Schneier on Security
A blog covering security and security technology.
« Leaked UK Government Document on National ID |
| Detecting Nuclear Weapons Using the Cell Phone Network »
February 1, 2008
Bavarian Government Wants to Intercept Skype Calls
And plans are to use malware to do it.
Posted on February 1, 2008 at 5:00 AM
• 29 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
So the next step in the arms race ic going to be special headsets that encrypt all data and do a key exchange directly with the VoIP-application.... no MitM by local trojans :-)
Why is the use of malware necessary in this case?
All Skype keys are stored in Luxembourg. Can't the Bavarian cops ask their colleagues in Luxembourg to provide the legal interception?
@Juergen: How is the headset going to establish that it is actually talking to an authentic Skype and not to a manipulated binary?
Sorry, very off-topic, but I just have to share.
"They're protecting the leader of the 'free' world with brown paper." That's a direct quote from one of my co-workers this morning. Miles and miles (literally, there's a lot of overlooking offices).
President Bush is coming to my workplace this morning and they've covered all of our windows with brown butcher paper and tape so that we can't see out. So what's normally a fairly bright, open-feeling area is now a dungeon. When he arrives, we won't even be able to see him. Security theatre at its finest. Like my co-worker also said, it's like putting a padlock on my garden shed: it keeps the honest people honest.
Other Draconian measures: don't come to work after 8:30 am and don't plan to leave until Noon.
So, I can't see him arrive, and I can't leave for a certain period of time. My own private Gitmo. God bless America.
Sorry for OT, now talk amongst yourselves.
@Juergen: A high-level application like Skype interfacing directly with the hardware sounds very much 1990 (remember the compatibility headaches?). Moreover, if the malware is a bootkit/rootkit, no software interface will protect you anyway.
Read-only boot/OS/app medium (CD or DVD) on TPC hardware seems like a possibility to me (but then again, the malware is probably not targeted at users with such level of expertise: "For the installation of the Skype Capture Unit an executable file will be delivered, that can for instance be attached to an e-mail or directly be installed on the target machine." -wikileaks in URL).
So essentially what you're saying is they can't secure their way out of a brown paper bag...
I guess what I'm saying is, it is about as secure AS a brown paper bag. I mean, come on--papering windows?
That's a heck of a security job there brownie. Sorry, couldn't resist.
@Juergen: In which case the easiest thing would be just to use a bug that records data onto a flash chip, that is sneakily integrated into the headset that the targeted suspect is using.
If you were running Linux / Unix or (Windows not in Admin mode), then surely it should be difficult to install a worm or rootkit? So I think email will be an unlikely path. Maybe by getting them to install a modified version of P2P software. But I think they'll just get access to the site and use hardware keyloggers. Then wait and hope someone has the right to and actually uses su/sudo and then they physically go to the site again.
At least its a cheap solution, rather than some super complex facial - recognition behavior monitoring system costing 6.3 Jiga Billion Dollars.
The emporer's clothes.
"plans are to use malware to do it."
What else? If the police, even with a valid court wiretap order, install (for instance) keyboard logging software on your PC without your knowledge, then that's malware by definition, since the operator of the computer doesn't want it there.
But the operator of the computer is a suspect in a criminal investigation, so that's just tough luck for him. He doesn't get a say.
If the "malware" turns up any incriminating evidence, I imagine that the police would employ "kidnapping" in order to further their investigation. This being Germany there's no chance of the courts opting to "murder" a convicted criminal, but they could easily "steal" money from him or impose a further period of "kidnapping", depending on the crime. I don't know whether German courts have the option of also inflicting "indentured servitude" as a punishment, but here in Britain they certainly do.
Honestly. I don't object to people being made aware that, among the ways in which the police conduct surveillance, sneaking software onto your PC is one of them. But the fact that the surveillance is carried out without the consent of the person being observed surely isn't something many people object to on principle, is it?
