German Govt. Skype Interception Trojans Revealed

James Hardine writes "Wikileaks has released documents from the German police revealing Skype interception technology. The leaks are currently creating a storm in the German press. The first document is a communication by the Ministry of Justice to the prosecutors office, about the cost splitting for Skype interception. The second document presents the offer made by Digitask, the German company secretly developing Skype interception, and holds information on pricing and license model, high-level technology descriptions and other detail. The document is of global importance because Skype is used by tens or hundreds of millions of people daily to communicate voice calls and Skype (owned by Ebay, Inc) promotes these calls as being encrypted and secure. The technology includes interception boxes, key forwarding trojans and anonymous proxies to hide police communications."

Germany

[CastrTroy (595695)]

Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?

Re:

[gnasher719 (869701)]

Germany still seems to have a lot of it's old attitudes lying around. Installing trojans on the computers of it's citizens for the purpose of listening to skype calls is way beyond what I would expect from a country like Germany. Then again, they still can't have video games with Nazis or blood in them. How long before someone packages up a Linux live CD with Skype preinstalled so that you can ensure you're computer isn't compromised when making phone calls?

1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that w

Re:Germany

[CastrTroy (595695)]

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it. Just like they can stake out your house from a van on the road. They aren't allowed to walk into your house and watch you all day. Once they start installing trojans on computers for listening to skype calls, it's not a far stretch from them installing trojans to record every action you do on your computer.

Re:Germany

[STrinity (723872)]

The police are allowed to tap regular phone lines because they don't have to intrude on your property to do it.

No, they're allowed to tap phone lines because they get court orders saying they can. Do you think courts have never issued warrants allowing police to place bugs on a suspect's property?

Re:Germany

[Nullav (1053766)]

So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them. Also, with this information out in the open now, anyone with a lick of sense will be even more wary of such rogue email attachments.

tl;dr - No one has to convince you to pick up a tapped phone.

Re:

[WK2 (1072560)]

So? It's a trojan, meaning that one has to willingly open it; more bluntly, it means that the police will need to trick people into opening them.

Here in the USA, the police will break into your house to install keyloggers and such. Hardware keyloggers, usually. They will only send something through email if they don't know who you are (such as virus writers) and they do it to find out who, and where you are, not to listen to your phone calls. The problem with sending software trojans is that it usually doesn't work, and might get noticed.

Re:Germany

[m.ducharme (1082683)]

I always wondered what that weird looking dongle was hanging out of the USB port....

Your privacy, Your liberty, Your freedom

[iendedi (687301)]

1. It is legal (if you get permission from a judge etc.) to listen in to phone conversations. 2. With Skype using 256 bit encryption, the police cannot do in practice what it is allowed to do legally. 3. Some company makes software/hardware that enables the police to do what they are allowed to do legally.

It seems to be necessary to install some software on the user's computer to achieve this. As long as this software doesn't do anything but opening up Skype communications, it doesn't do anything that would affect the user's rights. All their Skype communications can only be heard by people who are legally allowed to hear it - even though one of them is the police, which is not the _intended_ recipient.

In the US, today, the government can legally decide that you might be a terrorist (you know, like you support Ron Paul, for instance, who is very terrifying to them). Once so implicated, they can legally break down the door to your house, pull you from your bed, take you to a detention center, refuse to give you a phone call, hold you for as long as they like, torture you and so forth. If they decide to release you, they are not legally obligated to in any way compensate you for your life that they just demolished.

I point this out to illustrate, essentially, that legality does not necessarily have anything whatsoever to do with acceptability. It is our responsibility to stop this madness. I do not believe that governments have the right to invade our lives in these ways. I do not believe the government has the right to install a virus on my computer for the purpose of taking my skype keys. We all know that the various governments around the world are infiltrated by all manner of nasty organizations. If the government has a virus in my computer, then is it safe for me to transfer funds using online banking on my computer? How do I know that there aren't members of some criminal syndicate that are working for the government that have access to that virus?

