Legal certainty | Cybersecurity Blog Fraunhofer AISEC

Increased legal certainty for ‘white hat hackers’

Despite taking every precaution, IT-based systems and products are rarely completely free of security vulnerabilities. In order to detect and fix vulnerabilities and attack areas early on, software and hardware must endure rigorous security testing. However, cybersecurity researchers who report vulnerabilities responsibly and in the interest of common good (so-called “white hat hackers”) are currently at risk of criminal prosecution. The Fraunhofer Institute for Applied and Integrated Security AISEC has responded by developing an internal procedure based on best-practice processes for dealing with vulnerabilities discovered by its researchers. Fraunhofer AISEC has also collaborated with the Sec4Research interdisciplinary research team to produce a white paper suggesting ways to improve the legal situation of “white hat hackers” from within the research community.

Security researchers on legal thin ice

Under current German legislation, some of the tools and practices crucial to uncovering vulnerabilities, and by extension to the work of IT security researchers, are legally prohibited.

For example, reverse engineering is used in security testing to reveal how an unknown system or product functions so that it can be analyzed for vulnerabilities. Under copyright law, certain forms of reverse engineering are permitted, but only with the permission of the creator. However, IT systems are made up of various components from different, international manufacturers, so it is virtually impossible in practice to obtain every creator’s consent. This means that reverse engineering activities pose incalculable liability risks for cybersecurity researchers, who have considerably fewer legal resources at their disposal than the companies responsible for the products.

Coordinated disclosure procedures at Fraunhofer AISEC

Due to the lack of legal requirements, Fraunhofer AISEC has adopted a coordinated vulnerability disclosure (CVD) process that outlines how researchers should handle identified security-related vulnerabilities. This process neither discloses vulnerabilities directly and in full to manufacturers, users, other researchers, intelligence agencies and criminals alike (so-called full disclosure), nor does it ignore or downplay any identified security risk. The goal is simply to find a solution that is favorable for users and manufacturers, prevents criminal misuse of the product vulnerability and safeguards the security of the public.

This procedure for disclosing vulnerabilities applies exclusively to vulnerabilities revealed during Fraunhofer AISEC research projects or as part of publicly funded projects. Any security concerns identified during contractual research for industry partners are confidentially disclosed solely to the customer and are not subject to the coordinated vulnerability disclosure process.

Fig. 1: Coordinated vulnerability disclosure at Fraunhofer AISEC

Steps 1 and 2: Discovering and assessing a vulnerability

Any security-relevant vulnerabilities found in the course of Fraunhofer AISEC’s own research are documented internally and then checked against the CVE list (Common Vulnerabilities and Exposures, www.cve.org) to see whether they have already been recorded and are therefore publicly known. The process also involves an internal ethics review board comprising Fraunhofer AISEC’s offensive IT security research experts. These experts perform a confidential initial assessment of the severity of the discovered vulnerability and can then advise the researchers and the institute’s management on how best to inform those responsible for the product.

Step 3: Report to the party responsible

If the discovered vulnerability is relevant to the security of the product, but is not yet known to the public, the responsible product manufacturers are informed. Where possible, this is followed by a concrete solution outlining ways of preventing any negative effects resulting from the vulnerability.

Meanwhile, Fraunhofer AISEC reserves an ID number in the MITRE Corporation’s CVE database; the reserved entry does not yet contain any specific information about the security risk. Should the responsible manufacturer itself be a CNA (CVE Numbering Authority, i.e. an IT provider, security company or research institution that issues and manages CVE numbers together with the MITRE Corporation), the vulnerability is registered in that manufacturer’s database.

Unfortunately, only a few manufacturers have established processes for receiving vulnerability reports in line with ISO standard 30111 “Vulnerability handling processes”, which makes it difficult for researchers to identify the relevant contact person and to submit security information about the vulnerability in encrypted form. We therefore advise all manufacturers to set up reporting portals and the necessary processes. We are happy to advise you on this.

The process is simpler for vulnerabilities discovered in open source projects. It is generally easier to get in touch with the developers of the software and notify them of the issues. Furthermore, there are no criminal charges to be feared.

Steps 4 and 5: Rectifying the security vulnerability and publication

A security vulnerability should be rectified immediately by either the manufacturer or the operator. Fraunhofer AISEC and the manufacturer subsequently publish information about the rectified vulnerability to the public either by means of a scientific paper or a blog post.

However, if the deadline set by the ethics review board passes and no feedback has been received from the manufacturer, or there is reason to believe that no solution will be developed, then Fraunhofer AISEC publishes the vulnerability with the respective CVE reference so that users can take the appropriate precautions and prevent any damage.

This process of coordinated or responsible vulnerability disclosure, like the one implemented at Fraunhofer AISEC, is currently not supported by the German legal framework. However, these processes are vital in order to differentiate scientists acting in the public interest from cybercriminals and to ensure that research institutes can continue to develop effective protective measures against new attacks and security vulnerabilities without facing legal ramifications.

The need for legislative reforms for offensive security research

Fraunhofer AISEC teamed up with the Sec4Research interdisciplinary research team to bring attention to legislative gaps and to allow security researchers to disclose vulnerabilities safely and legally. The co-authored whitepaper compiled in 2021 explores the current legal situation surrounding the discovery and the disclosure of security vulnerabilities. In it, 22 authors call for legal clarity for IT security research, defined standards for dealing with security vulnerabilities, international cooperation as well as a clear commitment on the part of policymakers to cybersecurity research.

Fraunhofer AISEC's recommendations for action

In addition to the whitepaper, Fraunhofer AISEC proposes three practical recommended actions to ensure that vulnerabilities are disclosed in a legally compliant and responsible manner across Germany to protect those affected and reinforce the security of IT-based systems and products:

  • Legalization of reverse engineering in software: While hardware can be disassembled and analyzed, software licensing terms have so far prohibited almost all attempts involving the examination of software to identify individual components and their relationships to each other. This significantly restricts the possibility of discovering security vulnerabilities and protecting users.
  • Developing an independent reporting office: An independent reporting office for vulnerability discoveries is necessary for IT security researchers to be able to clearly distinguish themselves from cybercriminals and to prove their good intentions for the general public. It should coordinate and document if and when manufacturers have been notified about a vulnerability found in one of their products.
  • Establishing a service organization: Beyond the current legal situation, the balance of power between ethical hackers and the manufacturers or operators of vulnerable products is clearly skewed. An independent organization, modeled on the French Cybersecurity Advisors Network (CyAN) initiative, could help by providing consulting services and legal assistance to white hat hackers. At the same time, this organization could encourage an exchange with large corporations on an equal footing and promote ethical hackers’ interests at the political level.

Politics, society and IT system manufacturers and operators must strive to create conditions which allow for the responsible and coordinated disclosure of IT security vulnerabilities, prevent damage to users and companies, and ensure that Germany continues to be an internationally competitive location for IT security research.

Additional information

» Sec4Research homepage: https://sec4research.de/english

» Fraunhofer AISEC homepage: https://www.aisec.fraunhofer.de/en.html

Authors
Marc Schink

Marc Schink carries out research in the field of “Hardware Security” at Fraunhofer AISEC. In his private life as well as at the institute, he strives to detect vulnerabilities in hardware and software. He has conducted several vulnerability disclosure processes with renowned and international manufacturers.

Dieter Schuster

Dieter Schuster works in the research department “Product Protection and Industrial Security” at Fraunhofer AISEC. He coordinates the field of Offensive Security and Penetration Testing.
