to face meeting.

  5. Mo Raf · 771 days ago

    Firstly and most importantly the UN video conferencing is hosted on a virtual LAN over the WAN which means a tunneling protocol minimum. If the NSA broke the tunnel then it is very definitely decryption, otherwise they must have broken through the firewalls and got hold of unencrypted LAN data. I very much doubt that such attacks could have easily got past the UN firewalls without raising alarms and even trojanware would not have been able to speak from inside the firewall to the WAN unless it was an authorised executable. Most likely the VPN tunnel data was breached in the wild, this way the UN would never know it was going on. The only question is how to get the session keys, a one-time physical theft would be a great start.

  6. wam · 771 days ago

    The paranoia of the US will be a self-fulfilling prophecy. The world will stand up and say that is enough.

    The very fact that they try to police the internet says it all. An international public access facility is not within your remit USA. Go Home.

  7. Andrew · 732 days ago

    Does the US honestly believe it can spy on the UN and get away with it? I suggest the US thinks again as there will be a backlash from the UN or some other organisation bigger and more powerful than the NSA or the FBI, this applies to you too UK as we all know about GCHQ spying centre of the UK

    There are laws of privacy in the UK and they have to be adhered to. As for the US, shame on you!

About the author

Paul Ducklin is a passionate security proselytiser. (That's like an evangelist, but more so!) He lives and breathes computer security, and would be happy for you to do so, too. Paul won the inaugural AusCERT Director's Award for Individual Excellence in Computer Security in 2009. Follow him on Twitter: @duckblog