Documents released by WikiLeaks last week appear to support earlier reports that Germany's federal police plan to use Trojan horse malware to conduct surreptitious searches of targeted computers, including Skype communication and encrypted SSL traffic.
According to one of the documents, which are unverified and were first published by the German political party PiratenPartei (Pirate Party), the Bavarian police appear to have commissioned a German security company to create a Trojan horse for capturing Skype communications and SSL traffic from surveilled computers. The Trojan would be either installed directly on targeted systems or delivered to unsuspecting suspects via an e-mail with a rogue attachment (much as the FBI delivered a Trojan horse to a Washington high school student last year).
One of the two documents appears to be a letter from the Bavarian Ministry of Justice to prosecutors. It discloses that a company named DigiTask was contracted to provide the Trojan horse, or Skype Capture Unit. The document discusses who is responsible -- the Bavarian police or prosecutors -- for the cost of surveilling VoIP traffic used in criminal proceedings.
According to this document and the second one dated September 4 of last year -- which appears to be a letter from DigiTask to government authorities outlining how the program would work and its costs -- the police would be required to rent the software at a cost of EURO 3,500 a month, for a minimum of three months. In addition to the rental fee, the letter describes a one-time installation and de-installation fee of EURO 2,500 (the software de-installs itself after a set timeframe but can also be de-installed manually at any time), plus the cost of renting two proxy servers used to route the collected data to police. The document also mentions an additional EURO 2,500 required to rent SSL-decoding.
Of course Skype traffic is encrypted so just collecting the communication as it's in transit isn't enough. Authorities would need a key to decrypt it. German authorities spoke publicly last year about being thwarted by Skype's encryption. The two leaked documents, which have been somewhat poorly translated into English, address the encryption issue:
Germany's Supreme Court ruled last year that evidence gained from surreptitious searches of a suspect's computers was inadmissible in the absence of surveillance laws regulating police hacking activity. Legislators began drafting such a bill late last year, but as the leaked documents show, police didn't wait for legislators to make their move before they began talking with DigiTask about creating made-to-order Skype malware.
Around the same time that the police were negotiating with DigiTask, Germany passed another hacking bill that now makes it illegal for anyone (other than police presumably) to create, spread or purchase tools that are designed for hacking.
The DigiTask letter, leaked online and dated after the new hacking law was passed, includes a disclaimer saying that DigiTask will not be held responsible for usage of the software or any damages caused by it -- such as could happen if the rogue software wreaked havoc on a target's machine or if a lucky hacker stumbled across it on a target's machine and commandeered it for his own surveillance purposes. Notably, the letter doesn't appear to mention any guarantee by DigiTask that its secret software can bypass standard firewall and anti-virus protection.