German police accused of using a Trojan backdoor for interceptions

By EDRi · October 19, 2011

This article is also available in:
Deutsch: [Deutsche Polizei soll Trojaner für Online-Durchsuchungen eingesetzt haben | https://www.unwatched.org/EDRigram_9.20_Deutsche_Polizei_soll_Trojaner_fuer_Online_Durchsuchungen_eingesetzt_haben?pk_campaign=edri&pk_kwd=2011102]

According to EDRi-member Chaos Computer Club (CCC), the German
government has been using a backdoor Trojan, a spyware that can retrieve
private data, and also offers a remote control for uploading and executing
other arbitrary programs.

CCC has reverse engineered and analysed the respective programme and has
concluded that the Trojan can receive uploads of arbitrary programs from the
Internet and execute them remotely and that the activation of the computer’s
hardware, like the microphone or the camera, can be used for surveillance.

Moreover, with the help of an additional module, it can be used to remotely
control infected PCs over the Internet, watching screenshots of the web
browser on the infected PC, including private notices, emails or texts in
web based cloud services. On its website, CCC group includes a screen shot
to show the Trojan in action.

The use of spying software violates the country’s constitutional law as
it contains functions beyond the interception of Internet-based
communication. In 2008, Germany’s Federal Constitutional Court ruled that
the secret infiltration of information technology systems was a grave
infringement of civil rights and could only be justified in some criminal
investigations, and so established strict legal limitations for such cases.

The CCC analysis reveals this is a case of “Bundestrojaner” (federal
Trojan), the colloquial German term for a government malware concept
concealed as “Quellen-TKÜ” (meaning “source wiretapping” or lawful
interception of the source). But, according to the constitutional court,
Quellen-TKÜ can only be used for wiretapping Internet telephony and has to
be enforced through technical and legal means.

The analysis concludes that not only were no technical safeguards introduced
by the Trojan’s developers to provide the use of the malware exclusively
for wiretapping Internet telephony, but its design includes
functionality to clandestinely add more components over the network from the
start, creating a bridge-head to further infiltrate the computer.

“This refutes the claim that an effective separation of just wiretapping
internet telephony and a full-blown trojan is possible in practice – or even
desired. Our analysis revealed once again that law enforcement agencies will
overstep their authority if not watched carefully. In this case functions
clearly intended for breaking the law were implemented in this malware: they
were meant for uploading and executing arbitrary code on the targeted
system,” stated a CCC speaker.

Markus Beyer, spokesperson for the Federal Interior Ministry said at a press
conference on 8 October 2011 that the software was “freely available” and
three years old, without however stating whether the software had been
designed by or for the government.

Chief government spokesperson Steffen Seibert stated at the same press
conference that the German government was taking allegations about illegal
surveillance software used by investigative authorities “very seriously” and
would examine the claims made by CCC.

“It would be a very grave incident and clearly against the law should the
allegation be accurate,” said Wolfgang Bosbach, chairman of the German
Parliament’s Internal Affairs Committee to Deutschlandfunk radio and, on 7
October 2011, the Free Democratic Party asked for an investigation and a ban
on the use of the software until the allegations were cleared.

German government accused of spying on citizens with state-sponsored Trojan
(8.10.2011)
http://www.zdnet.com/blog/bott/german-government-accused-of-spying-on-citizens-with-state-sponsored-trojan/4044

Analysis of Government malware (only in German, 8.10.2011)
http://www.ccc.de/system/uploads/76/original/staatstrojaner-report23.pdf

Chaos Computer Club analyzes government malware (8.10.2011)
http://ccc.de/en/updates/2011/staatstrojaner

Possible Governmental Backdoor Found (“Case R2D2”) (8.10.2011)
http://www.f-secure.com/weblog/archives/00002249.html

German Malware May Put PC’s Camera at Risk (10.10.2011)
http://www.bloomberg.com/news/2011-10-10/german-trojan-spyware-may-violate-constitution.html