An eavesdropping tool allegedly used by the German government to intercept Skype calls is full of security problems and may violate a ruling by the country’s constitutional court, according to a European hacker club.
The Chaos Computer Club obtained several versions of a program that has allegedly been used by German law enforcement in possibly hundreds of investigations to intercept Skype calls, said Frank Rieger, a member of the club.
It has long been rumored that the German government was interested in developing an application to intercept Skype. Three years ago, documents released by WikiLeaks purported to show a proposal by a Bavarian company, DigiTask, offering to develop such a tool.
Press officials contacted on Monday morning at Germany’s Interior Ministry were unable to immediately answer questions. On Sunday, Steffen Seibert [cq], a spokesman for Germany’s Federal Press Office wrote on Twitter that the Interior Ministry said it did not use the programs examined by the Chaos Computer Club.
Seibert wrote on Twitter on Monday morning that federal and state governments were expected to issue a statement about the controversy.
The tool, called “Quellen-TKU,” was developed ostensibly for wiretapping Internet phones calls, the Chaos Computer Club said. It is a lighter version of a more encompassing surveillance tool conceptualized by the German government to spy on computers in Germany but banned by the country’s constitutional court in February 2008.
The court left room for the government to develop a tool specifically for wiretapping, but the Chaos Computer Club found that the versions in circulation are far more powerful than the boundaries set by the constitutional court, Rieger said.
“We got our hands on it and found it is doing much more than it is legally allowed to do,” Rieger said.
DigiTask’s lawyer, Winfried Seibert, said on Monday that the company is investigating whether the application examined by the Chaos Computer Club was developed by the company and should find out within a day or so. He said DigiTask has developed such programs for public authorities in Germany.
“In general, it fits,” Seibert said. “We are trying to find out what it really is. We can’t be 100 percent sure.”
The Chaos Computer Club explains on its blog that Quellen-TKU can activate a computer’s microphone and camera, which could be used for room surveillance, and take screenshots. The program can upload other applications to a computer, which could export files from the machine.
“This is clearly in violation of the constitutional court,” Rieger said.
Basically, Quellen-TKU is a call recorder. It can intercept Skype calls by recording the conversation from a computer’s sound card before it is encrypted by Skype. Skype’s encryption has led to widespread fears in countries such as Germany and India that law enforcement would be shut out from monitoring plotting terrorists.
“It’s quite hard to intercept Skype calls at the operator level because it’s encrypted,” said Mikko Hypponen [cq], chief research officer for the Finnish security company F-Secure. “It’s fairly easy if it [the interception program] is running on the computer itself.”
The club reported other disturbing findings about Quellen-TKU’s security: although the data transmitted by the program is encrypted, the commands transmitted to control the program are not. Those commands are also not authenticated to prove the directions are coming from an authorized source, making it possible for an attacker to impersonate law enforcement.
“Not only can unauthorized third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the trojan and upload fake data,” according to the Chaos Computer Club’s writeup. “It is even conceivable that the law enforcement agencies’ IT infrastructure could be attacked through this channel.”
The Chaos Computer Club provided samples to F-Secure, which found Quellen-TKU also had keylogging capabilities to intercept data entered into applications such as Firefox, and the instant messaging programs MSN Messenger and ICQ.
Bizarrely, Quellen-TKU has a hidden reference to the movie Stars Wars, F-Secure found. A text string that is used to start data transmission reads:”C3PO-r2d2-POE.” F-Secure decided to name the program “Backdoor:W32/R2D2.A.”
“I can’t confirm the source who wrote this trojan, but I have no reason to doubt what CCC [Chaos Computer Club] is saying,” Hypponen said.
Now that is has been detected, it’s unlikely Quellen-TKU will be of any use now to law enforcement. F-Secure said it had added a signature to its database to detect the program, and other major antivirus vendors such as Symantec and McAfee have as well.
But many antivirus programs have other methods for detecting malicious software. Hypponen said F-Secure’s software — while not knowing exactly what Quellen-TKU was — would have blocked it once it executed one a computer as far back as a year ago because the program meddled with low-level parts of a computer’s operating system. Other security vendors may also have been capable of stopping it as well, he said.
Even if law enforcement had been recently using Quellen-TKU to monitor someone planning to do violence, Hypponen said the company decided to continue to detect it. F-Secure has a policy that it will not modify its products for law enforcement within respect of European Union laws.
Send news tips and comments to jeremy_kirk@idg.com