A German hacker collective has exposed police use of potentially illegal spying software in at least five German states. Did the German government sanction hacking into its own citizens' computers?
On October 8, the Berlin hacker collective known as the Chaos Computer Club (CCC) announced that they had analysed a piece of spying software they believed had been written by the German government. Once installed on a computer, the software had the ability to quietly listen to conversations on Skype, log keystrokes and remotely switch on the computer’s webcam. It would then report this data back to servers, two of which have been identified – one located in the US and the other in Germany. It is not yet clear who the servers belonged to. Now regional police in five German states have admitted to using the software.
The CCC was made aware of the trojan, known as R2D2, when a German lawyer gave them the computer of a client being investigated on suspicion of drug-related offences. They discovered the R2D2 trojan after recovering deleted files. The software had allegedly been installed onto the computer as it passed through customs control at Munich Airport.
The CCC believed that it had found an example of a “Bundestrojaner” (government trojan), which from 2007 had been used by law enforcement agencies to conduct online searches of suspects. In 2008 a ruling by the German Constitutional Court restricted the use of these “government trojans” to cases where human lives or state property were in danger, and only after permission had been granted by a judge.
To get around these restrictions on online searches, the CCC maintains that the German government used a different term for the spy software, “Quellen-TKÜ” or “source wiretapping”. This means listening to conversations at the source (on Skype, for example) so that the data is captured before the person can encrypt it.
If the CCC’s findings are correct, the R2D2 trojan appears to contravene the 2008 ruling. In addition, the trojan was poorly written, with some glaring security weaknesses. Those with the technical know-how could take control of the software once it had been installed, allowing them to capture information themselves, plant files on computers or update the software with new spying features.
Five German states (Bavaria, Baden-Württemberg, Brandenburg, Rheinland-Pfalz and Lower Saxony) have now admitted that regional police used the software “within the parameters of the law”. It has also emerged that the trojan was probably written by a German company, Digitask, which presented information about how the software worked at a security conference. Leaked documents on Wikileaks detail pricing and license models of the software made by Digitask for the State of Bavaria.
A key question now is whether the state police who used the trojan were planning to make use of its extra information collection capabilities, or had accidentally left that possibility open. According to the Digitask presentation those enhanced spying features that were not needed, or in the case of the German police not authorized, were supposed to be left out of the software. It appears from the CCC’s analysis of this case that all of these features were left in.
“Never ascribe to malice that which can be adequately explained by stupidity” goes the old adage, “but don’t rule out malice”. In this case it seems only time will tell; but when it comes to potential government espionage, stupidity seems a scarcely adequate excuse.
The 2008 legal ruling limiting the use of information gathering by spyware to cases of risk to human lives or state property could potentially have been ignored. As has been seen in the US, laws that cover protection against terrorism, such as the Patriot Act, are increasingly being used for other purposes. Drug trafficking made up 73.7% of Patriot Act “sneak-and-peek” searches in 2009.
The use of backdoor trojan software by law enforcement agencies came to the fore in 2001 when both the NSA and the FBI were rumoured to have produced software known as “Magic Lantern”. The software came to light as part of a Freedom of Information request filed by the Electronic Privacy Information Center. That revealed documents concerning a project called “Carnivore” which allowed for full Internet surveillance of a particular Internet address. This was used in conjunction with a “Magic Lantern” backdoor trojan which was specifically targeted at capturing encryption passwords, allowing the FBI to decode communication captured by Carnivore.
At the time, anti-virus software companies were faced with the decision of whether to remove known government backdoor trojans. In 2001, various anti-virus software vendors made declarations about whether their software would remove a suspected FBI backdoor trojan. Companies such as F-Secure were categorical that they would never knowingly leave detected malware on a computer. Sophos agreed, but Eric Chien, chief researcher at Symantec at the time, claimed they would not detect government malware. Their assumption was that the software would have enough protective mechanisms in place to prevent the wrong people from taking control of it. As the case of the R2D2 trojan has demonstrated, that assumption is not necessarily well founded; the R2D2 trojan had very few protective mechanisms and was open to hijacking.
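The article does not say which specific weaknesses the CCC found, so the following is an added illustration of the general design point raised here and in the description of the trojan above, not code from the CCC, Digitask or any government: a remote-control component that accepts commands without authenticating them can be driven by anyone who can reach it, whereas one that checks a keyed MAC over each command and rejects replayed messages can only be driven by the holder of the key. The controllers, the message format, the action names and the keys are all constructed for this example.

```python
import hashlib
import hmac
import json
import secrets

TAG_LEN = 32  # SHA-256 HMAC tag length in bytes


def sign_command(key: bytes, command: dict) -> bytes:
    """Build an authenticated message: HMAC-SHA256 tag followed by the JSON body.
    Canonical JSON (sorted keys) ensures sender and receiver MAC identical bytes."""
    body = json.dumps(command, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


class UnauthenticatedController:
    """Hypothetical weak design: any well-formed message is obeyed.
    Whoever can deliver a message controls the component."""

    def handle(self, message: bytes) -> tuple:
        command = json.loads(message)
        return ("accepted", command["action"])


class AuthenticatedController:
    """Hypothetical hardened design: a command is obeyed only if its HMAC tag
    verifies under the shared key and its nonce has not been seen before."""

    def __init__(self, key: bytes):
        self.key = key
        self.seen_nonces = set()

    def handle(self, message: bytes) -> tuple:
        if len(message) < TAG_LEN:
            return ("rejected", "malformed")
        tag, body = message[:TAG_LEN], message[TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        # Constant-time comparison avoids leaking the tag through timing
        if not hmac.compare_digest(tag, expected):
            return ("rejected", "bad tag")
        command = json.loads(body)
        nonce = command.get("nonce")
        if nonce is None or nonce in self.seen_nonces:
            return ("rejected", "replay")
        self.seen_nonces.add(nonce)
        return ("accepted", command["action"])


def demo() -> dict:
    """Run a legitimate operator and an outsider against both designs."""
    operator_key = secrets.token_bytes(32)  # constructed: shared with the component
    outsider_key = secrets.token_bytes(32)  # constructed: outsider has no operator key

    legit = sign_command(operator_key, {"action": "status", "nonce": "n1"})
    forged = sign_command(outsider_key, {"action": "update", "nonce": "n2"})

    weak = UnauthenticatedController()
    strong = AuthenticatedController(operator_key)

    return {
        # Weak design obeys the outsider's body (tag stripped, no check exists)
        "weak_forged": weak.handle(forged[TAG_LEN:]),
        "strong_legit": strong.handle(legit),
        "strong_forged": strong.handle(forged),
        # Re-sending a previously accepted message is also refused
        "strong_replay": strong.handle(legit),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The outsider's forged command is accepted by the unauthenticated design and rejected by the authenticated one; the same authenticated message sent twice is rejected the second time. A MAC over the command alone does not make the rest of the software trustworthy, but its absence is exactly the kind of missing "protective mechanism" that leaves remote-control software open to hijacking by third parties.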
It seems clear that as criminal and terrorist activity increases on the web, governments and law enforcement agencies in particular are turning to every available technique in order to intercept and collect information. The German BND (Germany’s foreign intelligence service) was alleged by Der Spiegel to have used spyware to monitor the Ministry of Commerce and Industry in Afghanistan and obtain confidential documents, passwords and email. Surveillance trojans have also been used by the Swiss and the Austrian Police.
There are a number of observations that can be made from the CCC’s announcement:
Firstly, anti-spyware software from any company that would even contemplate not detecting malware, irrespective of its origins, would have to be treated with caution. Companies that have declared they would detect all malware would seem preferable.
Secondly, it brings into question government sponsored anti-virus initiatives unless they give free choice of vendors to the public. Why would you trust a government sponsored anti-virus software package if they are also producing malware for general use?
Finally, it is interesting to note that the R2D2 trojan would only work if the person being targeted was using a PC with Windows. So perhaps the easiest solution for German citizens at present is to use Linux, an Apple Mac OS X computer or even a smart phone?
With thanks to Runa Sandvik (@runasand) for comments and editing