If the problem is that the surveillance is excessive, then that should be stated, rather than calling it "malware", with the insinuation that it must therefore be a bad thing regardless of the actual facts.
The idea would have to be that the headset doesn't care about Skype - it's just the audio transport layer. It would be a direct point-to-point session between two headsets, over an audio-only channel.
This would be the same way an SSL client doesn't care if some hop at the IP layer is compromised. All it can do is encrypt against interception, and detect and alert on tampering.
The best part is, it could be completely transport neutral - plug the headsets into your cellphone, your desk phone, or your computer using the audio chat program of your choice - you get the same protection.
I really like this idea! If someone makes it, I'd probably buy one, to protect my phonecalls to my wife when she's on the phone, when we talk about such sensitive information as the cats, the weather, and our recent dinners...
There are two things that you have to consider
1. Your encrypted audio stream must be as robust as to survey the audio compression of you chat client / Mobile phone (GSM, G7??, AMR etc.)
2. How will you do the key exchange? (Think about MitM)
This is only about Skype on Windows for now. If you can control the operating system, then all bets are off on security anyway. The data on the wire is still secure, the OS never was.
ZPhone, by Saint Phil (Zimmerman, of PGP fame) provides a nice add-on encryption/authentication layer that sits on top of, and interoperates with, a bunch of different VOIP clients (though not with Skype).
Zfone is fully peer-to-peer, which probably makes it largely CALEA-proof. It has good protection against MITM, assuming users avail themselves of that protection. The source code is published (though not fully open-source-licensed), and their encryption protocol is now a draft standard under consideration by the IETF.
If your security requirements include defense against government interception, it's probably a reasonable component for a secure voice solution.
One of the big concerns goes like this:
- The malware will have to hide itself somehow.
- There is software out there to detect this sort of malware.
- Once government-approved malware exists, the next obvious step is to bribe/threaten the malware detection companies to ignore the government malware.
- Other malware can either use the government-approved malware as a shield, or the blind spot created by compliant malware detection programs to hide in.
- Thus the existence of government-approved malware is guaranteed to actively reduce computer security.
This isn't entirely theoretical: while there is no proof that anti-malware companies actively didn't look for the Sony rootkit (just some disturbing delays in providing any detection signatures), there were examples of other programs using the Sony rootkit's hiding routines to hide themselves...
People should start speaking Klingon over skype. Not that security through obscurity works, but because it'll piss off the listeners to have to hire some nerd to translate it for them.
Better yet, pig latinized Klingon.
The really Bad Thing is this: The german minister of interior, Wolfgang Schäuble repeatedly claims that he'd need what he calls "Online-Durchsuchung". That means he wants to inspect the computers of "terrorists" to find if these terrorists plan to build bombs. Regular citizens are of course not affected by this. At least that's what he claims.
So in short: Germany might soon send malware to computers of "terrorists". Bets are still open when the Movie and/or music industry declares that they need this ability, too.
While I have no trouble believing something like this could happen, is there any other corroborating evidence? I can make up a nice looking fake document with NSA letterhead myself...
@ Bryan Feir: "Once government-approved malware exists, the next obvious step is to bribe/threaten the malware detection companies to ignore the government malware".
While I accept the possibility, I'm not too worried about it. If a government is going to nobble software providers in order to introduce back doors in desktop systems, then it could just as easily be going after the OS, rather than the AV. It's easier, because one company gives to a huge majority, and two gives you almost the whole desktop market. It's more direct, because you can build the backdoor right into the OS, rather than fiddling around with Trojans and hoping the criminal clicks on them.
There isn't convincing evidence that there is any such threat at the moment.
How would the Bavarian government go about influencing major AV providers, anyway? They probably have a lot less money than just Sophos's customers put together, so I don't see how they'd bribe even one major company. Legislating on the activities of foreign companies is out of the question - they can only enforce locally.
