Feeds

Skype Trojan wiretap plan leaks onto the net

We have ways of hearing you talk

The Essential Guide to IT Transformation

German cops are pushing ahead with controversial plans, yet to be legally approved, to develop "remote forensic software" - in other words, a law enforcement Trojan.

Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks.

As previously reported, the German government is looking to recruit coders to develop "white hat" malware capable of covertly hacking into the PCs of suspects in investigations of terrorism or other serious crimes.

Proposals to give explicit permission for law enforcement officials to plant malware stem from a Federal Court ruling last year declaring clandestine searches of suspects' computers to be inadmissible as evidence, pending a law regulating the practice. Germany's Federal Court of Justice said the practice was not covered by existing surveillance legislation.

Joerg Ziercke, president of Germany's Federal Police Office (BKA), expressed frustration about their inability to decipher the encryption used by Skype in order to tap into the VoIP calls of suspected terrorists. Digitask, if the leaked documents are to be believed, has stepped into the breach.

Skype is widely used by consumers to make VoIP calls. The firm has commissioned security experts to audit the encryption and security of its software.

However, other experts have contested the security of Skype's software. Skype uses widely trusted encryption techniques, such as Advanced Encryption Standard, to encrypt conversations and RSA for key negotiation. But unlike Zfone, its source code has not been publicly released.

In a presentation (pdf) at Black Hat Europe 2006 Philippe Biondi and Fabrice Desclaux argued that without access to the source code we can't be sure if Skype is secure. The researchers also expressed concerns that Skype has the keys to decrypt calls or sessions, a claim the firm itself denies.

Often law enforcement agencies are just as interested in who someone is talking to and for how long. Skype offers confidentiality, but not anonymity.

In 2006 a fugitive chief exec was tracked down to Sri Lanka after a Skype call. Quite how he was tracked down remains unclear, beyond the availability of papers on tracking anonymous peer-to-peer VoIP traffic.

El Reg has been seeking to speak to someone from Skype about security and VoIP systems for over a week since news of flaws involving the interaction between Skype and video-sharing sites such as DailyMotion broke in mid-January. Skype blocked this particular exploit as a workaround pending the arrival of a more complete fix.

Petko Petkov, a UK-based penetration tester and one of those most vocal about warning of the poison movie peril also expressed concerns about Skype's security architecture more generally. He suggested that unencrypted data within Skype's ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots.

Skype has since declined to set up an interview about VoIP security, saying no one was available. It offered to respond to email questions but is yet to respond to a question on Petkov's concerns either.

Even alerting it that we were planning to write about the wikileaks story on Monday failed to elicit a response from the ostrich-like eBay subsidiary. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.