On 9th February 2018, the CISPA building at Saarland University hosted an information event on "the beA from an IT security perspective", organised by the professional body for lawyers in the Saarland (Rechtsanwaltskammer des Saarlandes).
As part of this event, Stefan Hessel and Frederik Möllers of the Institute of Legal Informatics (both of whom work for the juris Professorship of Legal Informatics and are Managing Directors of Defendo GbR) lectured on the question "How secure is the beA?"
On 27th December 2017, the national professional body for German lawyers (Bundesrechtsanwaltskammer, BRAK) announced in a press release (Nr. 15/2017) that the special electronic mailbox for lawyers (besonderes elektronisches Anwaltspostfach, beA) would not go online on 1st January 2018 as planned and that the beA web application would be taken off the net.
The reason was that a security certificate had been classed as insecure. A replacement certificate was to have been installed, but this too turned out to be insecure. In a press release (Nr. 04/2018) dated 26th January 2018, the BRAK pointed out that the beA Client Security software could offer a loophole for an external attack and should therefore be deactivated.
In their lecture, Stefan Hessel and Frederik Möllers used the beA architecture to explain how the sending of encrypted messages works, and highlighted where the security risks and the disputed security loopholes lie. In a live demonstration, they showed an attack on the beA key. They also dealt with other problems relating to the beA, such as the limitations on its use and the question of its further development.
You can find a summary of the lecture as a podcast (which is approximately 20 minutes long) here.