Manipulation through participation: Social engineering as a security risk in the open-source context


Open-source components are pillars of digital infrastructure and are therefore a central topic in the debate on digital sovereignty. As fundamental infrastructure components, their security is crucial. Open-source projects have at least one special condition in terms of their security: their collaborative development is a strength on the one hand, but on the other hand it can be exploited as a target for social engineering attacks. For our latest report, we looked at measures to reduce the risk of social engineering attacks and the associated challenges for FOSS.

Social engineering as an attack pattern

Social engineering is an increasingly used method of attacking digital infrastructure. Instead of exploiting technical vulnerabilities, attackers exploit human characteristics by deceiving people in order to gain access to information or systems. Phishing emails or calls from supposed grandchildren are examples of social engineering in the private sphere. This practice is increasingly occurring in collaborative software development on platforms such as GitHub, GitLab and Codeberg. Attackers attempt to gain access to projects through lengthy and complex deception manoeuvres in order to commit malicious code to them. Since the 2024 attack on xz-utils, a central FOSS library, this topic has been on the security agenda for open-source infrastructure. Our latest focus report therefore deals with approaches to handling social engineering attacks and the challenges they pose. You can find the full report (in German) here.

Measures to protect against social-engineering attacks

For the report, we compiled countermeasures at various levels. At the project level, the focus is on clear structures, transparency and technical security measures such as access controls and code signing, complemented by the security-oriented design of software development platforms. At the policy level, legislation, capacity building and support programmes play a central role in securing FOSS infrastructure.

Voices from the community

In order to place these measures in the context of the Prototype Fund and to incorporate voices from the FOSS community, we conducted interviews with maintainers of projects funded by the Prototype Fund and held a workshop at a Chaos Computer Club event.

In addition to technical measures, the participants highlighted social factors such as building trust through personal meetings, human fallibility and the different stakeholder groups along the software supply chain. At the same time, scarce resources and the need for stronger political and economic support were identified as key challenges.

Considerations for FOSS ecosystems

From various perspectives, it is clear that social engineering attacks take place in a complex, heterogeneous and, above all, social FOSS ecosystem. While many measures follow a formalised and procedural approach, the interviews and workshops in particular make clear that security measures are most promising when they take into account the social nature of the FOSS ecosystem and the needs of contributors. Furthermore, a healthy ecosystem also increases the resilience of the projects that originate within it. Face-to-face events, for example, can help build personal trust between contributors and maintainers. Finally, the already central issue of financing FOSS is exacerbated by attackers who are structurally advantaged and often better funded than the projects they target.

Following high-profile attacks and the resulting increase in awareness of social engineering attacks, some actors have begun to take countermeasures. However, since social engineering attacks target the collaborative core of FOSS projects, dealing with this threat is a balancing act between openness and security. This requires a high level of sensitivity to the specific characteristics of FOSS projects, sufficient resources, and sufficient awareness and political will to secure digital open-source infrastructure.

Focus report (in German)