Slashdot Mirror


Swiss to Use Spyware to Listen to VoIP

An anonymous reader writes "Heise Security is reporting that the Swiss Department of the Environment, Transport, Energy and Communications is entertaining the idea of utilizing the 'Superintendant Trojan', a spyware program designed to allow eavesdropping on VoIP conversations. According to ERA IT Solutions, the creator of the software, it will only be distributed to investigation agencies in the hopes of keeping it out of the hands of malicious hackers since firewalls apparently 'do not present a problem' for the software."


  1. 4 words: by creepynut · · Score: 3, Insightful

    Create it and they will get it.

    1. Re:4 words: by creepynut · · Score: 4, Funny

      Haha... 4 words. Make that 7, because I don't know how to count.

  2. yea right by grapeape · · Score: 4, Insightful

    If the trojan can be installed it can be sniffed out and discovered. I give it at tops a week of deployment before someone figures out what it is, how it works, and backwards engineers it into instant mayhem for all the black hats.

    1. Re:yea right by whoever57 · · Score: 4, Insightful
      If the trojan can be installed it can be sniffed out and discovered.
      Which then raises the interesting question: how will anti-spyware vendors (including MS) respond to this? There really are no good solutions for an anti-spyware vendor in this case, since detecting it could be considered as hindering law enforcement, which would be illegal in many jurisdictions.
      --
      The real "Libtards" are the Libertarians!
    2. Re:yea right by Coldmoon · · Score: 5, Insightful

      "There really are no good solutions for an anti-spyware vendor in this case, since detecting it could be considered as hindering law enforcement..."

      Actually it will turn out to be the exact opposite. Once the program is in the wild and the black hats get their hands on it, both the AV and AS vendors will have no other choice than to add it to their detections.

      Regardless of whether the detection is for the original Trojan or not, any subsequent black hat variations found would be added and the original would in all likelihood be flagged due to the particular (add your own term here) scanning technology.

      --
      Coldmoon over Dark water...
    3. Re:yea right by rolfwind · · Score: 2, Interesting

      Um, if you are a free/opensource hacker in the US, you don't have to care about the laws/law_enforcement in Switzerland, generally. You can circumvent this all you want.

      Now, if you were a corporation, there may be additional considerations, but only if you have a branch of your business operating there.

    4. Re:yea right by isometrick · · Score: 5, Informative

      The omg-leak-to-blackhat bit isn't a big deal. Any blackhat worth his weight in RAM chips could cobble something together to record incoming/outgoing RTP traffic on a local network interface (in the case of SIP/RTP VoIP, and similar in IAX, H.323 and other protocols). It's just a few header fields and then pure Mu-law or A-law audio in most cases and other publicly available codecs in other cases.

      It'd probably be more work to reverse engineer this trojan as opposed to writing something to do it yourself. It definitely would be for me. And from some experience with other 'law enforcement'-type programs, it's probably shit anyway.

      The worrisome bit is utilizing trojans for law enforcement, even with some kind of judicial review (scoff).

      It will also only be really useful when Joe User starts using VoIP, because it'd be much harder to get your average power user to install something infected with the trojan.

      And end-to-end encryption renders it completely useless anyway, unless it actually reads pre-encrypted stuff from memory. Hopefully VoIP providers will get off their collective asses and get SRTP et al. working.

      Just my $0.02.
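
The packet layout isometrick describes (a few header fields, then G.711 audio), as an added example that is not part of the original comment: a parser for the RFC 3550 fixed RTP header that shows what a monitoring point sees on an unencrypted call. The sample packets and function names are constructed for illustration.

```python
import struct

# Static payload types from RFC 3551 for the two G.711 variants named above.
G711_PAYLOAD_TYPES = {0: "PCMU (G.711 mu-law)", 8: "PCMA (G.711 A-law)"}


class RtpParseError(ValueError):
    """Raised when a datagram is not a well-formed RTP version 2 packet."""


def parse_rtp(datagram: bytes) -> dict:
    """Parse one UDP payload as RTP and return its header fields and payload."""
    if len(datagram) < 12:
        raise RtpParseError("shorter than the 12-byte fixed header")
    b0, b1, seq, timestamp, ssrc = struct.unpack("!BBHII", datagram[:12])
    if b0 >> 6 != 2:
        raise RtpParseError("RTP version is not 2")
    has_padding = bool(b0 & 0x20)
    has_extension = bool(b0 & 0x10)
    csrc_count = b0 & 0x0F
    payload_type = b1 & 0x7F

    # Optional CSRC list: csrc_count 32-bit identifiers after the fixed header.
    offset = 12 + 4 * csrc_count
    if len(datagram) < offset:
        raise RtpParseError("truncated CSRC list")
    # Optional header extension: 16-bit profile, 16-bit length in 32-bit words.
    if has_extension:
        if len(datagram) < offset + 4:
            raise RtpParseError("truncated extension header")
        _profile, ext_words = struct.unpack("!HH", datagram[offset:offset + 4])
        offset += 4 + 4 * ext_words
        if len(datagram) < offset:
            raise RtpParseError("truncated extension body")
    # Optional padding: the last byte gives the number of padding bytes.
    end = len(datagram)
    if has_padding:
        pad = datagram[-1] if end > offset else 0
        if pad == 0 or pad > end - offset:
            raise RtpParseError("invalid padding length")
        end -= pad

    return {
        "marker": bool(b1 & 0x80),
        "payload_type": payload_type,
        # SRTP leaves these header fields readable; only the payload bytes
        # are encrypted, so the codec label says nothing about protection.
        "codec": G711_PAYLOAD_TYPES.get(payload_type, "other/dynamic"),
        "sequence": seq,
        "timestamp": timestamp,
        "ssrc": ssrc,
        "csrc_count": csrc_count,
        "payload": datagram[offset:end],
    }


# Constructed sample 1: plain header, PT 0, 160 bytes (20 ms) of mu-law silence.
SAMPLE_PLAIN = struct.pack("!BBHII", 0x80, 0x00, 1, 160, 0x1234ABCD) + b"\xff" * 160

# Constructed sample 2: padding + extension + one CSRC, marker set, PT 8.
SAMPLE_COMPLEX = (
    struct.pack("!BBHII", 0xB1, 0x88, 2, 320, 1)
    + struct.pack("!I", 0xCAFEBABE)            # one CSRC entry
    + struct.pack("!HH", 0xBEDE, 1) + b"\x00" * 4  # extension, 1 word long
    + b"\xd5" * 8                               # A-law payload bytes
    + b"\x00\x00\x03"                           # 3 bytes of padding
)

if __name__ == "__main__":
    for pkt in (SAMPLE_PLAIN, SAMPLE_COMPLEX):
        info = parse_rtp(pkt)
        print(info["codec"], info["sequence"], len(info["payload"]))
```
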

    5. Re:yea right by mattr · · Score: 4, Funny

      hacker: 100kg
      sd card: US$124 / 2 grams ($61/g)

      hacker's weight in ram chips: $610,000

    6. Re:yea right by surprise_audit · · Score: 2, Insightful
      You know it's only a matter of time before one or more of the NSA, FBI, CIA, TSA, etc deploy their own version, and there'll be encryption involved somewhere so that defeating it will be a DMCA violation and/or an act of terrorism...

      Come to think of it, wouldn't it also be a DMCA violation if the government agency's version circumvented any VOIP encryption to eavesdrop?? Not that it really matters, because Bush will pencil-in a clause that makes it OK for his buddies to rape the DMCA all they like...

      Hmmm... Anyone tried running a VOIP product in VMWare?? It'll boot a LiveCD ISO and run everything in it, without saving *anything* to disk. Have fun infecting *that* with spyware...

    7. Re:yea right by kensan · · Score: 2, Informative
      And end-to-end encryption renders it completely useless anyway, unless it actually reads pre-encrypted stuff from memory.

      I read the original newspaper article and it contains some more information. Apparently the software is accessing the microphone directly, so encryption will not help. On top of that, the software will be able to record audio by turning on the Mic even if there is no VoIP-Software running, etc.

      The newspaper article also said that it was theoretically possible to do the same with Webcams but there are no plans to use this "feature". Not because of privacy concerns or any such thing but because many webcams have a LED that indicates the usage.

      I assume this thing only runs on Windows PCs, but this is pure speculation.

      It's really distressing how they could put together such a piece of software without even having any "sound legal basis" for its usage. Usually it takes years to change things here in Switzerland, which is a good thing to a certain degree.

    8. Re:yea right by ArsenneLupin · · Score: 2, Insightful
      No third party is going to enter your house without your express permission, either, but the police can and will, and there's nothing you can do to stop them.

      But that doesn't mean that it is illegal to make locks. So, yes, antivirus and antispyware companies are in their rights to add this to their lists.

  3. OMG... by Pharmboy · · Score: 3, Funny

    I can't believe I just read that. They think they can use it and it won't get in the wild? This sounds as smart as the judge in the Spamhaus case, as in, totally clueless about "that there interweb spying softywear".

    --
    Tequila: It's not just for breakfast anymore!
  4. Wow. by Sensae · · Score: 2

    If that isn't a destruction of your privacy, I don't know what is. Although it'll probably be flagged by scanning software soon.

  5. I really don't believe this by El+Cubano · · Score: 3, Insightful

    ...it will only be distributed to investigation agencies in the hopes of keeping it out of the hands of malicious hackers...

    Do they really think so?

    I mean, that completely ignores human nature. Come on.

    • radar detectors
    • traffic light remotes (the new ones that only emergency vehicles are supposed to have)
    • guns in countries where guns are illegal
    • police-band radios

    All these things have one thing in common: they are not supposed to be accessible to the general public (or at least initially were not supposed to be) and yet they are. Legality does not stop criminals.

    1. Re:I really don't believe this by wordsnyc · · Score: 3, Informative

      Actually, police-band radios have always been legal in the US (not in the UK, though). But with the rise of digital encrypted radio systems, those days may be fading fast, as it's a federal crime to even try to decrypt the transmissions.

      --
      Sent from the iPad I found in your car.
    2. Re:I really don't believe this by roseblood · · Score: 2, Informative

      In the USA the FCC gives permission to specific persons or agencies to operate radios on specific frequencies. The frequencies vary depending on the availability of spectrum and the needs of the agency. A metro agency with many sky-rises will have different needs from those of a rural agency in the plains states. Thus some agencies use relatively low frequencies, some in the 400 MHz bands (mostly because most of the radio gear available on the market works here), others in the 800 MHz bands (because the remainder of the radio gear on the market works here, with a few exceptions), and others scattered about different parts of the spectrum.

      It is NOT against FEDERAL LAW to own radios capable of receiving or broadcasting in these bands, as frequencies in these bands are licensed out to all sorts of parties (private citizens, city workers, fire, police, ems, bus companies, etc.) It is also NOT AGAINST FEDERAL LAW to listen/receive transmissions on ANY BAND. Decrypting, recording, and re-transmission are another issue. If it is in the spectrum you are allowed to receive it (given you can pass an FCC test to prove you know how to operate any equipment you might use that is capable of transmission [Tx]). It is illegal to Tx on any frequency assigned to other persons or agencies. That goes for police, fire, ems, and civil users. Additionally there are likely to be state and local laws regarding using of radio technology to impede the work of public safety and/or the interference of civil use of radio spectrum in so far that it causes a cost to be incurred by the properly FCC licensed party (IE: can't dispatch a taxi 'cause some prick is Txing all over your channel.)

      Most TX is NOT encrypted as a form of security. Some transmissions are digital in nature and can not be parsed by the human ear as they are broadcasted. Other TX is "trunked" and spread over many frequencies, these can be both digital and analog trunked systems, and are hard to follow as users are moved from frequency to frequency as they become available for use, and the same frequencies are often shared by multiple users [a city that uses 10 channels for PD, FIRE, EMS, and civil functions for example.]

      I am not aware of the legal status of decrypting signals where the encryption is intended to protect the contents of said signal. Someone else will have to speak up on that.

      --
      There are lies, damned lies, and statistics.
    3. Re:I really don't believe this by wordsnyc · · Score: 2, Insightful

      Scanners that can track trunked digital systems are freely available in the US -- Uniden makes several. But once the digital signal is encrypted, it's illegal to decode it. The FBI and Secret Service use encrypted digital systems.

      --
      Sent from the iPad I found in your car.
    4. Re:I really don't believe this by jimicus · · Score: 2, Insightful

      Legality does not stop criminals.

      No kidding. If it did, they wouldn't be criminals.

      (As an aside, I wrote to my MP pointing this one out a couple of years ago when they proposed making forging an ID card illegal (it already is anyway). The letter I received back said, in a nutshell, "We know criminals don't obey the law. We're trying to find a solution to that one and anyone who has any ideas is welcome to write to us".)

  6. This is why... by sjs132 · · Score: 2

    I write all my secrets onto yellow stickies... Then make the person that reads it shred and eat...

    --
    --- Relax, that mass murderer is just trying to reduce our carbon footprint, one fetus at a time...
  7. 2 Words by cybercobra · · Score: 2

    Bad Idea.

    If there's a backdoor, crackers will find it and they will exploit it.
    Stop the idiotic Police/Spyware.

  8. Ok, let's analyze this a bit, shall we? by Weaselmancer · · Score: 4, Interesting

    Two things stand out right away. Point one:

    the 'Superintendant Trojan', a spyware program designed to allow eavesdropping on VoIP conversations

    Ok, so it's spyware. It sneaks onto a system and installs itself. Gotcha. That moves us to point two:

    it will only be distributed to investigation agencies in the hopes of keeping it out of the hands of malicious hackers

    Ok. Got it. So to sum up, what they're saying is that they don't want anyone to get it, but they need to install it on a target's system in order for it to work. And a target would be someone the law was interested in who was computer literate. Like, say....hackers, for instance.

    I love things that are broken by design.

    --
    Weaselmancer
    rediculous.
  9. Installation?!? by iOsiris · · Score: 3, Funny

    I wonder how they plan to install these things onto the target computers?

  10. The Victim by NevDull · · Score: 3, Insightful

    Well, the thing about Trojans, is that the victim installs them.

    This article is complete and utter bullshit.

    "VoIP" is not a single computing platform or implementation.

  11. Ok, I could clarify a bit, sure. by Weaselmancer · · Score: 2, Interesting

    And the better question is why not? Provided that there is sufficient judicial oversight, why shouldn't VOIP conversations of suspected criminals be monitored?

    Well, I haven't argued anywhere that they shouldn't be monitored. It's not the judicial oversight that worries me. It's the technical oversight.

    Let me clarify my objections a bit. In order for this hack to work, some authorized person has to sneak something onto your system. And as soon as it's on your system....it's on your system. You have it. If you find it and can figure out what it is, nothing is stopping you from using it on other people. In short, it's only a matter of time until the hackers DO get it. And then they'll be listening in on VOIP.

    To summarize the summary, this is wildly irresponsible. I can't believe people smart enough to write this software are dumb enough to think they can contain it. Absolute morons, I'd call them.

    --
    Weaselmancer
    rediculous.
  12. Move along, nothing to see here. by foQ · · Score: 2, Interesting

    There are dozens of commercial keyloggers and remote admin type apps out there. "Firewalls do not present a problem" to any of these, nor most of the other tools. I'm assuming here that they mean incoming firewalls, not restrictive bidirectional firewalls which block unknown outbound connections. The fact that this makes use of webcams and microphones is nothing new, Back Orifice did this a decade or so ago. None of the antispyware or antivirus vendors mark the commercial tools as malicious, because they assume (wrongly) that whoever put the tool there had a right to do so. I guess the only thing that is new here is that the company is distributing only to law enforcement. That might not even be new, since I'm sure the espionage community has some exclusively licensed tools at its disposal. If you want to get paranoid about something, be worried that your credit card info is in the hands of somebody in former Soviet countries or that some ransomware has taken over your PC. Trust me, the Swiss are not your biggest problem out there.

  13. Thankfully... by krray · · Score: 2, Interesting

    Thankfully I have nothing to hide. But if I did:
    Thankfully my main GUI is a Mac. I wonder how LittleSnitch would handle a .EXE?
    Thankfully my networks are Linux and BSD based. They don't like .DLL's.
    Thankfully my VoIP is handled by a Sipura non-PC based box. It doesn't allow / nor has needed updates.
    Thankfully the one place I do use Windows for now (work) will be replaced with a Mac in short time.

    I do have to wonder if and how heuristic type scans and/or zonealarm tweaked all the way up would react to this type of software. Recently there was a "new" virus that showed up (one week ago today) on the email (Linux) server which my workstation immediately flagged as suspicious before even reading the body of the message (which was supposedly from the email admin [myself] :). This virus, at that time, was not known by Norton, McAfee, or Clam-AV. Thankfully my Windows workstation _is_ a workhorse and I do have heuristic type scanning turned on for everything it ever touches.

    As for the firewall, well, trust me, you have no idea HOW I configure it and what I do (or don't) allow out under normal circumstances. VoIP? Only from authorized IPs and MAC addresses -- and only to specific OpenVMS servers (which REALLY hate to run Windows software and are even harder to infect :). Sure -- you could capture the OTHER END of the call probably much easier.

    Thankfully, I have nothing to hide. :)

    1. Re:Thankfully... by icebike · · Score: 2, Funny

      Thankfully your packets do not travel on any public network...

      Oh, wait a minute...

      --
      Sig Battery depleted. Reverting to safe mode.
  14. Black hats rejoice! by Mr_Tulip · · Score: 2, Insightful

    The only possible means by which a trojan can get around anti-virus tools, operating systems and firewalls is if the tools themselves have been modified to allow this trojan to work.

    I suspect that the software vendors / designers of these tools will be contacted, asked to participate and sign a ND agreement.

    All people running software by these vendors will then be susceptible to attacks from this trojan - a trojan which will undoubtedly be in the hands of black hat hackers by then.

    Additionally, if this sort of thing becomes common practice, it will result in anti-virus software becoming practically useless, as the virus writers will take advantage of these 'back doors' to create new malware that can mimic the behaviour of the trojans.

  15. Re:Depends. by Captin+Shmit · · Score: 3, Insightful

    "The ISPs of the persons under investigation will then slip the program onto their computers."

    How do they plan on doing that, exactly?

  16. maybe but you still have plenty to worry about by gd23ka · · Score: 2, Interesting

    Me with my TA behind my router I think I have less to worry about.

    Me with my terminal adapter which happens to be integrated with my router,
    I think I have plenty to worry about. Who says its firmware is not rigged?
    Who says they can't upload a patch to it or otherwise tamper with it??

    On the other hand, why do these shitheads need to tamper with someones
    machine if they can just pick off the conversation directly from the wires
    at the provider (unless they're using encryption)??!

  17. Am I missing something ? by l0cust · · Score: 2, Insightful
    I read TFA and I was a bit confused. First, I was not sure about where exactly this software is going to be installed
    The ISPs of the persons under investigation will then slip the program onto their computers.
    This seemed to be saying that it will be installed on the ISP's end which seemed like not such a big deal as ISPs monitor the network data to some extent anyway
    The wiretap has some additional functions. For example, the built in microphone on a laptop can be turned on to monitor a room or webcams can be activated. As the latter is usually indicated by an LED, this is unlikely to be useful in practice.
    Now it seems more likely that it will be installed on the target's computer. Now it is a spyware. I think it can be compared to planting microphones in the house of a suspect. And they will need a judge's permission before they do it which seems like a sensible thing to do. But unlike a microphone planted in the house, a spyware/trojan can interact with the data on the other end. So what happens when a person discovers this program installed on his system and sues the government for some credit card/personal information stealing (which may or may not have happened) ? I know he is a suspect but the fact that they needed to plant a spyware on his system means that they did not have enough evidence to refute his claims by saying that he is a terrorist or dangerous criminal and get away with the charge easily. This all is ignoring the fact that the program ever makes to the hands of the Black Hat community (which is inevitable as already mentioned by a lot of people).

    He can at least argue that installing a spyware in his system made it insecure in some way which led to the theft or something to this tune. I don't know the technicalities of the software in question but I am sure the judges won't exactly be experts in this domain either.
    --
    Politicians and Pedophiles: Two groups of exploitive bastards who are most dangerous when they're thinking of children.
  18. Dear Swiss People by SQLz · · Score: 3, Insightful

    Welcome to the USA!!!

    1. Re:Dear Swiss People by elebeik · · Score: 4, Informative

      Uhm, why exactly is this post insightful?
      Do you know the first thing about Switzerland anyway?
      FTA: "[...]is therefore examining the use of spy software to allow it to listen in on conversations on PCs[...]" I say: Yay for the Swiss government. They are examining this? Good, examining doesn't hurt. The press (ok, one newspaper... they might be misinformed) has heard about it and published it. People are being informed.
      The contrast to the USA?
      Well, firstly I'm sure somebody is examining the possible use of this or similar software in the US, too. But contrary to the US, Switzerland does not have a Patriot Act or similar stupid laws to allow wiretaps without a warrant.
      Secondly, Switzerland is a direct democracy. The Swiss people can actually oppose anything the government decides and put it up to a vote. Yes, you heard right: no president can decide 'let's take away some rights from the people' without the people having the last word (for that matter, our executive is made up of 7 'ministers' (Bundesrat), with all of them together not having as much power as the US president on his own!).
      So, to sum up my rant: I have no big fear of my government spying on me, while I am certain the NSA is spying on all of us. "Welcome to the USA!!!", indeed, for the world is your playground for all you care (and no, I don't hate Americans, just can't stand the current administration).

  19. Re:Depends. by TCM · · Score: 2, Insightful

    Well, the ISP basically controls how you view the Internet. The next .exe you download via HTTP could be modified.

    --
    Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
  20. wrong by george_e · · Score: 2, Interesting

    1.intrusion of privacy
    2.administration of law outside legal jurisdiction
    3.stealing computing time
    4.stealing bandwidth from us who need it.
    5.intellectual property compromise

    wrong.fuckers.misguided.immoral.

    lets reverse engineer this and use it on them! see how they fucking like it.

    another bunch of politicians that decide our everyday freedoms.

  21. A Swiss perspective by batbertus · · Score: 3, Funny

    Fun facts about Switzerland: 1. Our army needs seven years and 40 billion Swiss Francs (about 30 billion US Dollars) to be ready for war. 2. It's illegal to flush the toilet after 10 pm. (Nobody seems to know, however) 3. My government believes they can bug the VOIP of the country with the most Macs per capita.

  22. Re:Firewalls dont present a problem....shhhhure by pla · · Score: 2, Informative

    Firewalls don't present a problem... I read this as... the software connects back to home by connecting to TCP port 80.

    You done with that strawman yet? I'd like a whack at it...

    If you use VoIP, you must have firewall rules allowing VoIP traffic out (and probably back in, but not necessary for spying on the user).

    Thus, this trojan would only need to connect the same way as your legitimate VoIP client. It could even act more-or-less like real VoIP traffic, since it basically needs to duplicate a legitimate call into a 3-way call with one hidden party (the police).

    So yes, even a crappy software-only firewall could block the traffic from this trojan - But in doing so, it would also effectively disable VoIP, making the trojan unnecessary.


    Now, you could certainly set up an out-of-channel means to tell an external firewall to allow a single VoIP session to a single designated IP address (ie, log into your gateway machine and manually enter the rule). But how many people will actually do that each time they want to make a phone call?