Germany accused of using Trojan to spy on citizens

The Chaos Computer Club says it has reverse-engineered and analysed malware that not only spies on people, but also introduces security flaws that could let third parties plant false information

The German authorities have been accused of putting out malware that is designed to spy on citizens, and has security flaws which could let third parties monitor people's computer usage or even plant false evidence.

Chaos Computer Club logo

The Chaos Computer Club has accused German authorities of putting out malware intended to spy on citizens. Image credit: Chaos Computer Club

The Chaos Computer Club (CCC), one of the world's pre-eminent 'white hat' hacker groups, said on Saturday evening that someone had anonymously sent it a copy of the malware, which it is calling 'Bundestrojaner light'. The group reverse-engineered and analysed the software, and found it could "not only siphon away intimate data but also offers a remote control or backdoor functionality for uploading and executing arbitrary other programs".

"Significant design and implementation flaws make all of the functionality available to anyone on the internet," the CCC said in a statement. The group accused the German authorities of being behind the malware, but did not provide evidence to back this up.

Privacy and data protection are taken very seriously in Germany, which previously saw massive surveillance operations by the Nazis and the Stasi. The country was the first to pass data-protection laws, and now has some of the strictest privacy safeguards in the world.

In 2008, the German constitutional court banned the use of state malware, dubbed 'Bundestrojaner' or 'federal Trojan', to spy on citizens' computer usage, beyond straight internet telephony interception. The government responded by saying it was introducing Quellen-TKÜ lawful interception software, which is only supposed to be used for VoIP wiretapping.

'Bundestrojaner light'

However, the CCC seems convinced that the malware it has just analysed is related to the original malware, and is therefore referring to it as 'Bundestrojaner light'.

It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel.

– Chaos Computer Club

The fact that the Trojan can receive uploads of "arbitrary programs" from the internet and execute them remotely means "an 'upgrade path' from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start", the CCC said.

The group claims the malware can activate a user's microphone and webcam for "room surveillance" purposes, while capturing screenshots of the user's web browser.

In addition, it said the Trojan is tearing "serious security holes" into infected systems, as the commands from the control software to the Trojan are completely unencrypted, and the screenshots and audio files it sends back are "encrypted in an incompetent way".

"Not only can unauthorised third parties assume control of the infected system, but even attackers of mediocre skill level can connect to the authorities, claim to be a specific instance of the Trojan, and upload fake data," the CCC said.

"It is even conceivable that the law enforcement agencies' IT infrastructure could be attacked through this channel. The CCC has not yet performed a penetration test on the server side of the Trojan infrastructure," it added.

Malware origins

Although the CCC has published the binaries of the malware, it has not explicitly offered evidence that the software has an official government source. On Monday, Germany's Federal Criminal Police Office (Bundeskriminalamt, or BKA) told ZDNet UK it "has never used this kind of software".

Federal justice minister Sabine Leutheusser-Schnarrenberger issued a statement on Sunday saying her party, junior coalition partner the FDP, has "always warned against the dangers of government snooping software". The use of such software is a risk to public confidence in the powers of the constitutional court, she added.

The Pirate Party, a tech-focused party that entered mainstream German politics when it won 15 seats in the Berlin state parliament, said it would refrain from commenting on the situation until the source of the malware is proven.

Get the latest technology news and analysis, blogs and reviews delivered directly to your inbox with ZDNet UK's newsletters.