BKA and Zitis are looking for zero-day exploits – the federal government knows nothing about them
“See nothing, hear nothing, say nothing” is the motto of the Federal Government and the EU Commission when it comes to the zero-day exploits that the Federal Criminal Police Office (BKA) and the Central Office for Information Technology in the Security Sector (Zitis), known as the “hacking authority”, apparently have in their hands. Both German security authorities, together with the Netherlands Forensic Institute, the Norwegian police and the French company Synacktiv, are partners in the Overclock project, which the EU is funding with 3.8 million euros, covering 90 percent of its budget. Its main goal is to give investigators “live access” to encrypted smartphones.
Overclock stands for “Operational Vanguard: Using Encryption Research to Fight Crime (‘Lockdown’)”. The project started on October 1, 2021, runs for 36 months and is coordinated by the French Ministry of the Interior. It builds on the predecessor initiative Cerberus, a platform used by EU law enforcement agencies to crack passwords and gain access to encrypted devices.
According to the official project description, Overclock aims to enable “readable data extraction” from the secured IT devices of criminals at the highest level “by discovering technical vulnerabilities and reverse engineering the applications used by criminal networks”. The desired real-time access is to be achieved through a “special exploit”. Such a hack makes it possible to read data “without having to crack the original password”, i.e. without brute-forcing the device passcode as classic forensic extraction does. This can even be done remotely, without physical access to the device. In the best case, organized criminal networks that rely on encryption are to be broken up in this way.
In view of these announcements, Sven Herpig, security expert at the Stiftung Neue Verantwortung (New Responsibility Foundation), assumes in an assessment on Twitter that those involved in Overclock have meanwhile found zero-day vulnerabilities “in specially adapted smartphones and their base versions”. These are security gaps not yet known to the manufacturer or the public, for which no patch therefore exists, which makes them particularly dangerous. The BKA is also involved in the similar EU project Exfiles, which likewise deals with smartphone exploits.
Cornelia Ernst, MEP for The Left, asked the Commission in October what types of vulnerabilities were being exploited for the intended live access. The response from Home Affairs Commissioner Ylva Johansson, available since the end of January, is astonishing because it completely contradicts the project description on the basis of which the Brussels institution released the funds. The Swede, who is currently pushing the highly controversial chat control and the associated attack on end-to-end encryption, claims that Overclock “is not intended for research or the development of any form of spyware or real-time access to encrypted devices.”
“Guidelines for Crime Scene Investigations for Law Enforcement”
According to Johansson, the project is intended only to provide “crime scene investigation guidelines for law enforcement to ensure proper handling of encrypted devices discovered during an investigation.” Implementation takes place on an “existing secure Europol platform for law enforcement”. In addition, the parties involved are working on a “forensic tool to support lawful access to data on devices”.
According to Herpig, if Overclock is looking for zero-day exploits for smartphones and the BKA and Zitis are involved, it is logical “that these authorities also have access to the vulnerabilities”. State Secretary Johann Saathoff, however, said last week in an answer to a question from member of parliament Anke Domscheit-Berg that the federal government had “no knowledge” of such security gaps within the framework of the project. Domscheit-Berg’s parliamentary colleague Andrej Hunko was told by the SPD politician that Overclock would “consider the state-of-the-art password search methods” and, if necessary, “optimize” them for the Europol platform. Apparently the Ministry of the Interior has not even read the project description.
The topic is sensitive: in its coalition agreement, the “traffic light” government alliance actually spoke out in favor of the state not “buying any security gaps or keeping them open”, but instead “always striving for the fastest possible closure” under the leadership of a more independent Federal Office for Information Security (BSI). A good year ago the Federal Ministry of the Interior (BMI) said that the Federal Government was still working through this question. The interdepartmental “formation of an opinion on effective vulnerability management” has not yet been completed.
The responsible BSI “is not aware of any security gaps found by a federal authority that were not communicated to the manufacturer,” the BMI also said at the time. In the cyber security strategy for Germany, revised in 2021, former Federal Minister of the Interior Horst Seehofer (CSU) still prevailed with his line on the use of zero-day exploits.
It is known that Europol has been operating a decryption platform since the end of 2020. European security authorities have also succeeded in siphoning off communications on a large scale from more or less well-encrypted crypto messengers such as EncroChat, Sky ECC, Anom and Exclu. Senior Public Prosecutor Markus Hartmann recently stated that end-to-end encryption, at least in the area of child sexual abuse, proved to be a genuine obstacle to investigation in only a very small number of cases.