"A draft law provides for secret services to be given the opportunity to manipulate the data traffic of providers in order to spread state trojans. However, it is no longer as simple as it once was to place malware in Internet data traffic - thanks to TLS encryption and signed updates. In most cases, this is only feasible if so-called zero-day gaps are used.
Originally, the draft was to be adopted by the Federal Cabinet on 15 July 2020. But the topic disappeared from the agenda again at short notice.
The draft law had been published on the website Netzpolitik.org in June. In another article, the site reported that one paragraph of the draft law provides for the direct possibility for secret services to redirect data traffic at Internet access providers.
The secret services are not only supposed to be able to read the data traffic, but also to manipulate it. It should be possible for measures taken by the state authorities, such as the installation of a Trojan to monitor a person, to be carried out.
2020 is not 2011
Netzpolitik.org points out that some providers of state surveillance software have been offering such mechanisms for a long time and cites as an example an advertising brochure of the Finfisher company, in which a software update is attacked as an example. However, the brochure dates from 2011, and since then a lot has changed on the Internet.
Software updates that are transmitted completely unprotected are rarely found today. Almost always either TLS encryption is used or the updates are protected with signatures; in many cases both are the case. If an attacker attempts to infiltrate monitoring software here, this only leads to an error in the certificate or signature verification. To carry out a practical attack on an update process, the attacker would have to know about a security hole in the respective update software.
Instead of attacking the update process of software, the secret services could also place an exploit in website calls; they only have to wait until the target calls an unencrypted HTTP website. Despite the fact that HTTPS is now very widespread, this is likely to happen again and again. Instead of the called website, the ISP can simply serve another website. But even then the attackers would have to know about a security hole in the browser. Such an attack on a journalist in Morocco was recently documented by Amnesty International; the Israeli company NSO and its Pegasus software were responsible.
Attacks possible, but expensive
Of course, German secret services can also fall back on such security gaps. If the target system is outdated, it may be possible to use already known gaps for this purpose; otherwise the secret services have to fall back on so-called zero-days, i.e. security gaps not yet publicly known. This is feasible in individual cases - but in any case expensive.
Politically more relevant than the question of whether secret services are allowed to manipulate the data traffic of Internet access providers is the question of the general handling of undiscovered security gaps. Nevertheless, the new measures should be criticised: if secret services are given more opportunities to attack users, they also have more incentives to ensure that security gaps are not closed. And that ultimately affects the security of all users."
Translated with www.DeepL.com/Translator (free version)
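The quoted article's point about signed updates (an injected payload "only leads to an error in the signature verification") is easy to see in code. The following Go program is an added example written for this page; it is not code from the article, from Netzpolitik.org, or from any vendor it mentions. It assumes a hypothetical updater that pins a vendor's Ed25519 public key and signs the SHA-256 of each release; the vendor key is derived from a constructed fixed seed purely so the example is reproducible offline.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed example: the vendor's signing seed is a fixed byte pattern so
// the program is reproducible. A real vendor keeps the seed offline and ships
// only the public key, compiled into (pinned by) the updater.
var vendorSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
var vendorPriv = ed25519.NewKeyFromSeed(vendorSeed)
var pinnedPub = vendorPriv.Public().(ed25519.PublicKey)

// SignUpdate is the vendor-side step at release time: sign the SHA-256 of
// the update payload. Signing the digest keeps the manifest small; Ed25519
// would also accept the full payload directly.
func SignUpdate(payload []byte) []byte {
	digest := sha256.Sum256(payload)
	return ed25519.Sign(vendorPriv, digest[:])
}

// VerifyUpdate is the client-side step after download and before install.
// Any change to the payload (or to the signature) makes Verify return false,
// and the updater must then refuse to install rather than proceed.
func VerifyUpdate(payload, sig []byte) error {
	digest := sha256.Sum256(payload)
	if !ed25519.Verify(pinnedPub, digest[:], sig) {
		return errors.New("signature verification failed: update rejected")
	}
	return nil
}

// InstallIfValid models the updater's decision: it returns true only when the
// downloaded bytes carry a valid signature from the pinned vendor key.
func InstallIfValid(downloaded, sig []byte) bool {
	if err := VerifyUpdate(downloaded, sig); err != nil {
		fmt.Println("refusing to install:", err)
		return false
	}
	fmt.Println("signature valid, installing update")
	return true
}

func main() {
	// Constructed release: the genuine payload and the vendor's signature.
	genuine := []byte("example-app 2.0 update payload (constructed)")
	sig := SignUpdate(genuine)

	// Unmodified download: verification succeeds.
	InstallIfValid(genuine, sig)

	// Download altered in transit (one byte flipped): verification fails.
	tampered := append([]byte{}, genuine...)
	tampered[0] ^= 0xff
	InstallIfValid(tampered, sig)

	// Genuine payload but with a signature made by some other key: also fails,
	// because only the pinned vendor key is trusted.
	otherPriv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x01}, ed25519.SeedSize))
	digest := sha256.Sum256(genuine)
	InstallIfValid(genuine, ed25519.Sign(otherPriv, digest[:]))
}
```

The third case in `main` is the one that matters for the article's argument: an on-path party can replace bytes, but cannot produce a signature the pinned key accepts, so the only remaining avenue is a defect in the verification code itself, which is why the text says an attacker would need a security hole in the update software.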