Source Code

Online Journalist Bill Code decodes the digital media landscape. Follow @billcode
The software has the ability to control webcams remotely, according to the Chaos Computer Club. (AFP)

Skype-snooping scandal sparks Chaos

13 October 2011 | 14:23 | Source: BC

Surveillance is a hot issue in Germany. In East Berlin, the huge headquarters of the German Democratic Republic’s secret police – the Stasi – are a constant reminder of a regime for which snooping on the public was an everyday occurrence.

More than two decades after the fall of the Berlin Wall, revelations that German state governments have been using trojan malware to monitor the calls of Skype users have sparked concern.

The Chaos Computer Club examined a computer hard drive that was handed to them by the lawyer of a suspect in a criminal case. It’s claimed the software - R2D2 as it has been branded due to a line of code - may have been installed on his computer while he passed through security at Munich airport.
 
I once had the privilege of meeting several members of this hacker collective and was struck by a slight paranoia, but also a devotion to looking at how end users - to borrow consumer-speak - are at risk. But just because you’re paranoid, doesn’t mean they’re not out to get you.

SECURITY HOLES

Indeed, on October the 8th, the group announced it had reverse engineered and analysed ‘lawful interception’ malware which could "not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs", adding that "significant design and implementation flaws make all of the functionality available to anyone on the internet."

In other words the software could apparently listen in to Skype calls, switch and turn off the webcam, and as a keylogger, take a record of everything typed into the keyboard. It then sent this information back to two remote servers.  In theory, it allows for false evidence to be planted by police, the CCC says. On top of that, the group says the security is so poor, anyone else with the right knowledge could also take control of the compromised computer.

The real point the CCC is making is what it clearly thinks is the added reckless behaviour of installing something with ‘serious security holes.’

Perhaps this should all come as no surprise in Germany, considering WikiLeaks documents which showed authorities hiring a company with the aim of creating such trojans in 2008.

The document in question goes into some detail on the high costs of the project, which are also currently causing a bit of a stink with the increasingly popular Pirate Party.

Skype spying as a whole is not new. In 2009, America’s FBI released a set of documents relating to Skype surveillance. It's been using trojans on unsuspecting users for at least the last ten years.  There have been similar occurrences in China, which saw Skype forced to blog on its apparent compliance in 2008.

Microsoft has even filed a patent for a method to silently record communication on Skype, which it recently acquired. Reports suggested this was to comply with America's Communications Assistance for Law Enforcement Act. But an even newer proposal to force web-based communications such as Skype - and including email, Facebook, Twitter and Blackberry – to require a built-in way of complying with wiretap orders has been on the books for years, the New York Times reports.

In Germany, CCC is most concerned at what appears to be the recklessness of authorities.

“The screenshots and audio files it sends out are encrypted in an incompetent way, the commands from the control software to the trojan are even completely unencrypted... Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan, and upload fake data. It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel.”

A compromised computer would thus be at risk of being controlled by not just the government, but anyone else with the nous to get on board and use the software.

"We were surprised and shocked by the lack of even elementary security in the code. Any attacker could assume control of a computer infiltrated by the German law enforcement authorities."

In addition, storing the siphoned data on a rented server in the US, as the CCC alleges is occurring, sets what appear to be new jurisdictional concerns around what’s likely to be sensitive information. German law allows for a degree of snooping, but there are strict guidelines – altering code is out, and there must be safeguards in place to stop the trojan being used for ‘additional functionality’, as security firm Sophos reports.

COMING OUT OF THE WOODWORK

So days later, German states were coming out of the woodwork to fess up, and it’s now causing nothing short of a storm.  First Bavaria, then five more states said police had been using such malware.

The Bavarian government says it’s putting an end to the program’s use after calls from Berlin for an investigation, and the opposition is calling for the head of the interior minister.

And it’s not just at the state level. Berlin’s Tageszeitung reports that federal agencies have used Trojan software 25 times since 2008 to get at Skype and email, although authorities are still denying that R2D2 is in use. In an added headache for Chancellor Angela Merkel, junior coalition partner the FDP - a centre right party - has even reportedly met up with the CCC to put itself at the forefront of action. Only in Germany.

There’s no doubt that government agencies need to be able to monitor the communications of people suspected of serious crimes – but as the CCC points out – there need to be serious checks on such power.

Any inquiry will need to assure Germans – and other Skype users – that state-sponsored malware is being used on the right people, but importantly, by the right people.

The computer, as the CCC argues, is now the ‘Kernbereich’ or core area, of the individual’s living space. If lax security then allows any ill-intentioned hacker to mess around in there without the user’s knowledge – crime suspect or not – it might not just be the surveillance-conscious Germans kicking up a fuss.