No. If someone breaks my door down, I don't care if it is a policeman, a soldier, a thief or a vampire, I have the right and obligation to defend my family and my space with deadly force. If someone breaks into my computer, I have the right and obligation to eliminate that threat and to help others do the same. We all need to take these transgressions on our personal space, lives and property much more seriously. When will we fight back? When they want to put an implant in our brains to read and control our thoughts?

When is it enough, people??

Re:

[TransEurope (889206)]

An to do the same without public announcement is better? Or what "old attitudes" have CIA and NSA? Are they Nazis too? Or worse?

Re:

[by Anonymous Coward]

How long before the gestapo packages up a Linux live CD with Skype preinstalled and distrubutes it as secure?

Fixed

Re:Germany

[trewornan (608722)]

Germany still seems to have a lot of it's old attitudes lying around.

Yeah, because other governments would never do something like this - talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

Re:

[smilindog2000 (907665)]

Skype pretty much admits allowing wire-taps by refusing to answer whether they do or not, and given the law that makes them do it, and the current administration's love of secret Internet monitoring, you pretty much have to assume your Skype calls are about as public as Slashdot. What's interesting about this article is to find the Germans doing it. They had seemed so progressive lately, I'm quite surprised.

Naive people.....

[jmorris42 (1458)]

> talk about naive. Did anybody here not realise that skype calls were going to be intercepted?

That is exactly why all the uproar. Too many stupid people looked at the magic encryption pixie dust eBay was splashing around Skype and thought it was safe. A closed implemntation of crypto by a closed corporation subject to the laws of most countries by virtue of being a multi-national. If the crypto didn't have bugs[1] a court order from any jurisdiction eBay does business in would be all that is needed t

Re:Germany

[Aardpig (622459)]

As someone else has pointed out, it is legal in Germany for police to monitor phone calls, when they get appropriate authorization from a judge. Contrast this with the United States, where the administration is trying to award retroactive immunity to itself and telcos for years of illegal phone surveillance.

Re:Germany

[Yahma (1004476)]

My thoughts exactly. While our administration has allowed for unwarranted illegal wiretapping with full cooperation from most of the major telco's, the American public is mostly either unaware of the issue, or seemingly apathetic. The German public, on the otherhand, is almost in an uproar over the revelations that the German gov't can/may listen in on Skype calls LEGALLY.

The difference in public reaction is likely due to the histories of our respective nations. The Germans populace went through a period where a lunatic dictator brought on the downfall of the nation. Today in Germany, school children from age 5 upwards learn about this terrible time in the Nation's history and because of the openness and recognizance of today's germany with respect to its recent history, its population are very very wary of allowing Government too much power over its people. In the US, on the otherhand, the government have been passing laws stripping our privacy using 9/11 as justification. The recent realization that there will be little to no backlash from the American populace as a whole has only encouraged our government to continue with such laws as the "Patriot Act" that slowly strip away our rights and give the Executive Branch ever more power.

Re:Germany

[hkl387 (565152)]

This is not about Germany's past, this is a global issue of today.

According to a 2007 International Privacy Ranking [privacyinternational.org], there is "weakened protection" in Germany, while the UK and the US are ranked as "endemic surveillance societies".

Yes, we are very concerned about German authorities pushing to weaken our rights, but we also need to understand that Citizen's rights are under attack all around the world these days. Stereotypes are not helpful, we've got to stand up for our rights together.

so what?

[by Anonymous Coward]

They already have the ability to spy on you for normal phone calls. This just does the same thing for skype. In fact it's less bad since they can't do it on a mass scale; they have to come to the house of the person they want to install on or risk no knowing enough about your computer systems. What's the big hype? It's a very clear lesson; if you can't afford to protect your machine physically (and very few of us can afford that against something as powerful as the German Govt.) then you can't be 100%

Re:

[cozziewozzie (344246)]

The key thing is that they need a court to approve monitoring and have due legal process. This is what sets Germany apart from totalitarian societies like Saudi Arabia, China, the USA and Sudan.

In reality, however, one only has to claim that something you do, or something you know does, or something somebody who knows somebody who knows you does, is somehow unconstitutional, and they can listen to all your communications. You won't even know about it.

