Press Release: Germany Stipulates Security Gaps by Law – DeepSec Conference Warns: Legal Anchoring of State Trojans Destroys the Security of the Infrastructure.
People on business trips are accustomed to taking precautions against untrustworthy Internet access. Employees are equipped with Virtual Private Network (VPN) technology in order to have secure access to company resources and internal systems. VPNs are also often used to bridge the insecurity of the so-called last mile, i.e. the connection between one's own computer and the actual systems on the Internet. The law passed by the German Bundestag on June 10th, 2021 creates opportunities for the use of so-called State Trojans (literally translated from the German Staatstrojaner: malicious software provided and used by authorities). It institutionalizes security gaps so that state trojans can be installed on end systems. The safe home office is a thing of the past.
Comprehensive surveillance through digital intrusions
The provisions enabling federal malicious software are hidden in amendments to the Federal Police Act and in reforms of the Constitutional Protection Act. All German federal and state intelligence services gain the right to read encrypted communications. On request, Internet providers must actively assist with the installation of the state trojan software; a specific suspicion or a specific reason for intercepting messages is not required. The regulation affects both the operators of messenger services and the Internet service providers who operate the infrastructure for the Internet connection. In addition, the federal police may eavesdrop on ongoing communications of messenger clients. Technically there is no difference in the implementation: one way or another, special software, the state trojan code, has to be smuggled onto the device. Service providers instructed to manipulate Internet communication are, for example, forced to falsify the transfer of software updates and to redirect downloads. By definition, this means that no network traffic can be trusted when accessing the Internet: a connection that looks like the manufacturer's update server may deliver something else entirely. In the future, manufacturer updates will become a direct threat on all platforms.
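The paragraph above describes a provider being compelled to rewrite update transfers or redirect downloads. The defence a practitioner wants against that is to verify updates independently of the transport: the vendor signs a manifest that contains the payload hash, and the client checks that signature against a public key pinned in the client itself, never fetched over the same connection as the update. The following Go program is an added example and is not code from DeepSec or from any vendor's update mechanism; the manifest format, the scenario names and the sample payloads are constructed for illustration, and the key pairs are generated on the fly where a real client would ship the vendor's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest is what the vendor publishes next to an update payload. The
// signature covers the manifest bytes (version and payload hash), not the
// transport, so a provider that rewrites the download in transit or redirects
// it elsewhere cannot produce a valid signature without the vendor's private key.
// (Format constructed for this example.)
type Manifest struct {
	Version    string
	PayloadSHA [32]byte
}

// bytes serialises the manifest into the exact byte string that is signed.
// The fixed-length hash at the end keeps the encoding unambiguous.
func (m Manifest) bytes() []byte {
	out := []byte("update-manifest-v1|" + m.Version + "|")
	return append(out, m.PayloadSHA[:]...)
}

// signManifest is the vendor side: hash the payload and sign the manifest.
func signManifest(vendorPriv ed25519.PrivateKey, version string, payload []byte) (Manifest, []byte) {
	m := Manifest{Version: version, PayloadSHA: sha256.Sum256(payload)}
	return m, ed25519.Sign(vendorPriv, m.bytes())
}

var (
	ErrBadSignature = errors.New("manifest signature does not verify against the pinned vendor key")
	ErrHashMismatch = errors.New("payload hash does not match the signed manifest")
)

// verifyUpdate is the client side. pinnedPub ships with the client or is
// obtained out of band; it is never fetched over the same channel as the update.
// The signature is checked first: only then is the hash in the manifest trustworthy.
func verifyUpdate(pinnedPub ed25519.PublicKey, m Manifest, sig, payload []byte) error {
	if !ed25519.Verify(pinnedPub, m.bytes(), sig) {
		return ErrBadSignature
	}
	if sha256.Sum256(payload) != m.PayloadSHA {
		return ErrHashMismatch
	}
	return nil
}

// runScenarios plays through three downloads and returns the verifier's
// verdict for each, keyed by scenario name. All payloads are constructed
// sample bytes standing in for real installers.
func runScenarios() (map[string]error, error) {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	payload := []byte("example-installer-bytes 2.4.1")
	m, sig := signManifest(vendorPriv, "2.4.1", payload)

	results := map[string]error{}

	// 1. Untouched download: manifest and payload exactly as published.
	results["genuine"] = verifyUpdate(vendorPub, m, sig, payload)

	// 2. The provider modifies the payload in transit (e.g. appends a loader)
	//    but leaves the vendor's manifest alone.
	tampered := append(append([]byte{}, payload...), "<injected>"...)
	results["tampered-payload"] = verifyUpdate(vendorPub, m, sig, tampered)

	// 3. The download is redirected to a server that hosts its own update and
	//    a manifest signed with a key the client has not pinned.
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	fake := []byte("other-installer-bytes 2.4.2")
	fm, fsig := signManifest(otherPriv, "2.4.2", fake)
	results["redirected-download"] = verifyUpdate(vendorPub, fm, fsig, fake)

	return results, nil
}

func main() {
	results, err := runScenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"genuine", "tampered-payload", "redirected-download"} {
		if results[name] == nil {
			fmt.Printf("%-20s accepted\n", name)
		} else {
			fmt.Printf("%-20s rejected: %v\n", name, results[name])
		}
	}
}
```

Two caveats belong with this check. First, the pin is only as good as the way it reached the client: the initial installation and the public key itself must come from a source that the compelled provider did not control, otherwise the pin can be swapped along with the update. Second, signature verification defends against the network rewriting or redirecting the download; it does nothing if the manufacturer is itself instructed to sign a manipulated update, which is exactly the scenario the paragraph above warns about.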
Installing a state trojan on an end device without the cooperation of its owner requires unpublished security vulnerabilities. The law thus implicitly stipulates weaknesses in computer systems. Information security bears the immediate damage, because unknown vulnerabilities, a.k.a. zero-days, are already traded for large sums of money. The change in the law adds stability to this market and thereby endangers everyone affected in the private sector, in business and in the authorities: a vulnerability that is deliberately left unpatched for use by the authorities is equally available to any other party that discovers it.
Online search as a misleading term
The language of the legislation obscures its real meaning for information technology. The exploitation of security vulnerabilities and the installation of additional monitoring software on the end device is referred to as “source telecommunications monitoring” (literal translation of the German term Quellen-Telekommunikationsüberwachung / Quellen-TKÜ). This mechanism is used to read communication in systems that provide secure, end-to-end encrypted communication, because the data is only available in clear text on the end device itself. Alongside Quellen-TKÜ, the term online search (German Online-Durchsuchung) is also used; legally it refers to searching the data stored on the device rather than only intercepting ongoing communication. Either way, the technical implementation leads to a complete compromise of the end device, whose security measures have been successfully attacked and overridden. From a computer science perspective, there is no difference between a state trojan, ransomware or other malware. Once the security precautions have been disabled, the software can manipulate, delete or add data of its own. Compromised systems are no longer trustworthy and can no longer be used safely.
Unsafe technology in surveillance software
The software used by the authorities sometimes has no or only inadequate security measures. In April 2021, the developers of Signal Messenger analyzed a specific forensic software product and found glaring weaknesses and copyright infringements in its code. In 2011, the Chaos Computer Club examined a copy of a state trojan that had been in use since 2008. The technical analysis found hair-raising security flaws in the program: third parties could take full control of an infected system and carry out arbitrary operations on it. In addition, the implementation of the encrypted protocol for transferring the captured data was not even up to the technical standard of the 1940s (no, that is not a typo): the same hard-coded key on every installation, and a cipher mode that leaks patterns in the encrypted data.
When assessing the security features of covert monitoring software, one must bear its intended use in mind. State trojans generally have to break the security of the end device. If such software is then also poorly implemented, it can be exploited further by third parties and used to attack any system on which it is installed. Past examples of malware have clearly demonstrated that this is what happens. Conversely, securely programmed surveillance software does not change the fact that it was installed by means of a break-in. Either way, information security is sabotaged in the long term.
Alternatives to sabotaging the infrastructure
At least since the controversy about secure encryption in the Cold War and its digitization in the PC era, there have been repeated discussions about the cat-and-mouse game between investigators and their counterparts. Security personnel, too, must investigate incidents and determine how digital systems were broken into. In principle, modern technology does not stand in the way of this. Knowing about security gaps and correcting them is a fundamental part of information security, just like the mathematical basis of cryptography. Research in security technology never sleeps, and there are therefore many approaches and publications on investigative methods that do not compromise the digital infrastructure.
Every year the DeepINTEL conference in Vienna addresses issues of strategic security. It covers the analysis of threats and the methods used by attackers, with a focus on both cyber-crime groups and attacks by government organizations. Due to the sensitive nature of the topics, it is a closed conference. Participation is recommended for all security officers in companies and authorities.
Programs and booking
The DeepSec 2021 conference days are November 18th and 19th. The DeepSec trainings take place on the two preceding days, November 16th and 17th. All trainings (with a few exceptions) and lectures are planned as face-to-face events, but depending on future COVID-19 measures they may take place partially or entirely online.
The DeepINTEL Security Intelligence Conference takes place on November 17th. Since this is a closed event, please contact us directly for the program. We provide strong end-to-end encryption for communication: https://deepsec.net/contact.html
Tickets for the DeepSec conference and training courses can be ordered online at any time at https://deepsec.net/register.html. Sponsor discount codes are available; if you are interested, please contact deepsec@deepsec.net. Please note that we depend on timely ticket orders for planning certainty.