The German government is at the heart of a privacy row after a hacker group released details of a Trojan which, it claims, was written as a Quellen-TKÜ, or lawful-interception, package.
Discovered late last week by the noted hacker group the Chaos Computer Club (CCC), itself based in Germany, the R2D2 or 0zapftis Trojan is a sneaky piece of software: according to the CCC's reverse engineering, it is a 'lawful interception' tool designed to let police siphon data from, and even take control of, a suspect's computer in the name of gathering evidence, the kind of tool known in Germany as a Bundestrojaner, or Federal Trojan.
Sadly, there's a problem beyond the tool's alleged intended use: "Significant design and implementation flaws," the group writes of its discovery, "make all of the functionality available to anyone on the internet."
German law has long allowed federal authorities to employ malware-style tactics for evidence gathering and intelligence work, but a 2008 ruling by the Bundesverfassungsgericht (Federal Constitutional Court) set strict limits on the use of a Bundestrojaner for covert searches of a computer, leaving only a narrower measure, Quellen-TKÜ (source telecommunications surveillance), to intercept VoIP calls at the endpoint where a traditional wiretap on the line would be defeated by encryption.
The Trojan analysed by the CCC, however, oversteps the mark. "The CCC analysis reveals functionality in the 'Bundestrojaner light' concealed as 'Quellen-TKÜ' that go much further than to just observe and intercept internet based telecommunication, and thus violates the terms set by the constitutional court," the group claims.
"The Trojan can, for example, receive uploads of arbitrary programs from the Internet and execute them remotely. This means, an 'upgrade path' from Quellen-TKÜ to the full Bundestrojaner's functionality is built-in right from the start," adds the CCC. "Activation of the computer's hardware like microphone or camera can be used for room surveillance."
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully," a sensibly anonymous spokesperson for the CCC declared as the group released its findings. "In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
The release of the investigation's findings has the malware community abuzz. Officially, the R2D2 Trojan has nothing to do with the Bundeskriminalamt (BKA), Germany's federal criminal police. "The BKA has not used the Trojans shown by the CCC," German government spokesperson Steffen Seibert said via Twitter. "It is not ours."
Evidence has emerged, however, that the state-level criminal police offices, the Landeskriminalämter (LKA), which are agencies of the individual German states rather than branches of the BKA, may not be so innocent. The command and control server for the R2D2 Trojan is located in Düsseldorf, home to LKA Nordrhein-Westfalen.
An LKA has, incidentally, been here before: in 2008 WikiLeaks published documents between Bavarian authorities and a software development company called DigiTask, which showed the state asking the company to build an interception Trojan with remarkably similar properties to the R2D2 Trojan uncovered by the CCC.
"It's not really possible to prove who authored the malware, unless the German authorities confirm their involvement," admits Sophos's Graham Cluley. "However, it's beginning to look as though it's more likely that they were involved than not."
"We have never before analysed a sample that has been suspected to be a governmental backdoor," a bemused Mikko Hypponen of rival anti-virus outfit F-Secure explains in his own analysis. "We have also never been asked by any government to avoid detecting their backdoors."
If the R2D2 Trojan does indeed turn out to be the first example of a software bugging tool created by a major world government in direct contravention of its own laws, it would cause an outcry unlike anything in recent memory. For now, however, the German government is maintaining its silence.
The full Chaos Computer Club report can be found here.