So, in practice, there is little fundamental difference,

Why should we be surprised?

[trelayne (930715)]

If Germany can do it, do we really think it hasn't already been done in the states? Skype, is very popular and would be a logical means for governments to monitor conversations---especially when said program touts itself as being encrypted and secure. So the German revelations are likely a national security goof.

Re:Why should we be surprised?

[Kadin2048 (468275)]

If Germany can do it, do we really think it hasn't already been done in the states?
Skype, is very popular and would be a logical means for governments to monitor
conversations---especially when said program touts itself as being encrypted and
secure. So the German revelations are likely a national security goof.

More than that, while the Germans have to install this aftermarket snooping program, it wouldn't surprise me if Ebay provided a convenient backdoor in the code so that the U.S. government can do the same thing without going to all the trouble and expense (both of third-party software, and warrants).

How exactly Skype implements encryption has never been made public. Anyone using it for secure communications is a fool. The only person it's good against is some script kiddie on your LAN or in the coffee shop where you're using a hotspot. The only person calling it "secure" is Skype/Ebay, and since they haven't opened the code up for auditing by disinterested third parties (someone like, say, Bruce Schneier), it's really not guaranteed to be anything more than snake oil.

For all you know, every time you make a call, Skype could be forwarding the key to a central server and then sending them in bulk to the FBI. That's the price of using a closed-source security product where the vendor has an obvious interest in selling you out to the authorities.

da

[by Anonymous Coward]

Da, zis ceetezens arse iz goodentite.

Skype and firewalls.

[Ethanol-fueled (1125189)]

If the German authorities know how to use Skype as a trojan, then I'll bet that others do too.
I'm not too familiar with skype and its relation to firewalls but wasn't there an article or two(and this [cyberciti.biz]) about Skype's ability to use voodoo to penetrate firewalls? Any alternative clients? I'm not by any means an expert, by the way :)

Man-in-the-middle against SSL?

[gnasher719 (869701)]

Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

The only possibility that I can see is to modify the browser itself, so that when the user tries to get a secure connection to www. criminals.com, the browser contacts www. police.de instead, gets a valid certificate from the police, while the police's computer then makes a secure connection to www. criminals.com.

Re:

[Raven42rac (448205)]

mac spoofing, arp poisoning, dns spoofing, and a fake certificate

Re:Man-in-the-middle against SSL?

[gnasher719 (869701)]

mac spoofing, arp poisoning, dns spoofing, and a fake certificate

Yes, I forgot that if they are able to install software on your computer, they might also be able to install a root certificate created by the police, and send you a kind-of-genuine certificate for www.terrorists.com, signed by www.police.de. Or they _might_ be able to convince a certificate authority to give them an actual, valid certificate for www.terrorists.com, which would be a bit worrying.

With a minute of thinking: The first method would be much better, because they don't need to know ahead who I am going to contact.

With another minute of thinking: My computer has for example four Verisign root certificates installed. Does that mean that Verisign (I only take them as an example) could technically install a box with a computer into the phone line 50 meters away from my house, and do a man-in-the-middle attack by creating genuine Verisign certificates for any SSL connection that I make, without breaking into my home or doing anything to my computer at all? And the only trace that I would have would be the curious fact that everyone I contact uses certificates signed by Verisign?

With a further minute of thinking: My computer has about 100 root certificates installed that came with Leopard, and similar things happen for Windows users. I have no idea where these certificates come from; I just have to trust Microsoft and Apple. If the police could convince Microsoft and Apple to put a root certificate owned by the police into their installers, then the police could read anyone's SSL connections without breaking into their homes (but breaking into their connection a bit further down the line)?

Re:Man-in-the-middle against SSL?

[Rich0 (548339)]

You are completely correct. When you tell your browser to trust a root certificate - that means exactly what it sounds like it means. Whoever has the signing keys to that root cert can make your browser think that any site is legit for any domain name.

