German cops are pushing ahead with controversial plans, yet to be legally approved, to develop “remote forensic software” – in other words, a law enforcement Trojan. Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks…As previously reported, the German government is looking to recruit coders to develop “white hat” malware capable of covertly hacking into the PCs of suspects in investigations of terrorism or other serious crimes.
Proposals to give explicit permission for law enforcement officials to plant malware stem from a Federal Court ruling last year declaring clandestine searches of suspects’ computers to be inadmissible as evidence, pending a law regulating the practice. Germany’s Federal Court of Justice said the practice was not covered by existing surveillance legislation.
Joerg Ziercke, president of Germany’s Federal Police Office (BKA), expressed frustration about their inability to decipher the encryption used by Skype in order to tap into the VoIP calls of suspected terrorists. Digitask, if the leaked documents are to be believed, has stepped into the breach.
Skype is widely used by consumers to make VoIP calls. The firm has commissioned security experts to audit the encryption and security of its software.
However, other experts have contested the security of Skype’s software. Skype uses widely trusted encryption techniques, such as Advanced Encryption Standard, to encrypt conversations and RSA for key negotiation. But unlike Zfone, its source code has not been publicly released.
In a presentation (pdf) at Black Hat Europe 2006 Philippe Biondi and Fabrice Desclaux argued that without access to the source code we can’t be sure if Skype is secure. The researchers also expressed concerns that Skype has the keys to decrypt calls or sessions, a claim the firm itself denies.
Often law enforcement agencies are just as interested in who someone is talking to and for how long. Skype offers confidentiality, but not anonymity.
In 2006 a fugitive chief exec was tracked down to Sri Lanka after a Skype call. Quite how he was tracked down remains unclear, beyond the availability of papers on tracking anonymous peer-to-peer VoIP traffic.
El Reg has been seeking to speak to someone from Skype about security and VoIP systems for over a week since news of flaws involving the interaction between Skype and video-sharing sites such as DailyMotion broke in mid-January. Skype blocked this particular exploit as a workaround pending the arrival of a more complete fix.
Petko Petkov, a UK-based penetration tester and one of those most vocal about warning of the poison movie peril also expressed concerns about Skype’s security architecture more generally. He suggested that unencrypted data within Skype’s ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots.
Skype has since declined to set up an interview about VoIP security, saying no one was available. It offered to respond to email questions but is yet to respond to a question on Petkov’s concerns either.
Even alerting it that we were planning to write about the wikileaks story on Monday failed to elicit a response from the ostrich-like eBay subsidiary.