By Bob Sullivan
Chaos Computer Club: German gov’t software can spy on citizens
A well-regarded Germany-based hacker group claims a German government-created Trojan horse program is capable of secretly spying on Web users without their consent.
The group says on its website that it obtained and analyzed a piece of software that is supposed to be a “lawful interception” program designed to listen in on Internet-based phone calls as part of a legal wiretap, but its capabilities go far beyond legal bounds.
The program is capable of logging keystrokes, activating Webcams, monitoring Web users’ activities and sending mountains of data to government officials, the club said.
To cover its tracks, the data is routed through rented servers located in the United States, the club alleges.
“To avoid revealing the location of the command and control server, all data is redirected through a rented dedicated server in a data center in the USA,” the Club said on its website.
The German government has yet to comment on the findings, but already, antivirus companies are reacting to them. Security firm F-Secure will detect and disable the alleged government monitoring software if found on clients’ computers, it announced on Saturday.
“Yes, it is possible the Trojan found by CCC is written by the German government. We just can’t confirm that,” said Mikko Hypponen, F-Secure’s chief technology officer, via Twitter.
The program, labeled a “backdoor” because it can open a computer to surreptitious access, targets certain applications for keylogging, including Firefox, Skype, MSN Messenger, ICQ and others, according to F-Secure.
German courts have long allowed use of a backdoor program known as “Bundestrojan” — “federal Trojan,” in English — which permits government investigators to listen in on Skype-based phone calls as part of a legal wiretap order. Skype and other kinds of Internet phone calls that can be encrypted are particularly troubling for law enforcement, because they can be used by suspects to evade wiretaps.
After a court battle in 2008, Bundestrojan was ruled legal as long as it screened only very specific communications — essentially, Internet telephone calls.
But the Chaos Computer Club announced Saturday that it had obtained a copy of what it believed was a copy Bundestrojan, and that the program has capabilities that go far beyond legal wiretapping. In addition to keylogging and screen shots, the software is also capable of remote control and upgrade.
“This refutes the claim that an effective separation of just wiretapping internet telephony and a full-blown Trojan is possible in practice – or even desired…. The Trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court,” said the club on its site. “Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully. In this case, functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system.”
The club also criticized security measures put in place by programmers of the alleged Trojan. Poor encryption implementation means a malicious third-party could intercept the government communications, or take control of government-infected machines, it said.
“This complete control over the infected PC – owing to the poor craftsmanship that went into this trojan – is open not just to the agency that put it there, but to everyone,” the club said. “The security level this trojan leaves the infected systems in is comparable to it setting all passwords to ‘1234.’ ”
Worse yet, the flaws make it possible to place false evidence on a suspect’s computer.
“(This) puts the whole rationale for this method of investigation into question,” the club said.
The well-regarded hacker group, founded in the 1970s, didn’t say where it had obtained the program, but said it had analyzed several different copies. It said the German Ministry of the Interior had been informed about the findings, and the club publicly demand that the German government stop using the program and initiate its self-destruction capabilities.
While Bundestrojan is designed to tap communications of suspects after a government official obtain permission from a German court, there is no technical reason that the software could not be used on U.S. citizens traveling in Germany, or even on Web users who are outside of Germany.