German Government Fesses Up to Spying on Citizens With Trojan, Says It's Legal
Just days ago, the Chaos Computer Club announced that it had analyzed what it called a “Bundestrojaner” or “federal trojan” that the group believed had been developed and used by the German government. Security researchers at F-Secure Labs confirmed the malware’s capabilities, giving it the name “R2D2.” Now, state officials are confirming that the software is indeed state-sponsored.
According to the Deutsche Welle, several German states have admitted late Monday to using the software for the past two years. The first to respond was Bavaria, followed by Baden-Württemberg, Brandenburg, Schleswig-Holstein, Lower Saxony, Brandenburg, and North Rhine-Westphalia. In their statements, several of the interior ministers for the states outlined the circumstances in which the trojans had been used, which generally characterize an infrequent and court-approved use of the tool. Some officials, including the Bavarian interior minister, say they will begin investigations into R2D2’s use. Germany’s Interior Minister said that the trojan has never been used as part of a federal investigation.
Today, the German software company DigiTask confirmed that they created the program and have sold it to German clients as well as state and federal agencies in Austria, the Netherlands, and Switzerland. The company says it made a sale to the Bavarian government in 2007, which public records show was worth $897,000 or €660,000. Further references to the software’s development have been traced to this WikiLeaks entry and these public documents. F-Secure labs notes that while they have been calling it R2D2, its installer is called scuinst.exe or Skype Capture Unit Installer. The malware has also been called “0zapftis” by other sources.
Sparse reports are trickling in about the malware’s use in investigations, including this rather chilling story from the Deutsche-Welle:
A Bavaria-based attorney, Patrick Schladt, said in a Monday German-language press release that one of his clients had this software installed on his laptop while at the Munich airport.
When it was first announced, the software not only raised eyebrows because of the possible state-sponsored origin, but because it served as a foothold inside infected computers. Once installed, the trojan’s operators could load and execute programs on the host computer. If that wasn’t distressing enough, the program was also capable of capturing voice data, keystrokes, and imagery from infected computers. Analysis of the trojan showed that it could also activate a computer’s webcam or microphone, turning the infected computer into an all-purpose spying machine.
Now that the creators have fessed up, concern is now shifting to whether or not the software is legal. Laws passed in 2008 by the German government do allow for investigators to perform digital wiretaps, but set up clear guidelines for those circumstances. Given that R2D2 has sprawling capabilities, its use and — possibly even its development — may be in violation of the law. Speaking as a writer and not a security or constitutional law expert, the problem seems to be one of overkill: Investigators installed R2D2 to do one thing, but it is capable of doing far, far more.
We’ll have to wait and see how this plays out in the courts, but in the meantime there is still some concern over R2D2. In the CCC’s analysis of the code, which has been correct so far and supported by F-Secure, the trojan is a rather poorly put together piece of malware. Though they certainly benefit from the use of such hyperbole, the CCC says that R2D2 malware could potentially be misused or hijacked by non-governmental agencies. In the CCC announcement of the trojan, the group says that they first alerted state agencies in order for the malware to be remotely disabled once the code was made available.
However, everyday folks may not have to be as worried about being hit with the trojan. According to an update from F-Secure, the malware was entered into the Virus Total database in 2010, and was automatically blocked by their software before it was identified. Apparently, R2D2 just looks fishy, even to other machines. That’s some reassurance, I suppose.