CCC cracks government trojan
The German Chaos Computer Club (CCC) says that it has received a copy of the software generally known as the "Federal Trojan" (Bundestrojaner), which is used by the German government for surveillance purposes. The software is currently used by German federal criminal investigators for "telecommunication source surveillance" (Quellen-TKÜ or Quellen-Telekommunikationsüberwachung) and allows Voice-over-IP conversations to be intercepted before they are encrypted at the sender's end or after they are decrypted at the recipient's end.
"The malware can not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs", said the CCC (German statement), criticising the federal software's "significant design and implementation flaws" which create security holes in the infiltrated computers that could be exploited by third parties.
Talking to the German Press Agency (dpa), a spokesperson for the German Federal Ministry of the Interior confirmed that source surveillance software is available to both federal and state authorities in Germany. "Legal guidelines must be observed when using this software", said the spokesperson, adding that federal investigations are governed by the Law on the Establishment of a Federal Criminal Police Office (BKA law). Several German state authorities have implemented additional regulations for the use of source surveillance software. Bavaria particularly stands out in this respect, as the Bavarian Ministry of Justice admitted in mid-2011 that the "Bavaria Trojan" had already been repeatedly used.
Efforts to conduct clandestine remote searches on suspects' computers began back in 2005, when Otto Schily (Social Democratic Party, SPD) was the German Federal Minister of the Interior. Under the catchword "Bundestrojaner" (Federal Trojan), a heated debate about the legitimacy of such intrusions into PC privacy ensued. In February 2008, the German Federal Constitutional Court implemented strict legal guidelines for remote searches. With its decision, the court also created a new constitutional right involving computers, the "constitutional right to IT system privacy and integrity."
Not only did the Constitutional Court's decision set a very strict limit to IT system investigations, it was also the first to define users' sovereignty of their IT equipment, clarifying that nothing may be altered, and that any surveillance must adhere to very strict regulations in this private data sphere. The constitutional right describes comprehensive system protection measures that cover far more than the information that is published by users.
In late 2008, an analysis by Markus Hansen of the "Independent Centre for Privacy Protection Schleswig-Holstein" and Dresden-based IT professor Andreas Pfitzmann found that the regulations for remote searches using the Federal Trojan not only undermine data protection rules, but that the Federal Trojan is also unable to provide evidence that is admissible in court.
The CCC pointed out that "source surveillance" may, by definition, only be used for intercepting internet telephony conversations, and that this must be ensured through technical and legal measures. However, the CCC said that the software sample it analysed allows a much wider scope for attack. "This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown trojan is possible in practice – or even desired", commented a CCC spokesperson.
The code analysis found that the trojan's functions go far beyond the monitoring and intercepting of internet-based telecommunication, and that they violate the explicit terms set by the German Constitutional Court. The CCC said that the trojan can, for example, receive remote uploads of arbitrary programs from the internet and execute them, and that an "upgrade path" to the Federal Trojan's full functionality is built-in from the start; once enabled, these functions apparently allow files on alleged suspects' computers to be searched, read, edited and manipulated. Even a full digital wiretapping attack by remotely accessing a computer's microphone, camera and keyboard is possible, according to the CCC.
In addition to the surveillance functions, the CCC's analysis also found that serious security holes are created when the trojan is injected on the suspect's computer. "The screenshots and audio files [the trojan] sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted", said the CCC. Apparently, neither the commands to the trojan nor the trojan's responses are authenticated or given any form of integrity protection. "Not only can unauthorised third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data", added the CCC. "It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel."
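An added example, not taken from the CCC report or the analysed software: a minimal sketch of the sender authentication, integrity protection and replay rejection that the CCC found missing in both directions of the control channel, using HMAC-SHA256 with a per-endpoint key. The frame layout, the names `seal`, `Receiver` and `verdict`, and the key are assumptions constructed for illustration; the sketch provides no confidentiality.

```python
import hashlib
import hmac
import struct

# Assumed layout: 1-byte direction + 4-byte endpoint id + 8-byte counter, then payload, then tag.
HDR_LEN, TAG_LEN = 13, 32  # TAG_LEN is the HMAC-SHA256 output size

def seal(key, direction, endpoint_id, counter, payload):
    """Build direction | endpoint_id | counter | payload | tag."""
    body = direction + struct.pack(">IQ", endpoint_id, counter) + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Receiver:
    """Accepts frames of one direction from one endpoint, each counter once."""

    def __init__(self, key, direction, endpoint_id):
        self.key, self.direction, self.endpoint_id = key, direction, endpoint_id
        self.last_counter = -1

    def open(self, frame):
        if len(frame) < HDR_LEN + TAG_LEN:
            raise ValueError("short frame")
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("bad tag")
        endpoint_id, counter = struct.unpack(">IQ", body[1:HDR_LEN])
        if body[:1] != self.direction:  # a response must not be accepted as a command
            raise ValueError("wrong direction")
        if endpoint_id != self.endpoint_id:
            raise ValueError("wrong endpoint")
        if counter <= self.last_counter:  # counters must strictly increase
            raise ValueError("replay")
        self.last_counter = counter
        return body[HDR_LEN:]

def verdict(receiver, frame):
    """Return 'ok' or the rejection reason, for display and testing."""
    try:
        receiver.open(frame)
        return "ok"
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    key = hashlib.sha256(b"constructed demo key, endpoint 7").digest()
    rx = Receiver(key, b"C", 7)
    good = seal(key, b"C", 7, 0, b"status")  # constructed sample frame
    print(verdict(rx, good), verdict(rx, good))
```

Without the tag check, every rejected frame in this sketch would be processed, which is the situation the CCC describes for both the commands and the responses.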
According to the CCC, the appropriate consequences are clear: "The clandestine infiltration of IT systems by government agencies must stop." The hacker club has also called on "all hackers and people interested in technology" to further analyse the trojan's binaries and said that it will gladly receive copies of other versions of government malware.
- Chaos Computer Club analyzes government malware, CCC report with link to the government trojan's binaries
- Chaos Computer Club analysiert Staatstrojaner, German version of the CCC report with link to the government trojan's binaries
- Analyse einer Regierungs-Malware, CCC report on the code analysis of the government trojan
- Anatomie eines digitalen Ungeziefers, CCC spokesman Frank Rieger talking about the analysis of the government trojan in the Sunday edition of FAZ newspaper