This story has been updated twice with recent developments. Please scroll down to the end of the text to view updates.
German police may be using a sophisticated Trojan to tap the Skype calls and IM chats of citizens without their knowledge, a well-known hacking group alleges.
The Trojan, called "R2D2," can capture screenshots from Web browsers, log user keystrokes, record Skype audio conversations and possibly communicate with a remote website, Germany's Chaos Computer Club (CCC) wrote on Saturday (Oct. 8).
German wiretap laws permit the use of a "Bundestrojaner," or "federal Trojan," to spy on criminal or terrorist suspects by recording their Voice over Internet Protocol (VoIP) conversations, such as those transmitted over Skype. But if R2D2 is indeed the Bundestrojaner, its abilities are far beyond what the laws permit.
The German federal government has denied it is using R2D2, The Register said. It's also possible that a German state police agency may be using it independently.
"Our analysis revealed once again that law enforcement agencies will overstep their authority if not watched carefully," the CCC said. "In this case functions clearly intended for breaking the law were implemented in this malware: they were meant for uploading and executing arbitrary code on the targeted system."
According to Graham Cluley, senior technology consultant for the security firm Sophos, the Trojan was found on the hard drive of a German lawyer's client as the client passed through customs at Munich Airport.
In analyzing R2D2 — so-called because of a line in the code that references the "Star Wars" droid and his friend C3PO — the CCC found that the Trojan contains "serious security holes," namely in the way it processes screenshots and tapped audio files. Once it lands on a target's computer, R2D2 captures and sends out these files in unencrypted formats.
The privacy consequences of this insecure formatting are huge: The spyware, the CCC contends, could be exploited by hackers to tamper with the data authorities are (perhaps illegally) trying to harvest. For example, the police could be using R2D2 to log the keystrokes of a suspected terrorist, and a hacker could, at the same time, worm his own way into the suspected terrorist's system and plant all kinds of false information on it.
"Any attacker could assume control of a computer infiltrated by the German law enforcement authorizes," the CCC said. "The security level this Trojan leaves the infected systems in is comparable to it setting all passwords to '1234'."
Researchers from the security firms Sophos, Symantec and F-Secure have all confirmed the authenticity of R2D2. The companies did not take an official position regarding the CCC's claims that a German government agency, either at the federal or state level, is behind it.
Cluley, however, did acknowledge that this wiretapping Trojan is "likely to kick up a political storm" in Germany if the CCC's allegations turn out to be true. Germany has very strict privacy laws, and the memory of constant surveillance of ordinary citizens during the Nazi and Communist eras has created a deep-seated revulsion against anything that smacks of governmental or corporate intrusion into private life.
UPDATE: The security firm Bitdefender late Monday (Oct. 10) released a removal tool for R2D2. It can be downloaded for free at Bitdefender's website.
UPDATE: As of Tuesday morning (Oct. 11), five German states — Baden-Württemburg, Brandenburg, Lower Saxony, North Rhine-Westphalia and Schleswig-Holstein — had confirmed that their police agencies had used "Bundestrojaner," but all insisted they had done so within the scope of the law. A sixth, Bavaria, said it had used an unspecified spyware program.