Impressed by FBI trojan, Germans write their own-and national scandal ensues
By Matthew Lasar Ars Technica
It has been pretty chaotic in German Chancellor Angela Merkel's cabinet ever since the Chaos Computer Club dumped some alarming technology news in her lap. Turns out that the German government's "lawful interception" application, supposedly designed only to monitor IP telephone calls, is just a little more powerful than the police let on.
Berlin-based CCC released its analysis of Germany's "Quellen-TK" ("source wiretapping") trojan on Saturday. The results weren't pretty. Despite a constitutional court ban on the use of malware to crack PCs, the state-sanctioned malware's makers didn't even bother to add technical barriers ensuring that the code would only be used for tapping Internet telephone conversations.
"On the contrary, the design included functionality to clandestinely add more components over the network right from the start, making it a bridge-head to further infiltrate the computer," CCC's report noted.
But that's only the start of what this application can do:
The government malware can, unchecked by a judge, load extensions by remote control, to use the trojan for other functions, including but not limited to eavesdropping. This complete control over the infected PC - owing to the poor craftsmanship that went into this trojan - is open not just to the agency that put it there, but to everyone. It could even be used to upload falsified "evidence" against the PC's owner, or to delete files, which puts the whole rationale for this method of investigation into question.