Preliminary note: This post primarily affects users falling under German jurisdiction, but may apply to other countries as well, where similar laws are already in place or about to be introduced. Unfortunately, some primary sources are German only.
According to the current status and local knowledge, the German government is about to establish a law that provides for the redirection of network traffic through an intelligence agency's infrastructure in order to exploit security vulnerabilities and, for example, to install a certain type of malware known as Staatstrojaner (state trojans).
The bill lists both end-user devices and servers as potential targets, and requires "telecommunication service providers" to establish and maintain infrastructure for transparently redirecting traffic of certain users, households, or IP addresses. "Telecommunication service providers" covers any company providing telecommunication services, thus ranging from cable, DSL or fiber providers to mail, VoIP and messaging vendors. Ultimately, even backbone providers or internet exchanges are covered by this definition.
Among the intended users of this are
- the Federal Intelligence Service (Bundesnachrichtendienst),
- the Federal Office for the Protection of the Constitution (Bundesamt für Verfassungsschutz),
- the Military Counterintelligence Service (Militärischer Abschirmdienst) and
- all 16 State Offices for the Protection of the Constitution (Landesbehörden für Verfassungsschutz),
thus covering the entire range of German intelligence agencies.
Needless to say, this puts a large part of the current internet at risk of being compromised by one of those agencies. If your connection traverses DE-CIX Frankfurt/Main, which is the largest internet exchange in the world, you might be affected even if neither you nor your communication's destination falls under German jurisdiction (e. g. a network connection from London to Zurich will most likely traverse this IXP - since you cannot choose routing preferences outside your own network, there is little you can do about it).
Encrypting traffic using TLS does not help if your systems rely on public key infrastructure (PKI), as intelligence agencies are most likely able to obtain certificates issued by commonly trusted (intermediate) CAs. DANE could mitigate that, but it is currently neither widely deployed for non-SMTP services nor validated by common applications apart from MTAs.
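To show the DANE point above concretely, here is an added example that is not from the post or from IPFire: a minimal RFC 6698 TLSA matcher for DANE-EE records (usage 3) run over two constructed, certificate-shaped DER blobs, one carrying the key the operator published in DNS and one with a different key, as a fraudulently issued certificate for the same name would carry. Only the first matches the DNS-published hash, regardless of which CA signed either; the DER parser, `fake_cert` and all sample bytes are constructed for this example.

```python
import hashlib

def _tlv(buf, pos=0):  # parse one DER TLV -> (tag, value, end offset)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def _children(value):  # split a constructed DER value into its child TLVs
    out, p = [], 0
    while p < len(value):
        out.append(value[p:_tlv(value, p)[2]])
        p += len(out[-1])
    return out

def spki_from_cert(cert_der):  # SubjectPublicKeyInfo TLV of an X.509 cert
    fields = _children(_tlv(_children(_tlv(cert_der)[1])[0])[1])  # tbsCertificate
    if fields[0][0] == 0xA0:  # skip the optional explicit [0] version
        fields = fields[1:]
    return fields[5]  # serial, sigAlg, issuer, validity, subject, SPKI

def tlsa_matches(record, cert_der):
    """RFC 6698 match for a DANE-EE TLSA record given as (usage, selector, mtype, hex)."""
    usage, selector, mtype, assoc = record
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) end-entity matching is shown here")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)  # selector 1 = SPKI
    digest = {0: bytes, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return digest == bytes.fromhex(assoc)

def _der(tag, value):  # encoder for the constructed samples (short-form lengths)
    return bytes([tag, len(value)]) + value

def fake_cert(spki_body, issuer):  # constructed X.509 field layout, not a real cert
    ph = _der(0x30, b"\x05\x00")  # placeholder for sigAlg / validity / subject
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + ph
           + _der(0x30, issuer) + ph + ph + _der(0x30, spki_body))
    return _der(0x30, _der(0x30, tbs) + ph + _der(0x03, b"\x00"))

# Constructed samples: the operator's key, and a different key in a certificate a CA-trusting client would accept too.
LEGIT_SPKI = b"\x06\x03\x2a\x03\x04\x03\x03\x00\xaa\xbb"
LEGIT_CERT = fake_cert(LEGIT_SPKI, b"\x0c\x05legit")
ROGUE_CERT = fake_cert(b"\x06\x03\x2a\x03\x04\x03\x03\x00\xcc\xdd", b"\x0c\x05rogue")
# The TLSA record "3 1 1 <sha256 of SPKI>" as the operator would publish it in DNS
TLSA = (3, 1, 1, hashlib.sha256(_der(0x30, LEGIT_SPKI)).hexdigest())
if __name__ == "__main__":
    print("legit:", tlsa_matches(TLSA, LEGIT_CERT))  # True
    print("rogue:", tlsa_matches(TLSA, ROGUE_CERT))  # False
```

In practice the record comes from a DNSSEC-validated lookup of `_443._tcp.<host>`, and the client must refuse the connection when no record matches.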
A very sophisticated drive-by download...
If this redirection infrastructure finds a targeted computer to be vulnerable to publicly available or undisclosed exploits (so-called zero-day exploits, as the vendor has had zero days to patch the corresponding vulnerability), a dropper is injected into the traffic, ultimately installing the desired malware on the target. Technically, in most cases it is just a very sophisticated drive-by download.
Compromising devices by transparently injecting malware into their communications is technically not a difficult task (if you do penetration testing, you might have used this technique as well). However, such government attacks have so far only been known from rogue states such as Morocco, Turkey, or Bahrain. It is bad to see Germany appearing on this list...
So, if this is all bad, why is the German government proposing it?
As of today, state trojans are mostly deployed by having physical access to the target systems. This obviously violates the sanctity of the home as guaranteed by Article 13 of the Basic Law for the Federal Republic of Germany (Grundgesetz der Bundesrepublik Deutschland), which is why a judicial decision is obligatory unless there is imminent danger.
But what if the target moves a lot (e. g. a commercial traveler), has a very good alarm system in place - or the judge refused to approve?
Deploying the state trojan via network attacks does not interfere with the sanctity of the home, thus reducing constitutional legal hurdles. It is not difficult to imagine that this might be used for bypassing democratic control measures.
If physical access is required, compromising systems en masse is a nightmare. If you can do so remotely (and perhaps automated), this makes it much easier.
Eroding privileges. One at a time.
The state trojan was meant to be the ultima ratio when it was introduced in 2009. It could only be used by the Federal Criminal Police Office (Bundeskriminalamt) in case of international terrorism and preventing terrorist attacks.
Once such laws are introduced, governments usually get a taste for them. As of today, any police authority may use it even in cases of crimes less severe than terrorism, such as counterfeiting money or violations of the Narcotics Act (Betäubungsmittelgesetz, e. g. drug consumption or trafficking).
As you can see, compromising devices has become an increasingly common measure for law enforcement agencies. It is probably going to be extended to intelligence agencies within a short amount of time. For obvious historical reasons, the German state grants police and intelligence agencies only certain, separate powers, so that too much power is not concentrated in one organisation that could turn against the people.
At IPFire, we fight to protect your network. Frankly, this was complicated enough before governments legalised hacking by intelligence agencies. This German bill will not make anything more secure. Instead, it will turn defense against security vulnerabilities even more into an arms race.
This is not an example of "the opposite of good is good intentions". This is beyond dangerous.
Imagine, for example, cyber criminals or foreign intelligence agencies (ab)using that redirection infrastructure in order to deploy their own malware. Perhaps they will also be able to take advantage of some zero-day exploits left on servers in that infrastructure (the CIA suffered a similar breach in 2017). In the blink of an eye, arbitrary malware could be placed on a significant number of computers compromised that way. Ransomware attacks such as WannaCry or NotPetya come to mind...
Imagine compromised machines being vulnerable to other attacks as well, because some security measures have been turned off. Imagine surveillance abuse. Imagine future governments abusing this feature for the persecution of unwanted people or political opponents - with a view to current political events, one may be concerned about personal liberties being restricted.
A blog series regarding countermeasures
In order to make it harder for attackers to compromise your network that way, this post is the first of a small series on countermeasures. It is provided in the hope that it will be useful and help to improve the overall security of your networks, especially if you are a more threatened individual such as an investigative journalist, human rights activist, whistleblower, etc.
We will start next week by providing advice on whom to trust and how to establish a security-focussed mindset. Afterwards, we will focus on specific technical aspects and advise on how to configure IPFire machines as securely as possible - as IPFire already implements effective mitigations against those attacks.
All in all, it is just about raising the bar. Unfortunately, it seems we can no longer count on legal guarantees.