State hacking: dispute over the vulnerability



As of: January 10, 2024 3:05 p.m

The federal government wants to regulate which software gaps can be used for surveillance. But the so-called vulnerability management is still a long time coming. But how does the state actually become a hacker?

A few weeks ago it happened again. The Federal Office for Information Security (BSI) publicly warned of a vulnerability in software from an Australian-American manufacturer. “The CVE-2023-22518 (…) vulnerability is being actively exploited,” said the cybersecurity agency. Attackers from outside could get into the program unnoticed, so users should close the gateway as quickly as possible with a software update.

It is the legal task of the BSI to warn government institutions, companies and citizens about malware and security gaps in software and thus make the networks in Germany more secure. But within the local authorities, not everyone is in favor of reporting such vulnerabilities as soon as they are discovered. Because the state is now a hacker itself.

Secret services and police exploit programming errors in IT systems to secretly install surveillance software, so-called “state Trojans,” on the computers and smartphones of targets, for example in order to monitor encrypted communication via chat programs such as WhatsApp or Telegram.

Report or exploit?

So how should the state deal with these vulnerabilities and the “exploits” that use them: report them and thus close them – or keep them open and exploit them for hacking operations? The discussion about this is already several years old. However, the current federal government promised in the coalition agreement to address the issue specifically. According to the announcement two years ago, so-called “vulnerability management” should be introduced.

“The exploitation of vulnerabilities in IT systems is in a highly problematic relationship with IT security and civil rights,” says the coalition agreement. “The state will therefore not purchase or keep open security gaps, but will always strive to close them as quickly as possible through vulnerability management under the leadership of a more independent Federal Office for Information Security.”

According to WDR research, however, almost nothing has happened in this regard so far. There is still no vulnerability management. There are said to be different ideas among the coalition parties about what such a process should look like – and how strict it actually has to be.

Voting continues

The Greens and the FDP are two parties in the government that are rather skeptical about the authorities’ extensive surveillance powers. For a long time they rejected the “state trojan,” especially for intelligence services.

“The implementation of the project to introduce ‘effective vulnerability management’ from the coalition agreement (…) has not yet been completed,” said a spokeswoman for the Federal Ministry of the Interior upon request. “The coordination between the authorities concerned and the departments regarding the specific design and implementation is ongoing.”

The coalition members’ working group “AG BSI” met a few times last year. On the agenda was the future role of the cybersecurity authority BSI and also the question of what vulnerability management could look like. However, a formal procedure as to which exploits can be closed and which can be exploited by the authorities has not yet been established. The working group will meet again next week.

Then it will probably again be about the conflict of interest between security authorities such as the Federal Criminal Police Office (BKA) or the Federal Intelligence Service (BND) on the one hand, and the cybersecurity authority BSI on the other.

The police authorities and the intelligence services are supposed to prevent terrorist attacks, solve crimes and obtain information from war and crisis areas. According to the authorities, the so-called “state Trojans” are increasingly necessary for this purpose.

To date, this has been carried out relatively rarely

After a change to the Code of Criminal Procedure in 2017, the German police are now allowed to use such programs not only to avert danger, but also, following a court order, to investigate certain crimes. However, such measures have so far been carried out relatively rarely, but their numbers are increasing.

There are no current figures on this, but the Federal Office of Justice has published statistics from previous years: investigators nationwide were given permission to use such spying programs 48 times in 2020. In 2021 there were 55 orders, with 35 surveillance measures actually taking place. For comparison: in 2021 there were 17,225 orders for regular telephone monitoring.

Used in investigations against the Reichsbürger network

According to WDR research, the BKA investigators used so-called state trojans several times in the proceedings against the Reichsbürger network surrounding the Frankfurt businessman Heinrich XIII Prince Reuß and the former Berlin AfD member of the Bundestag Birgit Malsack-Winkemann.

For example, the investigators secretly installed the surveillance software on Reuß’ cell phone on October 31, 2022, at 10:07 a.m. They then extracted data from the device for around a month, including Telegram chats.

According to WDR research, the software used is said to be the surveillance program of an Israeli manufacturer, which the BKA acquired a few years ago. When asked, the BKA did not want to comment on this “for tactical reasons”.

The practical case illustrates why the debate about vulnerability management sometimes resembles a phantom discussion: Although the BKA has programmed “state trojans” itself over years of development work, these often do not meet the investigators’ requirements. It is rather the exception that German authorities discover useful vulnerabilities themselves.

Mainly commercial tools used

The authorities often lack the necessary money to purchase vulnerabilities from specialized dealers, because knowledge of the really useful gaps is very expensive. Therefore, mainly commercial tools are used.

As a rule, only the manufacturer knows exactly which vulnerabilities these purchased Trojans exploit. They are often well-guarded trade secrets.

Companies are unlikely to have much interest in disclosing how their products work – especially if this could mean that in the future, as part of vulnerability management in Germany, a decision will be made to publicly warn about exactly these vulnerabilities.
