The BSI has published its first report on digital consumer protection. It is particularly concerned about the Internet of Things and health apps.
Far too often, software and systems contain “highly complex vulnerabilities” that cause harm to society. The Federal Office for Information Security (BSI) criticizes this in its report on digital consumer protection, which was published for the first time on Wednesday. “Consumers were often helplessly at the mercy of these incidents, especially since, due to the technical and sometimes complex circumstances, no traceability could be achieved.” The report summarizes the previous year for multipliers such as consumer protection organizations and associations. According to it, relevant incidents occurred in the area of applications for the Internet of Things. The collections of security vulnerabilities in TCP/IP stacks known under the names Ripple20 and Amnesia:33 presented “a special challenge” for consumers.
Lack of willingness to react
The technical complexity is very high, which also means that even experienced users are hardly aware of how affected they are, the BSI explains. Furthermore, “it is not clear for many of the affected devices how they can receive the necessary update to close the security gaps”. This is “a serious omission in the security design of the products”.
The authority also complains about the partial lack of willingness to react on the part of the providers concerned: in December it was found that, of the 31 companies contacted in September as part of the “Coordinated Vulnerability Disclosure” process, a certain number had not responded at all.
Networked doorbells and Windows 7 installations
Dangerous security gaps also occurred in networked doorbells and “smart” toys, the 30-page report says. Even products that are not in the direct focus of consumers, such as WLAN routers, “were noticed for deficiencies in IT security”. As the “heart of every networked household”, however, these are of particular importance for IT security. The BSI has published a technical guideline for them, but it is controversial.
The “sheer mass of security gaps found” shows, according to the authority, “that IT security in the development process was by no means given the consideration that would be necessary for a holistically secure product”. Apparently there was no incentive to do so. This carelessness extends to both providers and consumers. Another example: more than eight percent of the Microsoft operating systems used in Germany were still running Windows 7 at the end of 2020. This corresponds to around four million systems that have not been supplied with security updates free of charge since January 14, 2020 and are thus “progressively more vulnerable unless this support is purchased”.
Banal configuration errors on servers
According to the BSI, it is therefore necessary to provide “area-wide troubleshooting measures and updates for affected products in order to prevent the active exploitation of vulnerabilities by criminals”. Equally, consumers need to be better informed about potential risks. For example, it is known that security updates are sometimes ignored for long periods of time, “which means that significant risks are unconsciously taken”.
Leaky IT systems are another major problem according to the report. It is often “simply due to comparatively banal configuration errors on the server” that customer databases with millions of records can be retrieved without great effort. In January 2020, this applied to the data of around three million customers of the Buchbinder car rental company. Those affected “also included numerous personalities from politics and administration”. Among them was BSI President Arne Schönbohm, whose movement data was also posted online. Ransomware attacks are now also followed by ransom demands and threats to publish the captured data.
No plan for dealing with vulnerabilities found
One focus of the BSI’s consumer work in recent months has been the topic of cyber security in healthcare, for which the BSI has already published special reports. In addition, there is now a new study in which the experts examined seven selected health apps that are not available on prescription and probed them for major weaknesses. According to Nicolas Stöcker from the BSI, these included particularly popular as well as more specialized services. His summary: “We found that there was simply a lack of a holistic understanding of IT security.”
All of the apps used cloud environments from several providers at the same time, which represents an increased risk, Stöcker explained. Six of the seven applications were vulnerable to a “man-in-the-middle” attack. Once the transport encryption had been overcome, it became apparent that in just as many cases “passwords are transmitted in plain text”. The manufacturers, with whom the BSI is in talks and who are therefore not yet being named, have disregarded such common standards and recommendations. Half of them also had no plan for dealing with the vulnerabilities found.
Smart Home instead of “Stupid Home”
The authors touch only briefly on the Corona-Warn-App. From the outset, the authority supported its development in an advisory capacity and carried out penetration tests of the code. The implementation of “security by design” was given “top priority”. According to the BSI, the Covid-19 pandemic has generally shown “how quickly and flexibly cybercriminals can act”. The diverse use of attack tools such as “phishing emails or DDoS attacks on digital offers” provides an “exemplary insight into the danger situation”.
BSI boss Schönbohm welcomed the decision of the Bundestag, with the IT Security Act 2.0, to entrust the office with the task of digital consumer protection. In the future, “as many consumer products as possible should have an IT security label”. It is important to prevent the smart home from turning into a “stupid home” “due to sloppy work”. The BSI has set up a special department and an advisory board for the new function and is reaching out to citizens with the information campaign “#justaBSichern”. The consumer report will be continuously expanded and published annually.