Zoombombing The EU Foreign Affairs Council

Those with security clearance are capable of making foolish mistakes, just like the rest of us. Such is the story of how a Dutch journalist made an appearance on a video meeting of the European Union’s Foreign Affairs Council (Dutch language, Google Translate link).

Netherlands Defence Minister Ank Bijleveld’s Tweeted picture, with the access details blacked out by Daniël Verlaan.

Like any other video call, if you had the link you could enter the meeting. So when Netherlands Defence Minister Ank Bijleveld Tweeted a photo of a video call last Friday, the address bar of the browser gave away the secret to anyone with a keen eye. Dutch journalist Daniël Verlaan working for the broadcaster RTL saw the URL on the screen and deduced the login credentials for the meeting.

We say “deduced”, but in fact there were five of the six digits in the PIN in the clear in the URL, leaving him with the difficult task of performing a one-digit brute-force attack and joining with the username “admin”. He joined and revealed his presence, then was admonished for committing a criminal offence before he left.
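To make the defender's lesson concrete, here is an added example (not from the article or from the conferencing platform involved) that audits a join link for credential-bearing query parameters, redacts them before the link is logged or shared, and quantifies how little a lockout policy helps once most of a numeric PIN has already leaked. The URL, parameter names and the `SECRET_PARAM_HINTS` list are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Constructed list of query-parameter names that usually carry a secret.
SECRET_PARAM_HINTS = ("pin", "passcode", "password", "pwd", "token", "secret")

# Constructed sample join link; a real link should never carry the PIN at all.
SAMPLE_JOIN_URL = "https://meeting.example/join?meeting=fac-2020&pin=123456&user=admin"


def _is_secret_param(name):
    return any(hint in name.lower() for hint in SECRET_PARAM_HINTS)


def find_secret_params(url):
    """Names of query parameters in `url` that look like credentials."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in pairs if _is_secret_param(name)]


def redact_url(url, mask="REDACTED"):
    """Copy of `url` with credential-looking query values masked, safe to log, share or screenshot."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [(k, mask if _is_secret_param(k) else v) for k, v in pairs]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def residual_guesses(pin_length, digits_exposed, alphabet=10):
    """Candidate PINs left once `digits_exposed` of `pin_length` digits are known to an observer."""
    if not 0 <= digits_exposed <= pin_length:
        raise ValueError("digits_exposed must lie between 0 and pin_length")
    return alphabet ** (pin_length - digits_exposed)


def lockout_blocks_guesser(remaining, attempts_before_lockout):
    """Probability a lockout after N failed attempts stops a guesser, for a uniformly random PIN."""
    return 1 - min(attempts_before_lockout, remaining) / remaining


if __name__ == "__main__":
    print(find_secret_params(SAMPLE_JOIN_URL))   # ['pin']
    print(redact_url(SAMPLE_JOIN_URL))
    # Five of six digits visible in a photo leaves ten candidates; a three-strike
    # lockout then stops only 70% of guessers, so the PIN must stay out of the URL.
    left = residual_guesses(6, 5)
    print(left, lockout_blocks_guesser(left, 3))
```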

On one level it’s an opportunity for a good laugh at the expense of the defence ministers, and we certainly wouldn’t want to be Ank Bijleveld or probably the EU’s online security people once the inevitable investigation into this gets under way. It seems scarcely credible that the secrecy on such a high-security meeting could have sat upon such a shaky foundation without for example some form of two-factor authentication using the kind of hardware available only to governments.

EU policy is decided not by individual ministries but by delicate round-table summits of all 27 countries. In a pandemic these have shifted to being half-online and half in-real-life, so this EU defence ministers’ meeting had the usual mosaic video feed of politicians and national flags. And one Zoom-bombing journalist.

33 thoughts on “Zoombombing The EU Foreign Affairs Council”

      1. – Yeah, the article doesn’t say Zoom, but titling the article ‘zoombombing’ kind of leads that way… Not Zoom-hosted – bigger fail seems to be “consilium video conferencing platform” putting pin/cred info right in the URL shown making this easy to do…

    1. In the Netherlands this might result in a 100 € fine for RTL for guessing a decimal digit and a thank-you letter from the minister herself for having pointed out the blatant IT security vulnerability, combined with a finely worded request to approach these matters more tactfully in future attacks to spare her the embarrassment.

  1. This time last year I’d never heard of Zoom, and now we have governments using it. Given that this isn’t the first Zoom conference we have seen being infiltrated, I do wonder what the attraction is. My suspicion is that it’s ease of use compared to other offerings.

    1. It’s not zoom, and if it was, the PIN wouldn’t have been exposed in the URL. This is probably the EU’s private “high” security video conferencing tool. Got to build something with £350m/week.

      1. “This is probably the EU’s private “high” security video conferencing tool. Got to build something with £350m/week.” That’s what I call enterprise software. Very expensive, closed source, bodged together, bad security, built on bullshit framework/language….

  2. I think that the irresponsible thing to do would have been not highlighting the error. Otherwise it could have been used by someone with a different agenda. So Zoombombing was really the easiest way to bring it to everyone’s notice, along with getting some free publicity.

  3. Did you notice the bookmarks?
    Either it’s a professional laptop and I’m afraid of the time spent watching movies during his job, or it’s his personal device and I’m quite sure that this is not a well secured one!
    A pity!

  4. >EU policy is decided not by individual ministries but by delicate round-table summits of all 27 countries.

    EU policy is not decided by summits, but by a commission of bureaucrats who are not elected but appointed to the task, who make the policy proposals and initiatives, which are then voted on by the council of national ministers and the parliament of representatives from each country.

    https://en.wikipedia.org/wiki/Institutions_of_the_European_Union#/media/File:Organs_of_the_European_Union.svg

    This is the usual way a government works: career bureaucrats do the actual policy, and populist politicians vote yay/nay depending on which option benefits them personally. In the normal case, the bureaucrats can expect the representatives to simply act as rubber stamps, because despite their disagreements about the policy, there’s still a 50/50 chance it will pass anyways.

  5. “…without for example some form of two-factor authentication using the kind of hardware available only to governments”

    It’s a little depressing to see this kind of comment on hackaday – secure 2 factor is mathematics and convenience, not top-secret hardware, and far more likely to be actually used if it is simple and convenient, such as a mobile phone based system

  6. What if he were to have joined without a camera and microphone and just put in some believable name? He could have simply sat there and recorded everything and for who knows how long? This is cool!
