German bill provides network traffic redirection to install state trojans

Hello Peter,

thanks a lot for your very informative blog post on possible future network traffic redirection.

WTF is all I can say to this incredibly stupid bill. If this passes, we provide a great infrastructure to control and manipulate data and information on the fly for any future dictatorship.

Mainstream media in Germany rarely cover this topic, so anyone who wants to dig a little deeper can read this article on netzpolitik.org (German). The article also links to the bill.

There is also a podcast with Linus Neumann about the topic (German).

I’m also very keen on the further blog series regarding countermeasures that Peter announced in the blog, but I’m afraid there is no easy workaround, because even if you tunnel your traffic outside of Germany and then go to a German website, you will still pass DE-CIX etc. unencrypted.

Thanks again Peter, and let’s fight this crazy bill


Probably already happening in America. :nauseated_face:

Most likely :face_vomiting:

"A draft law provides for the secret services to be given the possibility of manipulating the data traffic of providers in order to spread state trojans. However, it is no longer as simple as it once was to place malware in Internet data traffic, thanks to TLS encryption and signed updates. In most cases, this is only feasible if so-called zero-day gaps are used.

Originally, the draft was to be adopted by the Federal Cabinet on 15 July 2020. But the topic disappeared from the agenda again at short notice.

The draft law had been published on the website Netzpolitik.org in June. In another article, the site reported that one paragraph of the draft law provides the secret services with the direct possibility of redirecting data traffic at Internet access providers.

The secret services are not only supposed to be able to read the data traffic, but also to manipulate it. This is to make it possible to carry out measures by state authorities, such as the installation of a trojan to monitor a person.

2020 is not 2011

Netzpolitik.org points out that some providers of state surveillance software have been offering such mechanisms for a long time and cites as an example an advertising brochure of the company FinFisher, in which an attack on a software update is given as an example. However, the brochure dates from 2011, and a lot has changed on the Internet since then.

Software updates that are transmitted completely unprotected are rarely found today. Almost always either TLS encryption is used or the updates are protected with signatures; in many cases both are. If an attacker attempts to slip surveillance software in here, this only leads to a certificate or signature verification error. To carry out a practical attack on an update process, the attacker would have to know of a security hole in the respective update software.

Instead of attacking the update process of a piece of software, the secret services could also place an exploit in website calls; they only have to wait until the target calls up an unencrypted HTTP website. Despite the fact that HTTPS is now very widespread, this is likely to happen again and again. Instead of the requested website, the ISP can simply serve a different one. But even then the attackers would have to know of a security hole in the browser. Such an attack on a journalist in Morocco was recently documented by Amnesty International; the Israeli company NSO and its software Pegasus were responsible.

Attacks possible, but expensive

Of course, German secret services can also fall back on such security gaps. If the target system is outdated, it may be possible to use already known gaps for this purpose; otherwise the secret services have to fall back on so-called zero-days, i.e. security gaps not yet publicly known. This is feasible in individual cases, but in any case expensive.

Politically more relevant than the question of whether secret services are allowed to manipulate the data traffic of Internet access providers is the question of the general handling of undiscovered security gaps. Nevertheless, the new measures should be criticised: if secret services are given more opportunities to attack users, they also have more incentives to ensure that security gaps are not closed. And that ultimately affects the security of all users."

Translated with www.DeepL.com/Translator (free version)

At minute 44:00 they talk about TLS, and they are of the opinion that it should be no problem for a state or secret service to fake certificates. Also, big providers operate their own CA, so if they are required by law to help make this happen, they would just generate a valid cert under their own CA.
So you could manipulate e.g. the latest Firefox update: redirect the download and combine the Firefox code with the state trojan.

Hi,

[…], because even if you tunnel your traffic outside of Germany and then go to a German website, you will still pass DE-CIX etc. unencrypted.

the same applies to any other German IXP as well (there are many of them), but since DE-CIX Frankfurt/Main is the most popular one, I thought it would be sufficient to mention that one.

At minute 44:00 they talk about TLS, and they are of the opinion that it should be no problem for a state or secret service to fake certificates. Also, big providers operate their own CA, so if they are required by law to help make this happen, they would just generate a valid cert under their own CA.

I doubt manipulating TLS traffic is a hurdle for intelligence agencies indeed. It might be detected by some browsers or by certificate observatory projects (the EFF runs one), but in the end, this does not help.

DANE works, but unfortunately it is not implemented by modern browsers, due to technical difficulties (it requires DNSSEC validation, which is not guaranteed everywhere; since IPFire enforces it, we have seen a lot of complaints from some users sitting behind very crappy ISP DNS infrastructures) and perhaps legal considerations (?).

Thanks, and best regards,
Peter Müller

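To make the DANE point in the reply above concrete, here is an added example (editor's code, not from the thread, from IPFire or from any browser). It implements the TLSA matching rules of RFC 6698 for a DANE-EE (usage 3) record, which pins the server's own SubjectPublicKeyInfo regardless of which CA signed the certificate. The key bytes and the "certificate" blobs are constructed stand-ins: the SPKI encoding is the real RFC 8410 Ed25519 layout, but the keys are arbitrary and the full-certificate bytes are placeholders for what a client would take from the TLS handshake. The scenario is the one discussed in the thread: an interceptor presents a certificate that a cooperating CA has validly signed, but for a key the interceptor controls.

```python
import hashlib
import hmac

# RFC 6698 TLSA field values used below
USAGE_DANE_EE = 3        # DANE-EE: pin this end-entity cert/key; no PKIX chain needed
SELECTOR_FULL_CERT = 0   # match the whole DER certificate
SELECTOR_SPKI = 1        # match only the SubjectPublicKeyInfo
MATCH_EXACT = 0
MATCH_SHA256 = 1
MATCH_SHA512 = 2

# RFC 8410 SubjectPublicKeyInfo header for an Ed25519 key:
# SEQUENCE { SEQUENCE { OID 1.3.101.112 }, BIT STRING (0 unused bits) + 32 key bytes }
ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def ed25519_spki(raw_pubkey: bytes) -> bytes:
    """DER-encode a 32-byte Ed25519 public key as SubjectPublicKeyInfo."""
    if len(raw_pubkey) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return ED25519_SPKI_PREFIX + raw_pubkey


def tlsa_association_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> bytes:
    """Return the Certificate Association Data a TLSA record would carry for this certificate."""
    if selector == SELECTOR_FULL_CERT:
        subject = cert_der
    elif selector == SELECTOR_SPKI:
        subject = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if matching_type == MATCH_EXACT:
        return subject
    if matching_type == MATCH_SHA256:
        return hashlib.sha256(subject).digest()
    if matching_type == MATCH_SHA512:
        return hashlib.sha512(subject).digest()
    raise ValueError(f"unsupported matching type {matching_type}")


def tlsa_matches(record: tuple, cert_der: bytes, spki_der: bytes) -> bool:
    """Check a presented certificate against one DANE-EE (usage 3) TLSA record.

    Only usage 3 is handled: the record pins the server's own certificate or
    key, so who signed the certificate is irrelevant. Usages 0-2 additionally
    require PKIX chain validation, which is out of scope here.
    """
    usage, selector, matching_type, data = record
    if usage != USAGE_DANE_EE:
        raise NotImplementedError("only DANE-EE (usage 3) records are handled here")
    expected = tlsa_association_data(cert_der, spki_der, selector, matching_type)
    # compare_digest returns False (does not raise) on length mismatch
    return hmac.compare_digest(expected, data)


# --- Constructed test data (not real keys or certificates) -------------------
# The raw key bytes are arbitrary; SPKI matching only needs the encoding.
SERVER_PUBKEY = bytes(range(32))
MITM_PUBKEY = bytes(range(32, 64))      # a key the interceptor controls
SERVER_SPKI = ed25519_spki(SERVER_PUBKEY)
MITM_SPKI = ed25519_spki(MITM_PUBKEY)
# Stand-ins for the full DER certificates (a real client takes these from the
# TLS handshake). Both are assumed to carry a valid signature from a CA the
# browser trusts, which is the scenario discussed in the thread.
SERVER_CERT_DER = b"CONSTRUCTED-CERT:legit-server:" + SERVER_SPKI
MITM_CERT_DER = b"CONSTRUCTED-CERT:ca-issued-for-interceptor:" + MITM_SPKI


def publish_tlsa(spki_der: bytes) -> tuple:
    """What the site operator publishes: _443._tcp.example. TLSA 3 1 1 <sha256(spki)>."""
    return (USAGE_DANE_EE, SELECTOR_SPKI, MATCH_SHA256, hashlib.sha256(spki_der).digest())


def demo() -> dict:
    record = publish_tlsa(SERVER_SPKI)
    return {
        "record_hex": record[3].hex(),
        "legit": tlsa_matches(record, SERVER_CERT_DER, SERVER_SPKI),
        "mitm_ca_signed": tlsa_matches(record, MITM_CERT_DER, MITM_SPKI),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The legitimate certificate matches and the CA-issued interceptor certificate does not, because the pin is on the key, not on the issuer. Two caveats follow directly from the reply above: the TLSA record is only worth anything if it arrives through validated DNSSEC, since an interceptor who can rewrite TLS traffic can rewrite a plain DNS answer just as easily; and the operator must publish the record for a new key before switching to it, otherwise every DANE-aware client rejects the rotated certificate until the old record's TTL expires.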

Sure, that’s why I wrote DE-CIX etc. :smiley:

I see. :slight_smile:


There is a bill pending in the US which would allow the government to eliminate encryption and therefore record and spy on everyone without their knowledge (see EFF.org). While you are there, check out their Privacy Badger tool, a browser add-on. It can show you who is tracking you. A nice feature. But it cannot prevent state trojan horses from snooping.

They are comparing it to a wire tap.
But it is blanket surveillance.


Won’t it affect all users? Not one?

Hi,

this affects all users, although sophisticated attackers usually aim to be as precise as possible, especially if they are using (expensive) 0-day exploits. However, if such redirection infrastructures were (ab)used by third parties, they might spread their malware more broadly.

Thanks, and best regards,
Peter Müller