Legal Framework
Important
This section provides orientation and does not replace legal advice. When in doubt, consult a lawyer specializing in IT law.
German Criminal Code (StGB)
§202a - Data Espionage
Anyone who unlawfully obtains access to data that is not intended
for them and is specially protected against unauthorized access,
by overcoming the access protection, shall be punished with
imprisonment for up to three years or a fine.
BLE Relevance:
- "Specially protected": Encryption, Pairing, Authentication
- "Overcoming": Actively bypassing security mechanisms
- Passive sniffing of unencrypted advertising packets: Grey area
- Intercepting encrypted connections with LTK extraction: Problematic
§202b - Interception of Data
Anyone who unlawfully intercepts data not intended for them from a
non-public data transmission using technical means shall be punished
with imprisonment for up to two years or a fine.
§202c - "Hacker Paragraph"
Anyone who prepares an offense under § 202a or § 202b by producing,
acquiring, selling, or making available passwords, security codes, or
computer programs whose purpose is the commission of such an offense,
shall be punished with imprisonment for up to two years or a fine.
BLE Relevance:
- Dual-use tools (Wireshark, nRF Sniffer): Not covered
- Purpose and intent decisive (BVerfG 2009)
- Security research with legitimate intent: Permitted
Planned Legal Reform (November 2024)
The German Federal Ministry of Justice published a draft law for modernizing computer criminal law on November 4, 2024.
New §202a Para. 3 StGB-E (Safe Harbor)
The act is not unlawful if it is performed to identify a
vulnerability or other security risk of an information technology
system, and the person intends to inform the responsible party.
Requirements for Safe Harbor:
- ✓ Goal: Identification of a security vulnerability
- ✓ Intent: Notification to the responsible party
- ✓ Proportionality: Only the technical measures that are necessary
Status
As of November 2025: The draft law has not yet entered into force. Current legislation remains applicable.
GDPR Aspects
Personal Data in BLE
| Data Type | Personal Reference | Example |
|---|---|---|
| MAC Address | Yes (indirect) | Tracking possible |
| Device Name | Possible | "John's iPhone" |
| Health Data | Yes (Art. 9) | Weight, Heart Rate |
| Location | Yes | BLE Beacons |
Legal Basis for Security Research
Art. 6(1)(f) GDPR - Legitimate Interest
├── Interest: IT security research
├── Balancing: Security vs. Privacy
└── Measures: Pseudonymization, Minimization
Art. 89 GDPR / §27 BDSG - Research Exception
├── Scientific research
├── Technical-organizational measures
└── Necessity of processing
EU Cyber Resilience Act (CRA)
Regulation (EU) 2024/2847 entered into force on December 10, 2024.
Timeline
Relevant Articles for Security Researchers
Recital 80:
Manufacturers should encourage security researchers and not take retaliatory measures.
Article 13 (Vulnerability Handling):
- Manufacturers must establish a CVD process
- Report actively exploited vulnerabilities to the CSIRT: within 24 hours
- Free security updates: for at least 5 years
Best Practices for Legal Security Research
✓ Permitted
✓ Analysis of own devices
✓ Passive scanning of public advertising packets
✓ Reverse engineering for interoperability
✓ Documentation and publication (after disclosure)
✓ Development of security tools (with legitimate intent)
⚠️ Grey Area
? Sniffing third-party connections (even unencrypted)
? Key extraction from third-party apps
? PoC development for third-party systems
✗ Prohibited
✗ Attacks on third-party devices without permission
✗ Extraction of access credentials
✗ Denial-of-Service attacks
✗ Distribution of exploits without disclosure
Responsible Disclosure
BSI as Coordinator
The BSI offers a Coordinated Vulnerability Disclosure (CVD) process:
📧 Contact: [email protected]
Standard Timeline
Timeline Variants
| Organization | Standard Deadline | Extension |
|---|---|---|
| Google Project Zero | 90 days | +14 days if actively patching |
| ZDI | 120 days | By agreement |
| CERT/CC | 45 days | By agreement |
| BSI | Flexible | By arrangement |
Summary
- Own devices: Largely permitted
- Third-party devices: Only with permission
- Disclosure: Always responsible!
- When in doubt: Seek legal advice