German police confirm R2D2 Trojan use

Despite official denials from the Bundeskriminalamt, several German states have come forward to confirm that the R2D2 Trojan analysed by hacker group the Chaos Computer Club is, indeed, an official government tool.

When the CCC released its thorough analysis of the R2D2 Trojan, it claimed that it represented a Bundestrojaner: a tool used by German law enforcement to monitor and modify a suspect's computer system. Such tools were originally allowed by law, but in 2008 the Bundesverfassungsgericht restricted their usage to the recording of VoIP conversations where traditional physical wiretaps wouldn't work.

Although German law allows for the use of such digital wiretaps - known as Quellen-TKÜ - it specifically restricts the tool from any other functionality, including uploading of files and modification of the host system beyond that required for VoIP monitoring.

The CCC analysis claimed that the R2D2 Trojan was capable of exactly those things, making it a government-sponsored illegal Trojan. At the time, a spokesperson for the Bundeskriminalamt - the German federal law enforcement agency - denied that the R2D2 Trojan was a Bundestrojaner, but a 2008 memo leaked to WikiLeaks asking for a company called DigiTask to create such a tool suggested otherwise.

That leak appears to have been the straw which broke the camel's back: since the CCC published its findings, four German states have come forward to admit that they have used the R2D2 Trojan or similar tools to gather evidence on suspects.

According to DW-World's round-up of local media reports, Bavaria, Baden-Württemberg, Brandenburg and Lower Saxony have all reported use of the R2D2 Trojan "within the parameters of the law." While that suggests that the Trojan has been used in its legal format of a Quellen-TKÜ, it ignores the possibility - confirmed by the CCC's analysis of its capabilities - that the R2D2 Trojan can be upgraded to full and illegal Bundestrojaner functionality.

Joachim Herrmann, interior minister for Bavaria, promised to conduct a review into the software's use in order to ensure that it complied with the Bundesverfassungsgericht's 2008 ruling on the use of Quellen-TKÜ technology, while justice minister Sabine Leutheusser-Schnarrenberger called for a joint investigation between state and federal government.

While use of the R2D2 Trojan by local law enforcement agencies - known as Landeskriminalamt, or LKA - has been confirmed, an official statement from the Interior Ministry denies that any such tool was being used at a federal level by the BKA.