Student Gets A Suspended 15-Month Prison Sentence For Finding Flaws In Police Communications Protocol

Sometimes it just does not pay to be an ethical hacker, as a student from Slovenia found out the hard way. Not only did the authorities not reward him, he was also given a prison sentence, adding insult to injury.

A 26-year-old student at the Faculty of Criminal Justice and Security in Maribor, Slovenia, this week received a suspended jail sentence of 15 months, and will not go to jail if he does not repeat his crime within the next three years.

According to local news site Pod Crto, Dejan Ornig had found security flaws in the state-developed TETRA encrypted communications protocol, which he later disclosed to the public.

TETRA is used by Slovenian police, and also by some parts of the military, the Slovenian Intelligence and Security Agency (SOVA), the prison administration, and even some entities in financial administration departments.

In 2012, Ornig, along with 25 other faculty colleagues, started examining TETRA as part of a school project. By September 2013, he had found that Slovenian authorities had misconfigured the TETRA protocol.

He discovered that the protocol, which was meant to encrypt sensitive communications, was transmitting sensitive data unencrypted over the Internet around 70 percent of the time.

Ornig reported his findings to the police, following responsible disclosure practice. However, when the authorities took no action on his claims, he decided to make his findings public in March 2015.

While officials made changes to address TETRA’s encryption issues, they accused Ornig of trying to hack their network on three separate occasions, in February, March and December 2014.

In April 2015, a month after he made his findings public, the authorities searched his house. Besides seizing Ornig’s computer and a $25 custom device with which he was able to interrupt TETRA communications, officers also found a fake police badge and charged him with impersonating a police officer.

Further, after examining his hard drive, police filed a third charge against him for illegally recording his former employer. The recordings revealed Ornig’s former boss speaking to him rudely, calling him “stupid” and using other expletives.

However, in spite of Ornig’s cooperation with the authorities and his good intentions, police claimed that Ornig should have obtained official permission to perform his research, which they stated hindered the normal operation of some of their radio stations.

As said above, it does not always pay to be a Good Samaritan!