The trojan

A guest article by Jimmy Schulz, Member of the Bundestag

In the last few weeks, a debate has been making waves. The revelations of the Chaos Computer Club e.V. have caused a stir among politicians and IT experts, as well as the media. Accusations and counter-attacks, allegations and declarations of innocence have dominated the debate. One thing almost all involved had in common: lack of expertise.

The discussion often confused and misunderstood the various options available to investigators. The Trojans analyzed so far are exclusively Trojans that were deployed on the basis of an order for source telecommunication surveillance (source TKÜ). This permits the interception of communication at the source (the end device) if no other "classical" TKÜ method is effective. In classical TKÜ, a communication is usually tapped at the exchange, without any need to intervene in the terminal device used. In most cases this concerns the interception of Voice over IP (VoIP) conversations, e.g. Skype.

Jimmy Schulz. Photo: Christine Olma.

This is to be distinguished from online searches, which offer far more extensive possibilities but also face much higher hurdles in their implementation. That variant of a possible Trojan deployment should be considered separately.

It helps to approach the subject without agitation. What exactly happened? The CCC analyzed a hard disk that was sent to it and found a Trojan that is now undisputedly known to be the one used in the Landshut case. In addition to the "desired" ability to tap Internet telephone conversations at the source, in this case on the notebook, this Trojan contains further features. These are also the bone of contention.

The other features can be divided into three categories:

  1. Controversial capabilities that were used: screenshots. In this case some 60,000 were allegedly taken at 30-second intervals. This was supposed to serve to capture communication via e-mail, chat, etc. The Landshut Regional Court, however, has deemed this unlawful. Further questions also remain open here: Did the screenshots capture, or could they have captured, texts that were not used for communication (diary entries, drafts)? Since this cannot be ruled out, it is obvious that this is an inadmissible extension of the TKÜ.
  2. Deactivated features of the Trojan: The CCC discovered at least two further features integrated into this Trojan but not activated in this case. First, a keylogging function, i.e. the logging of all keystrokes, which does not distinguish between writing an e-mail and entering a PIN/TAN combination. Second, a function to switch the microphone on and off. This could be used, e.g., for acoustic room surveillance. Of course, these two capabilities go far beyond the measure permitted for the purpose of TKÜ/source TKÜ and are more comparable to an online search. The fact that these features were disabled is reassuring on the one hand. But the fact that they were integrated and present on the suspect's hard drive at all is a cause for concern, because all of the Trojan's capabilities could easily be activated via remote control. Which brings us to the next point:
  3. Barn door wide open: All Trojans analyzed by the CCC so far contained a capability that gives cause for particularly grave concern: the ability to remotely control all of the aforementioned capabilities, to reload arbitrary features, and to upload and download arbitrary files. This alone calls the integrity of the system into question. The most perfidious thing about the discovered Trojans is their obviously sloppy programming! In particular, the back channel to the infected computer was not encrypted in the older version of the Trojan. The newer version does have two-way encryption, at least between the authorities and the monitored computer, but still with the same key that was used three years ago. In addition, the encryption algorithm, namely AES in the unsuitable ECB mode, is relatively easy to crack. So there is no question of effective encryption, at most of "light obfuscation".[1] The frightening thing here is that the CCC managed to impersonate a "legitimate" control computer without any difficulty. Unfortunately, because of the errors mentioned above, this is possible for any halfway competent expert. This means that any third party could gain access to the monitored computer using the methods described above. This includes not only the same possibilities the investigating authorities have, but also the arbitrary loading of additional monitoring tools and the arbitrary manipulation of files and evidence. Taken together, the evidential value of source TKÜ measures tends toward zero.
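To make concrete why AES in ECB mode amounts to "light obfuscation" and why an unauthenticated control channel can be impersonated, here is an added Go example (not code from the article or from the analyzed Trojan): under a fixed, never-rotated key, ECB reveals which command blocks repeat and produces identical bytes on the wire every time, whereas AES-GCM hides repeats with a fresh nonce and its authentication tag rejects modified messages. The key and the command stream are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
)

// Constructed demo key (standing in for one that is never rotated) and stream.
var demoBlock, _ = aes.NewCipher([]byte("0123456789abcdef")) // 16-byte key: cannot fail
var demoStream = []byte("SCREENSHOT NOW!!SCREENSHOT NOW!!SCREENSHOT NOW!!SCREENSHOT NOW!!") // same command x4

// ecbEncrypt encrypts each 16-byte block on its own: no IV, no chaining; a partial tail is dropped.
func ecbEncrypt(b cipher.Block, pt []byte) []byte {
	out := make([]byte, len(pt)-len(pt)%aes.BlockSize)
	for i := 0; i < len(out); i += aes.BlockSize {
		b.Encrypt(out[i:], pt[i:i+aes.BlockSize])
	}
	return out
}

// repeatedBlocks returns how many ciphertext blocks duplicate an earlier one. Under
// ECB equal plaintext blocks give equal ciphertext, so traffic structure leaks without the key.
func repeatedBlocks(ct []byte) int {
	seen := map[string]bool{}
	for i := 0; i+aes.BlockSize <= len(ct); i += aes.BlockSize {
		seen[string(ct[i:i+aes.BlockSize])] = true
	}
	return len(ct)/aes.BlockSize - len(seen)
}

// gcmSeal (AES-GCM): a fresh random nonce hides repeats, the tag authenticates; layout nonce || ct || tag.
func gcmSeal(b cipher.Block, pt []byte) []byte {
	aead, _ := cipher.NewGCM(b) // cannot fail for a 16-byte block cipher
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, pt, nil)
}

// gcmOpen checks the tag before returning anything: a modified or forged message yields false.
func gcmOpen(b cipher.Block, sealed []byte) ([]byte, bool) {
	aead, _ := cipher.NewGCM(b)
	if len(sealed) < aead.NonceSize() {
		return nil, false
	}
	pt, err := aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], nil)
	return pt, err == nil
}
```

Authenticated encryption alone does not fix a shared key that never changes; per-session keys and mutual authentication of the control computer are what stop a third party from speaking for the authorities.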

How did source TKÜ actually come about? Let us recall: classical TKÜ is used to intercept communication in cases of reasonable suspicion. The bug in the telephone has long been nothing but a fairy tale; the whole thing works by judicial order at the exchange. Internet telephony is, of course, somewhat more complicated and different, because there is a direct connection between the two terminals, which is also encrypted. This, incidentally, has always been the justification given for the need for source telecommunication surveillance. For the two subscribers to find each other, an exchange, a central computer, is called upon.

Technically, it is not a problem for the provider to run the entire conversation through this exchange.

From a technical point of view, it is likewise not a problem to circumvent the encryption, either by means of a general key or by a man-in-the-middle attack.

All this can be done without the subscribers being aware of it.

Now there are increasing rumors that providers of such Internet telephony services are not only theoretically able to offer this service. Already in 2008 this possibility was confirmed in Austria during a meeting at the Ministry of the Interior on the subject of lawful interception. The privacy policy of the leading provider explicitly points out this possibility. Users must therefore be aware that these government methods can be used for surveillance. With German VoIP providers there is in any case the possibility of accessing conversations with the methods of classical TKÜ. They are obliged by law to provide such an interface. It is therefore very surprising that the analyzed Trojan should also provide interfaces for this purpose.

If there is a way to do this without interfering with the end device and in compliance with the law, then the question is: why don't we do it?

But if the use of a Trojan cannot be made to conform to the Basic Law, the question arises: why do we do it at all?

What steps should be taken now?

  1. The fastest possible and most transparent disclosure of who used which Trojan, and when.
  2. Possible alternatives to the use of Trojans, regulated on the basis of the current TKÜ, must be examined and tested for suitability.

It remains to be said: The intrusion into the private sphere (terminal device) by means of secretly installed Trojans fundamentally bears the risk of misuse.

For this reason alone, the state should keep its hands off Trojans.

With his company CyberSolutions, founded in 1995, Jimmy Schulz set up, among other things, the first wireless Internet access in the English Garden in Munich. In 2009 he was elected to the Bundestag on the list of the Bavarian FDP. There he is, among other things, a member of the Interior Committee and the New Media Subcommittee of the Enquête Commission Internet and Digital Society.
