When I tell people what I do for a living, they usually react with curiosity, but often with a certain skepticism as well. Can you really call it ethical hacker work? Is it legal at all?
That’s exactly why we’re taking a closer look at what the legal situation is with hacking in Germany, what options are available for hacking quite legally, and why we actually need many more hackers in this age of digitalization.
What is a hacker?
If you ask one of the search engines of your choice, you will quickly get all kinds of hits. Basically, though, they all sound relatively the same:
According to Google’s top result, hackers are people who
gain unauthorized entry into other computer systems by cleverly trying out and applying various computer programs using a computer.
The definition is a good example of how hackers are generally viewed by the public. Namely as "the bad guys" that "penetrate other computer systems without authorization". All with the sole purpose of harming others, be it for financial reasons or simply for the sake of chaos.
Of course, this view is only one side of the coin.
Hackers in the 21st century
The 21st century is all about digitalization. Industry 4.0, Internet of Things, cloud, AI: you can hardly escape the buzzwords any more. Everything has to be networked, automated and as fast as possible. Of course, one’s own speed compared to the competition plays a significant role in this process. Whoever gets their product to market first can conquer the market first. Adequate security for these new digital landscapes and gadgets, on the other hand, only costs time and money, and therefore almost always plays a minor role. The problem is that this tactic of many manufacturers may go well in the short term, but in the long term it is merely a question of when a security incident occurs, not whether it occurs at all.
In a more connected world, the consequences of a successful cyberattack are also becoming more serious. In 2016, for example, there was a cyberattack on a water treatment plant in the USA, in which hundreds of people were poisoned. The hackers managed to penetrate the control system and change the composition of the treatment chemicals. If drinking water prepared in this way had been put into circulation, it could have led to a catastrophe.
The Chaotic Evil
Colloquially, these "classic" hackers are also known as crackers, or more often as black hat hackers.
So we know that absolute security is simply impossible. Software today, especially in how its components interact with each other, is far too complex for that. So what can we do to stay one step ahead of the black hats?
The Lawful Good
The answer: manufacturers simply pay a few hackers to attack their own systems using the same means as the black hats. But the important thing is that the hackers have official permission to do so. The whole thing must also be contractually agreed in advance.
Now, if any vulnerabilities are found, the hackers report them directly to the manufacturers, who can then fix the gaps without anybody coming to harm. Such a procedure is referred to as a penetration test. Hackers who act only with permission and within the legal framework are generally referred to as white hat hackers.
The Chaotic Neutral
If there are white hats and black hats, then surely there are grey hat hackers too, right? Grey hats are those who walk a very fine line of legality and are happy to violate a law or two, on the condition that the act ultimately serves a higher goal.
In 2018, for example, a Russian hacker took over more than 100,000 MikroTik routers and eliminated the vulnerabilities in them himself.
In the same year, another hacker took control of 50,000 printers around the world. Instead of stealing data or installing malware on them, he chose to print advertisements for PewDiePie’s channel, in order to support PewDiePie in his fight against T-Series for the channel with the most subscribers.
Hacking in Germany
So what does the legal situation in Germany actually look like? At what point does the state officially regard me as a black hat hacker?
The linchpin is §§ 202a to 202d of the German Criminal Code (StGB). These are subsections of the provisions on the secrecy of correspondence, which regulate the transmission of data by physical means.
When the subsections were newly introduced in 1986, mere hacking, i.e. penetrating systems without also acquiring data, was not yet illegal. At that time, the Internet was still uncharted territory and there was a fear of overcriminalization.
Spying out data
It was not until 11 August 2007 that the law was finally tightened. Since then, "unauthorized gaining of access" has been a criminal offense. § 202a literally states:
(1) Whoever, without authorization, gains access for himself or another to data which is not intended for him and which is specially secured against unauthorized access, by overcoming the access security, shall be punished with imprisonment for not more than three years or with a fine.
Source: § 202a Spying out of data
Particularly interesting is the clause "by overcoming the access security". At what point is data considered to be secured against unauthorized access?
We speak of access security when a not inconsiderable amount of effort is required to access the data. No distinction is made between digital and physical security. This means that a hard disk locked in a box falls under it just as much as one secured with encryption.
If a layman, i.e. someone without any background knowledge, manages to bypass the security without any effort, one can no longer speak of access security. Basically, however, it can be said that the entire passage was deliberately worded in a very woolly manner and can generally be interpreted broadly.
Data ≠ Data
To distinguish it from the secrecy of correspondence, I want to mention that when the subsections speak of data, the law means exclusively digital data, namely data that is "electronically, magnetically or otherwise not directly perceptible".
Interception of data
Section 202b deals with the unauthorized interception of data. In detail it says there:
Whoever, without authorization, obtains data from a non-public data transmission or from the electromagnetic radiation of a data processing system for himself or another person by using technical means not intended for him, shall be punished by imprisonment for not more than two years or by a fine, unless the act is punishable by more severe penalties under other provisions.
