The Federal Criminal Police Office (BKA) and the Central Office for Information Technology in the Security Sector (Zitis) are reportedly holding zero-day exploits, according to the hacking authority. Both local security authorities are partnering with the Dutch Forensic Institute, the Norwegian police, and the French company Synacktiv in the Overclock project. The project is aimed at providing investigators with “live” access to encrypted smartphones. It started on October 1, 2021 and will run for 36 months. It builds on the predecessor initiative Cerberus, a platform used by EU law enforcement agencies to crack passwords and access encrypted devices, which the EU is funding with 3.8 million euros.
Overclock aims to enable “readable data extraction” from criminals’ secured IT devices at the highest level “by discovering technical vulnerabilities and reverse engineering the applications used by criminal networks”. The participants want real-time access through a “special exploit”, which makes it partially possible to read out data “without having to crack the original password.” Security experts suggest that people involved in Overclock might have found zero-day vulnerabilities “in specially adapted smartphones and their basic versions.” These are security gaps that are not yet known to the general public and are therefore particularly dangerous.
In response to the project, Cornelia Ernst, MEP for The Left, asked the Commission in October what types of vulnerabilities were being exploited for the intended live access. The response from Home Affairs Commissioner Ylva Johansson, which has been available since the end of January, contradicts the project description on the basis of which the Brussels government institution released the state funds. The Swede claims that Overclock “is not intended for research or the development of any form of spyware or real-time access to encrypted devices”. The project is only meant to provide “crime scene investigation guidelines for law enforcement to ensure proper handling of encrypted devices.”
State Secretary Johann Saathoff said last week, in an answer to a question from member of parliament Anke Domscheit-Berg, that the federal government had “no knowledge” about such security gaps within the framework of the project. The topic is delicate because, in the coalition agreement, the traffic light government alliance spoke out in favour of the state “not buying any security gaps or keeping them open” and “always taking action”, under the leadership of a more independent Federal Office for Information Security (BSI), to try to close them as soon as possible.