Many companies install their own root certs so that they can sign their own intranet ssl certs (rather than pay for a ton of them for every little web-based app they install). That gives those same companies the ability to man-in-the-middle any web connection from one of their browers.

Nothing new here - if somebody can get you to install stuff on your computer they can generally do whatever they want with it if they are unscrupulous.

Re:

[maxwell demon (590494)]

To redirect the user from www.criminals.com to www.police.de, they only have to intercept DNS calls (unless the criminals have edited their /etc/hosts or Windows equivalent, but if they get a trojan in, that shouldn't be too hard to change as well). The only thing which might be problematic is to get a valid certificate. But then, they probably can get that by just connecting themselves (which they'll do anyway if they do a man-in-the-middle). AFAIK the certificate only contains the domain name, not the ser

Re:

[by Anonymous Coward]

Does anyone know how a man-in-the-middle attack against SSL, as mentioned in the article, is supposed to work?

Probably in the same way that governments perform any other interception methods, full cooperation from corporations.

Look at who Narus, the manufacturer of big honkin' communication vacuums that the NSA has installed at ATT and other telco's, partners with:

http://www.narus.com/partners/index.html [narus.com]

VeriSign offers the entire suite of Narus products to its global customer base as managed services or li

It's NOT the german gov,...

[TransEurope (889206)]

it's the bavarian government, a federal state of germany.

http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102375/;words=Skype [heise.de]
http://www.heise.de/newsticker/suche/ergebnis?rm=result;q=skype;url=/newsticker/meldung/102485/;words=Skype [heise.de]

Re:It's NOT the german gov,...

[KDR_11k (778916)]

For Americans, just think of Texas with lederhosen instead of cowboy garb.

How does this affect admissibility?

[by Anonymous Coward]

Germany has/had some wonderful privacy legislation, but in the last year or so they're heading in the other direction...

What's interesting here is the collection of evidence by installing spyware: if forensic analysis of a disk means absolutely nothing may be installed/changed/touched on the disk, how are they allowed to install their own software? does this invalidate any evidence they collect for use in a court, or are civil law courts a bit more flexible with such things?

Secondly, the problem here doesn'

"how are they allowed to install their own..."

[TransEurope (889206)]

"....software?"

Good question. The best answer is, the bavarian minister has exactly no idea of software and how it works. He shares his unknowledge with his federal counterpart Wolfgang Schäuble, the guy responsible for the so called "Federal Trojan" (Bundestrojaner).

http://en.wikipedia.org/wiki/Wolfgang_Sch%C3%A4uble [wikipedia.org]

Re:

[TransEurope (889206)]

I don't think the common 15-$-earphones match the price to contain the logic for encryption between computer an earphone/mic. But a hardware solution is not the question here, because the ministry said explicitely that they want to use software. hides much better than a strange piece of electronics which appears out of the nothing at your line-in.

Re:

[TransEurope (889206)]

Maybe it was may fault and my English isn't good enough ;-D But somewhere between Skype and the earphone's driver (you probably need one) the data must be "clear speak" to handle it over to Skype, and at this point the trojan could hook into. Or there must be a interface in Skype implemented, to receive/send encrypted audio streams directly to a headphone.

Skype is not securely encrypted.

[WK2 (1072560)]

Skype is not securely encrypted. The only client is closed source, and the protocol is not open, nor peer-reviewed. The developers themselves have said that security analysts would probably quickly find holes if they opened the source.

It is less likely that thieves and spies, etc, will be able to eavesdrop on your Skype conversations than with a plain old phone. But don't treat it as secure communications.

http://en.wikipedia.org/wiki/Skype [wikipedia.org]

Re:

[PGillingwater (72739)]

I would have to take issue with your statement.

According to this: http://www.ossir.org/windows/supports/2005/2005-11-07/EADS-CCR_Fabrice_Skype.pdf [ossir.org]

Skype seems to use AES for the VOIP payload, and RC4 for signaling packets.

Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling.

I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

However, there was an "independent"

Re:

[WK2 (1072560)]

It's nice that Skype is at least smart enough not to use DES, or ROT-13. AES is good encryption.