Source: § 202b Interception of data
An example of such interception of data would be if I eavesdropped on and recorded my neighbor’s WLAN connection without permission. The paragraph does not explicitly require that the data also be encrypted. It does, however, say that the data must originate from a "non-public data transmission". With WLAN, the router basically transmits in all directions. So in the case of an unencrypted connection, such as in the Starbucks around the corner, can one really still speak of a "non-public data transmission"?
No encryption, no mercy?
Yes and no. Every average consumer will say that an unencrypted WLAN is clearly public. Colloquially we even call this a public WLAN hotspot. On the other hand, the exact recipient’s address is included in every data packet transmitted. It could be argued that the transmission can therefore be regarded as non-public.
As complex as the interpretation may sound in theory, in practice the paragraph has so far had very little relevance in court.
Preparing to spy on and intercept data
With the next paragraph, however, it gets much more exciting. § 202c is probably the best known and at the same time the most critical of the four subsections. Colloquially it is also known as the Hacker Paragraph. Literally it says:
(1) Whoever prepares an offense under § 202a (spying out of data) or § 202b (interception of data) by producing, obtaining for himself or another person, selling, giving to another person, distributing, or otherwise making accessible
1. passwords or other security codes that allow access to data, or
2. computer programs whose purpose is the commission of such an act,
shall be punished with imprisonment for not more than two years or with a fine.
Source: § 202c Preparing to spy on and intercept data
From a naive world view in which there is only the evil side, i.e. black hat hackers, the wording of the law may sound reasonable. But as we noted at the beginning of this post, white hat hackers, that is, hackers with good intentions, are essential to the industry and to the security of our society as a whole. And we as white hats need legal leeway to develop attack tools that use the same techniques as our counterparts’ tools.
Well meant, badly done
After the section was introduced in 2007, the then Minister of Justice Zypries had to face fierce criticism for this reason. According to the Federal Constitutional Court, in the development of dual-use tools, i.e. tools that can be used for both good and evil, the "purpose to commit a crime" is not given.
In the course of my research, I have not been able to find a single case since 2007 in which there has been a conviction on this basis. As a logically thinking person, one asks oneself why the paragraph still exists in this form.
The last subsection in the bunch is, unsurprisingly, § 202d, data theft. It basically only states that I am not allowed to pass on illegally obtained data for my own enrichment or to harm another person.
(1) Whoever procures, gives to another, disseminates or otherwise makes accessible data which is not generally accessible and which another has obtained by an unlawful act, in order to enrich himself or a third party or to harm another, shall be punished with imprisonment for not more than three years or with a fine.
Source: § 202d Data theft
In the past, for example, we have seen several times how cybercriminals first shorted large amounts of a company’s shares. This means that they are more or less betting that the company’s stock market value will fall in the near future. To speed things up a bit, stolen data incriminating the company was then leaked. Colloquially this is also known as stock doxxing.
No punishment where there is no plaintiff
All of the paragraphs mentioned are offenses prosecuted only on application. That is, only if the injured party actually files a request for prosecution will an official investigation even be initiated. For spying out of data and data theft, however, the public prosecutor’s office can determine a special public interest and initiate criminal prosecution even without a complaint by the aggrieved party.
Data alteration & computer sabotage
Finally, I would like to briefly touch on §§ 303a and 303b. The first of these concerns unauthorized data alteration.
(1) Whoever unlawfully deletes, suppresses, renders unusable or alters data (§ 202a para. 2) shall be punished with imprisonment for not more than two years or with a fine.
Source: § 303a Data alteration
One of the most well-known examples of this is probably the massive spread of encryption Trojans. Such malware encrypts the victim’s entire hard drive and then demands a ransom to restore the data. Since even the attempt at data alteration is punishable, sending an infected PDF or Word file by e-mail is already sufficient.
§ 303b is quite detailed. It is all about computer sabotage. In summary, it states that it is a punishable offence to disrupt the smooth operation of another person’s computer, whether through the aforementioned data alteration or, for example, through denial-of-service attacks.
Basically, the legal texts of German criminal law make no distinction between good and evil hackers. Whether hacking is actually illegal always depends heavily on the context and the intention of the hacker in question. In an international comparison, however, Germany is relatively liberal and does not deal with hackers quite as harshly as is the case in other countries.
Your own laboratory
On the one hand, you can set up your own little hacking lab. Nowadays, you don’t need a fat wallet to do this either. Often, just a few virtual machines on your own computer are enough. There are also providers that offer complete practice environments with matching educational material and tasks. An excellent example of this would be Pentesterlab.com.
On the other hand, there are regular so-called Capture-the-Flag competitions, where you can compete against other hackers either alone or as a team. Either you have to solve various puzzles, which is referred to as a Jeopardy CTF, or you actually attack each other, which would be an Attack & Defence CTF.
From hobby to profession
If you don’t just want to hack in your spare time, you can also make a living doing it legally. For example, you can work as an in-house penetration tester and check your employer’s own software and hardware for security vulnerabilities. Alternatively, you can work as an external IT security consultant. Then you will be hired by other companies to hack into their systems and find vulnerabilities in them. There are many other possibilities, and the demand for professional hackers is growing from year to year.
In summary, you can also ethically, morally, and completely legally live, learn, and maybe even earn a living as a hacker in Germany. If you want to know more about this topic, feel free to contact me. Happy hacking!