With Wikileaks founder Julian Assange anxiously awaiting word from the government of Ecuador on his request for political asylum, a security researcher warns that the country’s Ministry of Foreign Affairs, which is handling the Assange asylum request, is using a video conferencing system that is vulnerable to online snooping.
Ecuador’s Ministry of Foreign Affairs (MFA) relies on a video conferencing system that is accessible from the public Internet and doesn’t require a password to use, according to security researcher Dillon Beresford, who said he discovered the vulnerable conferencing system when searching online.
“Anyone in the world can access Ecuador’s MFA private conferencing system,” Beresford wrote in an e-mail to Threatpost on June 22 about the Sony PCS-G50 video conferencing system used by the Ministry. In a phone conversation with Threatpost, Beresford said that the system was apparently pushed into use with only default, factory settings. It was also deployed outside the Ministry’s firewall, meaning that it could be accessed by anyone and identified in an Internet scan looking for video conferencing systems.
Beresford said that, using only a Web browser, he could access an administrative interface for the Ministry of Foreign Affairs’ video conferencing server and peer into Ministry conference rooms. Beresford sent screen shots to back up his claim. They show a graphical interface for managing the conferencing system with a live feed from a conference room showing a whiteboard, a television, table and chairs. Beresford said he did not need to enter any credentials to access the administrative interface, but that he did not access the system when any meetings were taking place.
The scenario by which the Ecuadoran Ministry of Foreign Affairs video conferencing system was discovered appears identical to those of other video conferencing systems that security vendor Rapid7 discovered and reported by The New York Times in January. Organizations that use video conferencing systems often place them outside their firewall to make them easily accessible by other video conference system users. However, that also exposes them to prying.
E-mail messages and phone calls sent by Threatpost to the Ecuadoran Consulate in Washington D.C. and the Ministry of Foreign Affairs seeking comment were not returned prior to publication.
Beresford said that the vulnerable conferencing system could be used to spy on diplomatic meetings and to move to other systems used by the Ecuadoran government.
“Perhaps, if one were so inclined they could also dial in to other Ecuadorian embassies and conulates from this web based software (application) which allows outgoing calls to other web conferencing systems deployed at various Ecuadorian missions across the world,” he said. “Their video conferencing system is also in the same IP range as their mail server. Kinda bad if you ask me.”
The revelation of the security hole comes at a sensitive time for the Ecuadoran government and the Ministry of Foreign Affairs. Wikileaks founder Julian Assange sought refuge in the Ecuadoran embassy in London on June 20 and has been holed up there since, out of reach of law enforcement in the UK, which is seeking to arrest him for violations of his bail agreement, which was set after the eccentric activist turned himself in to UK authorities in December, 2010. Assange is worried that UK authorities will extradite him to Sweden to answer to charges of rape and sexual assault brought by two separate women. He alleges that the charges are politically motivated after Wikileaks, the Web site he founded and ran, released documents damaging to the U.S. government and its allies.
Assange’s gamble has led to high stakes diplomacy, with Ecuado’s ambassador to the UK, Anna Alban, returning to Quito over the weekend to brief the country’s president, Rafael Correa, on the situation. She will also hold a series of meetings at the Foreign Ministry during the visit, raising the seriousness of the vulnerable video system.
Beresford told Threatpost that he was probably not the first person to notice the Foreign Ministry video conferencing systems were publicly accessible, though he has no proof that any Ministry of Foreign Affairs conferences were spied upon. Still, finding and accessing the systems was a trivial matter for anyone who knew where to look.
“I guess they really are transparent in Ecuador!” he wrote.