Naturally, although AES is an excellent algorithm, it will fail if the implementation is weak, especially in the key handling. I agree that the code is largely obfuscated, and without open source, it would be a nightmare to expect to rely on its security.

I couldn't agree with you more.

However, there was an "independent" review of Skype, which I understand was able to review the source code.

You put "independent" in quotes. After reading the pdf you linked to, I could see why. From the pdf:

You may imagine my delight when, in April 2005, Skype contacted me and invited me to compete for the job of performing an independent evaluation of Skype information security

Skype thinks they are hiring an independent evaluator? I wonder how many independent evaluators they had to go through before they found one who was confident in Skype's security, so that they could display how secure they are.

So to summarize, we have:

+ Skype uses a good,

Re:

[PGillingwater (72739)]

Yes, I did quote "independent", because of the conditions under which the inspection was made.

However, before everyone rushes to judgment -- the guy who did the evaluation appears to have impressive credentials for assessing the effectiveness of implementation of encryption algorithms.

Check out his page: http://www.anagram.com/berson/ [anagram.com]

In my opinion, as a crypto dilettante, this guy Tom Berson is the real deal.

Of course, Skype showed him selected parts of the code, which may or may not be in the final produc

Source Audit

[fred911 (83970)]

I don't believe for 1 minute that the "encryption" included with Skype is secure or should we say "escrow key free", do you?

The classic /. question.....

[budword (680846)]

Yeah, but does it run on Linux ? Anyone know if said software will end up on your linux box ?

Re:

[maxwell demon (590494)]

According to http://www.esrockt.com/bayerntrojaner-hoert-skype-gespraeche-ab/ [esrockt.com] (German language), it only works on Windows.

Skype on linux is a bad idea

[Werrismys (764601)]

It's closed, proprietary crap after all.

I for one

[MrCopilot (871878)]

am glad i live in a country where these abuses of privacy are outlawed by the constitution and the government would never even think to monitor our voice and data transmissions.

That is why I am proud to be an American. They what, Oh damn.

What about China?

[Toddlerbob (705732)]

As pointed out in a comment above, if Germany does it, why not the USA? (Especially with all the secrecy and propensity to spy on citizens that the USA feds have these days)

I'm wondering now about China. I remember that Skype was, for a short time, on slippery footing for continued operations in the People's Republic. Then, for some reason, there was no longer a problem. I can't help but suspect that Skype may have opened up its code to China in order to continue operating there. The Chinese government liv

anybody who believes skype to be safe, ....

[WindBourne (631190)]

is an idiot. Do you think that the USA, England France, Germany, China, and Russia would allow its citizen to communicate without their knowing? ALL of them have the ability to listen in on the calls. Heck the fact that the calls exist in China tells you that THEY have it. Do you think they cracked it? Nope. They will simply have bought or stolen it from another country (most likely America). And I suspect that even if we (America) did not have it, we would also resort to obtaining it from elsewhere. After

To paraphrase Carlin

[smitty_one_each (243267)]

We should prick a hole in the stiff trojan front erected to cover these pricks.

End to End Only

[Doc Ruby (173196)]

The only encryption worth trusting is end-to-end, where at least one end is verified secure by you (because inevitably you'll have to trust the person at the other end, no matter how secure their tech is). Why would I trust Skype to be the middleman? Either to ensure the encryption works, or not to allow backdoors (designed or unexpected) in their carriage of the signals.

When the network and all its intermediary nodes don't have to be trusted, because they just carry opaque traffic that only the endpoints c

Maybe, but...

[TransEurope (889206)]

...they were never hired by the CIA/NSA. They were all hired by the German Government to found the Bundesnachrichtendienst (Germany's Federal Secret Service) and the MAD (Military Counter Intelligence Service) in 1956 ;-)

Fascism

[J'raxis (248192)]

Anyone who thinks fascism in Germany ended with the fall of Nazism is severely mistaken.

Re:

[jollyreaper (513215)]

an the public

Schiesse. Maybe next they'll show us how to proofread. :(