daily online news

Documents released by WikiLeaks last week appear to support earlier reports that Germany's federal police plan to use Trojan horse malware to conduct surreptitious searches of targeted computers, including Skype communication and encrypted SSL traffic.

According to one of the documents, which are unverified and were first published by the German political party PiratenPartei (Pirate Party), the Bavarian police appear to have commissioned a German security company to create a Trojan horse for capturing Skype communications and SSL traffic from surveilled computers that would be directly installed on targeted systems or delivered to unsuspecting suspects via an e-mail with a rogue attachment (much as the FBI delivered a Trojan horse to a Washington high school student last year).

One of the two documents appears to be a letter from the Bavarian Ministry of Justice to prosecutors. It discloses that a company named DigiTask was contracted to provide the Trojan horse, or Skype Capture Unit. The document discusses who is responsible - the Bavarian police or prosecutors -- for the cost of surveilling VoIP traffic used in criminal proceedings.

According to this document and the second one dated September 4 of last year -- which appears to be a letter from DigiTask to government authorities outlining how the program would work and its costs -- the police would be required to rent the software at a cost of EURO 3,500 a month, for a minimum of three months. In addition to the rental fee, the letter describes a one-time installation and de-installation fee of EURO 2,500 (the software de-installs itself after a set timeframe but can also be de-installed manually at any time), plus the cost of renting two proxy servers used to route the collected data to police. The document also mentions an additional EURO 2,500 required to rent SSL-decoding.

Of course Skype traffic is encrypted so just collecting the communication as it's in transit isn't enough. Authorities would need a key to decrypt it. German authorities spoke publicly last year about being thwarted by Skype's encryption. The two leaked documents, which have been somewhat poorly translated into English, address the encryption issue:

Encryption of communication via Skype poses a problem for surveillance of telecommunications. All traffic generated by Skype can be captured when surveilling a Dialin- or DSL-link, but it cannot be decrypted. The encryption of Skype works via AES wih a 256-Bit key. The symmetric AES keys are negotiated via RSA keys (1536 to 2048 Bit). The public keys of the users are confirmed by the Skype-Login-Server when logging in. To surveil Skype-communication it thus becomes necessary to realize other approaches than standard telecommunications surveillance.

The concept of DigiTask intends to install a so called Skype-Capture-Unit on the PC of the surveilled person. This Capture-Unit allows recording of the Skype communication, such as Voice and Chat, as well as diverting the data to an anonymous Recoridng-Proxy. The Recording-Proxy (not part of this offer) forwards the data to the final Recording-Server. The data can then be accessed via mobile Evaluation Stations.

The mobile Evaluation Units can, making use of a streaming-capable multimedia player, playback the recorded Skype communication, such as Voice and Chat, also live. To minimize bandwidth usage special codecs for strong compressions are used. The transmission of data to the recording unit is encrypted using the AES algorithm.

Germany's Supreme Court ruled last year that evidence gained from surreptitious searches of a suspect's computers were inadmissible in the absence of surveillance laws regulating police hacking activity. Legislators began drafting such a bill late last year, but as the leaked documents show, police didn't wait for legislators to make their move before they began talking with DigiTask about creating made-to-order Skype malware.

Around the same time that the police were negotiating with DigiTask, Germany passed another hacking bill that now makes it illegal for anyone (other than police presumably) to create, spread or purchase tools that are designed for hacking.

The DigiTask letter leaked online and dated after the new hacking law was passed includes a disclaimer saying that DigiTask will not be held responsible for usage of the software or any damages caused by it -- such as could happen if the rogue software wreaked havoc on a target's machine or if a lucky hacker stumbled across it on a target's machine and commandeered it for his own surveillance purposes. Noticeably, the letter doesn't appear to mention any guarantee by DigiTask that its secret software can bypass standard firewall and anti-virus protection.