Germany accused of using Trojan to spy on citizens

The German authorities have been accused of putting out malware that is designed to spy on citizens, and has security flaws which could let third parties monitor people’s computer usage or even plant false evidence.

The Chaos Computer Club has accused German authorities of putting out malware intended to spy on citizens. Image credit: Chaos Computer Club

The Chaos Computer Club (CCC), one of the world’s pre-eminent ‘white
hat’ hacker groups, said on Saturday evening that someone had
anonymously sent it a copy of the malware, which it is calling ‘Bundestrojaner light’. The group reverse-engineered and analysed the software, and
found it could “not only siphon away intimate data but also offers a
remote control or backdoor functionality for uploading and executing
arbitrary other programs”.

“Significant design and implementation flaws make all of the
functionality available to anyone on the internet,” the CCC said in a statement.
The group accused the German authorities of being behind the malware,
but did not provide evidence to back this up.

Privacy and data protection are taken very seriously in Germany, which previously saw massive surveillance operations by the Nazis and the Stasi. The country was the first to pass data-protection laws, and now has some of the strictest privacy safeguards in the world.

In 2008, the German constitutional court banned the use of state
malware, dubbed ‘Bundestrojaner’ or ‘federal Trojan’, to spy on
citizens’ computer usage, beyond straight internet telephony
interception. The government responded by saying it was introducing Quellen-TKÜ lawful interception software, which is only supposed to
be used for VoIP wiretapping.

‘Bundestrojaner light’

However, the CCC seems convinced that the malware it has just
analysed is related to the original malware, and is therefore
referring to it as ‘Bundestrojaner light’.

It is even conceivable that the law enforcement agencies’ IT infrastructure could be attacked through this channel.

– Chaos Computer Club

The fact that the Trojan can receive uploads of “arbitrary
programs” from the internet and execute them remotely means “an
‘upgrade path’ from Quellen-TKÜ to the full Bundestrojaner’s
functionality is built-in right from the start”, the CCC said.

The group
claims the malware can activate a user’s
microphone and webcam for “room surveillance” purposes, while capturing screenshots of the user’s web browser.

In addition, it said the Trojan is tearing “serious security holes”
into infected systems, as the commands from the control software to
the Trojan are completely unencrypted, and the screenshots and audio
files it sends back are “encrypted in an incompetent way”.

“Not only can unauthorised third parties assume control of the
infected system, but even attackers of mediocre skill level can
connect to the authorities, claim to be a specific instance of the
Trojan, and upload fake data,” the CCC said.

“It is even conceivable
that the law enforcement agencies’ IT infrastructure could be attacked
through this channel. The CCC has not yet performed a penetration test
on the server side of the Trojan infrastructure,” it added.

Read this

Ten computer viruses that changed the world

Read more

Malware origins

Although the CCC has published the binaries of the malware, it has
not explicitly offered evidence that the software has an official government source. On Monday, Germany’s Federal Criminal Police Office (Bundeskriminalamt,
or BKA) told ZDNet UK it “has never used this
kind of software”.

Federal justice minister Sabine Leutheusser-Schnarrenberger issued a
statement on Sunday saying her party, junior coalition partner
the FDP, has “always warned against the dangers of government snooping
software”. The use of such software is a risk to public
confidence in the powers of the constitutional court, she added.

The Pirate Party, a tech-focused party that entered
mainstream German politics when it won
15 seats in the Berlin state parliament, said it would refrain
from commenting on the situation until the source of the malware is
proven.