So, if the story were "government is planning to ban non-approved AV software", then I'd be concerned, and I'd agree with you that this risks dangerous security flaws. But that isn't the story, and doesn't seem likely to be.
How long before the Clipper chip is reintroduced as a means to overcome all the dangers inherent in "malware" solutions?
There is a valid reason for law enforcement agencies to secretly wiretap phonecalls. The established process of obtaining a warrant from a judge works fine most of the time, so it leaves the question of how to do it.
To me it seems like the police is trying to utilize old-tech on new-tech, which is not gonna work.
So what would security professionals tell the police how they could record those skype-calls?
@SteveJ: "If a government is going to nobble software providers in order to introduce back doors in desktop systems, then it could just as easily be going after the OS, rather than the AV."
That's not the point. They go to the AV vendors because they don't want the AV software to *detect their malware*. If the cops were using said malware to collect evidence for an ongoing investigation, having the AV software notify the user about the malware would interfere with the investigation (and probably also lead to increased awareness of the malware, via the Internet).
I don't have a problem in principle with the cops secretly installing surveillance software onto people's machine, as long as they have a warrant to do it.
One problem is that other bad people will figure out what it is about the cops' malware that causes the virus scanner not to complain about it (e.g. a magic string?), and use the same technique in their own malware, thus worsening security for the rest of us. Even if that doesn't happen, they might get their hands on a copy of the "official" malware and use it (or a modified copy of it) themselves in illegal ways. Even if the virus scanner detects a "legitimate" piece of malware, how can it possibly know who put it there? The virus scanner does not get to read the court order. So I think it should always report it anyway--frankly, a virus scanner that can detect a piece of malware but does not report it, is not doing its job. (Of course most virus scanners are next to useless anyways, but that's another issue.)
If the Bavarian government planners and developers fully implement such a plan, they'll blow it with the use of proxy, I believe. It's not easy to build ironclad security into a proxy network. Whether they blow it or not, I hope they don't try to use Tor or JAP/JonDo.
@Pat Calahan: "While I have no trouble believing something like this could happen, is there any other corroborating evidence?"
Not really for this particular issue (although the Bavarian ministry chose not to deny it).
But attempts to legalize online-searches of PCs (which, naturally, encompass Skype-eavesdropping) are in the public legislative process - in Bavaria and Germany as a whole.
"That's not the point. They go to the AV vendors because they don't want the AV software to *detect their malware*."
But if they could go to the AV to stop the AV detecting their malware, then why not go to the OS vendor instead?
They'd get a more convenient surveillance mechanism (wouldn't need a Trojan, could deliver a worm-like rootkit to the machine via an agreed backdoor). There would have a good chance of the OS vendor being able to make the malware undetectable by *any* AV, as opposed to only undetectable by AV companies who agree to co-operate. And they'd need fewer companies to co-operate in order to get near-total coverage of suspects.
So, since nobbling the OS is a strictly better strategy than nobbling the AV, I conclude that the government will not attempt to nobble the AV. Don't worry about that, worry about them getting at your OS.
Compare this with the fact that the government doesn't tap phone calls by interfering with phone manufacturers, it does it by interfering with the network operators. It's just common sense to go for the pinch point, which in this case is the OS (since the comms are secure), not the AV.
"(Of course most virus scanners are next to useless anyways, but that's another issue.)"
Then it's no great loss to cripple them further, even if the government did unwisely attempt to do so ;-)
I am a former Army sniper, and the implementation of brown paper on windows is a very basic measure. It is not "Security Theater" in any sense. It is just the USSS doing their jobs in an urban environment to protect the package, Mr. President. Good job, people!
If I knew or cared was Skype was, I'd probably be outraged.
All I know is that every government everywhere is doing its damndest to eavesdrop on everything everybody says to anyone anywhere using any communication method possible. All of its done in the name of "combating terrorists", who are bad because they want to take away our freedoms and turn us into some fascist state that eavesdrops on its citizens.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.