Authorities in the state of Bavaria admitted on Monday that a piece of spyware discovered on a citizen’s computer by the local Chaos Computer Club hacker group was designed for use by authorities to spy on suspects.
Under German law, authorities can use spyware to monitor criminals, but its use is supposed to be limited to the interception of internet telephony.
The so-called R2D2 keylogging Trojan that CCC examined, however, does much more than this. In addition to monitoring Skype calls and recording keystrokes to monitor e-mail and instant messaging communications, the Trojan can take screenshots and activate a computer’s microphone and webcam to allow someone to remotely spy on activities in a room. Furthermore, the program includes a backdoor that would allow authorities to remotely update the program with additional functionality.
“The analysis concludes that the trojan’s developers never even tried to put in technical safeguards to make sure the malware can exclusively be used for wiretapping internet telephony, as set forth by the constitution court,” CCC wrote on its web site. “On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer.”
The backdoor contains several security vulnerabilities that make any system on which the spyware is installed potentially vulnerable to takeover by other parties, who could commandeer the spyware for their own purposes. Commands sent to the Trojan are not encrypted, and the spyware requires no authentication between the Trojan and the system communicating with it, meaning that anyone could take remote control of the spyware to spy on a user, plant evidence on his machine or even impersonate a law enforcement Trojan to communicate with law enforcement systems.
“This complete control over the infected PC — owing to the poor craftsmanship that went into this trojan — is open not just to the agency that put it there, but to everyone,” CCC wrote. “It could even be used to upload falsified ‘evidence’ against the PC’s owner, or to delete files, which puts the whole rationale for this method of investigation into question.”
The group announced that it had already written exploit code that would allow someone to take control of the government’s spyware on a machine.
The CCC discovered the spyware after being given a laptop to analyze that allegedly belonged to a man accused of illegally exporting pharmaceuticals. The suspect’s attorney says the spyware was installed on his client’s computer when he passed through airport customs.
Bavaria Interior Minister Joachim Herrmann confirmed that officials began using the spyware in 2009, but insisted authorities acted within the law. Three other states — Baden-Württemberg, Brandenburg and Lower Saxony — have also confirmed using spyware, though it’s unclear if they used the same Trojan that CCC found.
Justice Minister Sabine Leutheusser-Schnarrenberger has called for an investigation to determine if authorities used the spyware properly.
Authorities in the U.S. have also been using spyware for years to conduct surveillance of suspects. The U.S. software, called a “computer and internet protocol address verifier,” or CIPAV, is designed to collect a wide range of information and deliver it to an FBI server in eastern Virginia. The FBI’s use of the spyware surfaced in 2007 when the bureau used it to track e-mailed bomb threats against a Washington state high school to a 15-year-old student.
Documents obtained by Threat Level under the Freedom of Information Act showed that the FBI had deployed the CIPAV in a wide variety of cases, from major hacker investigations to a case involving someone who posed as an FBI agent online. The program at one point became so popular with federal law enforcement agents that Justice Department lawyers warned that overuse could result in electronic evidence being thrown out of court in some cases.
“While the technique is of indisputable value in certain kinds of cases, we are seeing indications that it is being used needlessly by some agencies, unnecessarily raising difficult legal questions (and a risk of suppression) without any countervailing benefit,” notes a formerly classified 2002 memo from the Justice Department’s Computer Crime and Intellectual Property Section.
With previous reporting by Kevin Poulsen