Many IT security incidents and technical mishaps in data protection are caused by IT security vulnerabilities: errors in software, hardware or information technology processes through which attackers can penetrate technical systems. IT security vulnerabilities can have a variety of causes, ranging from errors in design to software errors in implementation.
Errors in the design relate, for example, to the use of weak cryptographic procedures. In the past, for example, some manufacturers used weak ciphers instead of known and standardized ones. Protection mechanisms are also often missing altogether if a threat was overlooked during system design.
However, most IT security incidents are caused by errors in the implementation of software. It is estimated that there is one program error for every 1,000 lines of code, and significantly more errors can occur if the software quality is poor. Some software errors can be deliberately used by attackers to introduce malware such as viruses or Trojans that “remote control” the affected computer, divert data or completely prevent access to data (for example, in the case of encryption Trojans that encrypt all data on a computer and only allow access again after payment of a ransom). According to a report by the German Federal Office for Information Security [1], an average of 2,000 software vulnerabilities were identified every month in 2023.
The best-known class of software errors is buffer overflow, where an attacker introduces data into a system that is longer than expected. This unintentionally overwrites memory areas in the computer. If the injected data contains code that is later executed, an attacker can inject arbitrary code into a system [2].
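As an added illustration (not code from the source text): a fixed-size record in C, filled once with an unchecked copy of the kind the text describes and once with an explicit length check that rejects oversized input. The struct, its field names and the sample input are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed example record: a fixed-size name buffer followed in memory
   by a flag that controls privileges. */
struct record {
    char name[16];   /* room for 15 characters plus the terminating NUL */
    int  is_admin;   /* sits directly behind the buffer */
};

/* Vulnerable form: strcpy copies until it finds a NUL byte and never looks
   at the destination size. Input longer than 15 characters runs past name[]
   and overwrites whatever follows it (here is_admin), which is the buffer
   overflow the text describes. Kept only for comparison with the safe form
   below; it must never see untrusted input. */
void store_name_unsafe(struct record *r, const char *input)
{
    strcpy(r->name, input);
}

/* Hardened form: measure the input first, reject anything that does not fit
   including the NUL terminator, then copy with an explicit bound so the
   buffer cannot be exceeded. Returns 0 on success, -1 if input was rejected. */
int store_name_safe(struct record *r, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof r->name)   /* no room left for the terminating NUL */
        return -1;
    memcpy(r->name, input, len);
    r->name[len] = '\0';
    return 0;
}

int main(void)
{
    struct record r = { "", 0 };
    /* Constructed input: 20 characters, longer than the 16-byte buffer. */
    const char *too_long = "AAAAAAAAAAAAAAAAAAAA";
    if (store_name_safe(&r, too_long) != 0)
        printf("rejected oversized input; is_admin still %d\n", r.is_admin);
    if (store_name_safe(&r, "alice") == 0)
        printf("stored \"%s\"\n", r.name);
    return 0;
}
```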
Bugs in software that do not noticeably impair functionality can remain undetected for a long time before they become public knowledge. Bugs that only become known when they are used in an attack are called zero days.
The responsible disclosure approach has proven to be practicable when dealing with security-relevant errors: if such a bug is discovered, the manufacturer is contacted immediately to give them the opportunity to fix the bug before it is exploited by attackers. After a reasonable period of time (ideally, the bug should already have been closed by the manufacturer by this time), the bug is made public. This allows the interests of the manufacturer in closing the vulnerability to be weighed against the interests of the public in recognizing errors in their own infrastructure at an early stage and initiating appropriate countermeasures. Responsible disclosure also forces manufacturers to act promptly and thus increases the level of security. Large manufacturers often operate their own bug bounty programs, which financially reward reports of previously unknown errors in their own software.
Comparability with analog phenomena
IT security vulnerabilities are an inherently digital phenomenon that has hardly any equivalent in the analog world. Vulnerabilities can best be compared to faults in products that only become known after the product has been sold.
While serious product errors occur comparatively rarely in the analog world, it can be assumed that security vulnerabilities are present in all software products and remain undetected for years. The ubiquitous availability of commercial standard software means that attackers can easily analyze it and exploit any vulnerabilities found. Suitable processes for identifying and eliminating security vulnerabilities must therefore be introduced by every manufacturer and commercial user.
Social relevance
Many IT security attacks and data leaks can be traced back to IT security vulnerabilities. The ability to eliminate software errors through appropriate updates is therefore essential for all digital products. It is largely unclear what update capability a product must provide, whether updates can be installed against the will of the user and how to proceed if the manufacturer no longer provides updates [3].
Dealing with security vulnerabilities is also socially relevant. Law enforcement agencies and government services use them to penetrate IT systems and thus enable the surveillance of suspects’ end devices (state Trojans). However, this requires security vulnerabilities that remain hidden from the general public for a long time in order to be able to use the developed surveillance software for as long as possible. This approach contradicts responsible disclosure and the requirement to secure IT systems in the best possible way, as the security vulnerabilities used can be found independently by third parties and used for attacks despite being kept secret. Keeping security vulnerabilities secret therefore generally leads to a weakening of the security level.
Sources
- [1] BSI (2023). Die Lage der IT-Sicherheit in Deutschland. Bundesamt für Sicherheit in der Informationstechnik.
- [2] Erickson, J. (2004). Forbidden Code. Bonn.
- [3] Brenner, R. et al. (2024). Eine rechtliche Begriffsbildung von Updatefähigkeit als Konstruktionsanforderung. In: Recht Digital, 252–264.