NSA “cracked” UN teleconferencing system – how safe is yours?

German investigative magazine Der Spiegel (The Mirror) has come up with yet another espionage-related allegation about the NSA.

The NSA, of course, is the National Security Agency, America’s beleaguered SIGINT, or signals intelligence, organisation.

Der Spiegel claims, from its own evaluation of recently-leaked secret documents, that the NSA managed to crack the encryption of the UN’s videoconferencing system:

The US secret intelligence agency NSA didn't just bug the European Union but also the headquarters of the United Nations. According to Der Spiegel's analysis, this is evident from NSA secret documents.

Der Spiegel explicitly quotes from the secret documents:

The data traffic gives us the internal videconferencing system of the UN (yay!).

Sadly, that’s about all Der Spiegel has to say, apart from noting that in the three weeks after the alleged crack was announced, the number of decryptions [die Zahl der entschlüsselten Kommunikationen] increased from 12 to 458.

There’s no information about what Der Spiegel really means by “decrypted”, or indeed if there was any genuine cryptographic breakthrough involved.

For all we know, the NSA’s challenge might merely have been acquiring unencrypted video conferencing data, or intercepting login codes allowing it to join conferences and record them incognito.

I suspect that this is a genuine risk in many organisations.

Have you ever received one of those “please join this conference call” emails from a company that wants you to join a supposedly private call, by invitation only, from outside the company’s own network?

Frequently, there is a long list of local phone numbers in numerous countries and cities, followed by a many-digit “joining code” you use to login to the call.

Conference calls operated this way are, of course, ripe for eavesdropping, especially if there are numerous participants.

(Often, even the company’s own staff will call out to the external telecommunications provider, using the same or a similar joining code to the one sent to you.)

When you host a teleconference of this sort, do you religiously keep track of how many callers have connected?

Are you even aware of how many “lurkers” you have: callers whose webcams are turned off, who didn’t leave a name, and who have muted their own microphones?

You’re unlikely to notice them unless you are carefully keeping track of everyone who joins and leaves the meeting.

After all, the whole idea of videoconferencing is to let people “meet” even though they can’t conveniently get together.

In other words, even so-called internal teleconferences are often internal only inasmuch as the legitimate participants are supposed to be fellow-employees.

Indeed, in many cases, the reason for using a teleconference is to help those who are on the road or away from the office to connect remotely.

And no strength of encryption applied to the teleconference data stream itself is going to help you if unknown outsiders can intercept the joining codes you sent out by email in the first place.

Now…what was the name of that US intelligence agency again?

The one that’s supposedly intercepting our emails on an industrial scale?

Image of a video conference courtesy of Shutterstock.