Feeds

Skype Trojan wiretap plan leaks onto the net

We have ways of hearing you talk

High performance access to file storage

German cops are pushing ahead with controversial plans, yet to be legally approved, to develop "remote forensic software" - in other words, a law enforcement Trojan.

Leaked documents outline proposals by German firm Digitask to develop software to intercept Skype VoIP communications and SSL transmissions. A second leaked document from the Bavarian Ministry of Justice outlines costing and licensing proposals for the software. Both scanned documents (in German, natch) have found their way onto the net after being submitted to Wikileaks.

As previously reported, the German government is looking to recruit coders to develop "white hat" malware capable of covertly hacking into the PCs of suspects in investigations of terrorism or other serious crimes.

Proposals to give explicit permission for law enforcement officials to plant malware stem from a Federal Court ruling last year declaring clandestine searches of suspects' computers to be inadmissible as evidence, pending a law regulating the practice. Germany's Federal Court of Justice said the practice was not covered by existing surveillance legislation.

Joerg Ziercke, president of Germany's Federal Police Office (BKA), expressed frustration about their inability to decipher the encryption used by Skype in order to tap into the VoIP calls of suspected terrorists. Digitask, if the leaked documents are to be believed, has stepped into the breach.

Skype is widely used by consumers to make VoIP calls. The firm has commissioned security experts to audit the encryption and security of its software.

However, other experts have contested the security of Skype's software. Skype uses widely trusted encryption techniques, such as Advanced Encryption Standard, to encrypt conversations and RSA for key negotiation. But unlike Zfone, its source code has not been publicly released.

In a presentation (pdf) at Black Hat Europe 2006 Philippe Biondi and Fabrice Desclaux argued that without access to the source code we can't be sure if Skype is secure. The researchers also expressed concerns that Skype has the keys to decrypt calls or sessions, a claim the firm itself denies.

Often law enforcement agencies are just as interested in who someone is talking to and for how long. Skype offers confidentiality, but not anonymity.

In 2006 a fugitive chief exec was tracked down to Sri Lanka after a Skype call. Quite how he was tracked down remains unclear, beyond the availability of papers on tracking anonymous peer-to-peer VoIP traffic.

El Reg has been seeking to speak to someone from Skype about security and VoIP systems for over a week since news of flaws involving the interaction between Skype and video-sharing sites such as DailyMotion broke in mid-January. Skype blocked this particular exploit as a workaround pending the arrival of a more complete fix.

Petko Petkov, a UK-based penetration tester and one of those most vocal about warning of the poison movie peril also expressed concerns about Skype's security architecture more generally. He suggested that unencrypted data within Skype's ads created a means for hackers to taint ad traffic with malware by using packet injection tools such as Airpwn in environments such as public wireless hotspots.

Skype has since declined to set up an interview about VoIP security, saying no one was available. It offered to respond to email questions but is yet to respond to a question on Petkov's concerns either.

Even alerting it that we were planning to write about the wikileaks story on Monday failed to elicit a response from the ostrich-like eBay subsidiary. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Bad PUPPY: Undead Windows XP deposits fresh scamware on lawn
Installing random interwebs shiz will bork your zombie box
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.