The security of the special electronic lawyer mailbox (beA) has been controversial for years. Interested parties can now form their own picture of at least the early versions of the application and of the details of its vulnerability management. Following Freedom of Information Act requests by FragDenStaat and the Society for Civil Rights (Gesellschaft für Freiheitsrechte, GFF), the Federal Bar Association (BRAK) has now released dozens of documents on the beA, including security audits, results of penetration tests and contracts between the institution and its former service partner Atos.
According to one of the reports, Atos carried out, among other things, “16 complex test cases”, all of which were completed without errors. A 2015 security analysis by SEC Consult, which the BRAK had already largely released in November, refers to three weaknesses relating to a non-persistent cross-site scripting flaw rated as only “low” risk. Markus Drenger from the Chaos Computer Club (CCC) discovered the same gap in 2017, so it must have been exploitable for around two years. However, Atos had told the BRAK that it had closed the gap. The IT service provider has since taken over SEC Consult.
Thousands of pages of released material go into detail
In total, the released material comprises thousands of pages. It goes into the nitty-gritty, such as the special rules for the payment plan with Atos. In the dispute over access to the files, the BRAK had invoked, in vain, the existence of trade and business secrets in the contracts and in the security tests. The Berlin Administrative Court ruled in July that the BRAK had to hand over most of the documents requested. The defendant initially appealed to the Higher Administrative Court, but later withdrew the appeal.
“This means that the BRAK fails with its tactic of hiding its wrong decisions in connection with the beA,” explains Arne Semsrott from FragDenStaat. The lawyers’ mailbox started in 2018 with many security mishaps; the servers had to be switched off temporarily. A security analysis by Secunet in 2018 pointed to many security gaps which, according to the BRAK, have since been closed.
Minimum standard: end-to-end encryption
The beA’s distinctive design feature, that communication passing through it can be “re-encrypted” on a BRAK server using a hardware security module (HSM), remains hotly contested. This breaks the continuous chain of confidentiality: because messages are temporarily decrypted and then re-encrypted, access to sensitive messages inside the HSM is at least technically possible in principle.
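As an added illustration (not part of the original article and not the beA’s own code), the following Python model contrasts the two designs: a relay that unwraps and re-wraps the per-message content key, as the HSM re-encryption step does, versus a sender that wraps the content key for the recipient directly. The `Relay` class and the `compare()` harness are hypothetical, and the cipher is a toy construction chosen so the example runs with the standard library only.

```python
import hashlib
import hmac
import os

# Toy authenticated cipher (SHA-256 counter keystream + HMAC tag), for
# demonstration only; a real system would use AES-GCM or similar.
def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class Relay:
    """Hypothetical mailbox server. In the re-encryption design it holds a
    key (the HSM key) and unwraps content keys; in the end-to-end design it
    only forwards what it receives and never holds any key."""
    def __init__(self):
        self.hsm_key = os.urandom(32)
        self.content_keys_seen = []  # every key the relay could decrypt with

    def re_encrypt(self, wrapped_key: bytes, recipient_key: bytes) -> bytes:
        content_key = unseal(self.hsm_key, wrapped_key)  # plaintext key on server
        self.content_keys_seen.append(content_key)
        return seal(recipient_key, content_key)

def deliver(relay: Relay, recipient_key: bytes, msg: bytes, end_to_end: bool) -> bytes:
    content_key = os.urandom(32)
    body = seal(content_key, msg)           # message body, same in both designs
    if end_to_end:
        wrapped = seal(recipient_key, content_key)  # sender wraps for recipient
    else:
        wrapped = relay.re_encrypt(seal(relay.hsm_key, content_key), recipient_key)
    return unseal(unseal(recipient_key, wrapped), body)  # recipient side

def compare(msg: bytes) -> dict:
    """Run both designs on a constructed message and report who could read it."""
    results = {}
    for mode in ("re_encryption", "end_to_end"):
        relay = Relay()
        out = deliver(relay, os.urandom(32), msg, end_to_end=(mode == "end_to_end"))
        results[mode] = {"delivered": out == msg,
                         "relay_could_read": bool(relay.content_keys_seen)}
    return results
```

Both designs deliver the message intact; only the re-encryption design leaves the intermediary holding a key that decrypts the body, which is the confidentiality gap the lawsuit is about.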
Several lawyers, together with the GFF, are suing against this approach. They are pushing for greater security through end-to-end encryption. The Federal Court of Justice will hear the case on March 22 (case no. AnwZ (Brfg) 2/20), after the Berlin Higher Lawyers’ Court rejected the lawsuit in 2019. “A beA that is only halfway secure is unacceptable,” emphasizes GFF chairman Ulf Buermeyer. The minimum standard of end-to-end encryption for secure communication should not be undercut by lawyers, of all people. The federal government considers the decryption risk to be acceptable.