A student from the University of Maribor in Slovenia has ended up with a prison sentence after finding cryptographic flaws in the country’s deployment of its secure radio communications system, which uses the TETRA standard.
TETRA is short for Terrestrial Trunked Radio, a radio communications protocol that is widely used around the world, notably by law enforcement and emergency services.
Trunked radio needs fewer base stations and has a longer range than mobile phone networks, which helps in remote areas; and it supports both point-to-point and broadcast communications, desirable when co-ordinating law enforcement or rescue efforts.
Although the protocol supports encryption, the just-convicted student, Dejan Ornig (26), is said to have discovered that Slovenia’s TETRA deployment frequently carried communications without encryption switched on, clearly an unintended situation with dangerous consequences.
The charges
Actually, and as usual in stories of this sort, there’s a bit more to the case than that.
Ornig, it seems, was charged not for his findings but for hacking into TETRA on three occasions during 2014, apparently out of dissatisfaction that his original report hadn’t been acted upon.
He eventually went public with his findings in March 2015, presumably hoping to force the hand of the operators of the TETRA network to act.
The history of vulnerability research is littered with outcomes of this sort: you start with responsible disclosure; you lose faith when nothing is done; you do a bit of hacking of your own, knowing it’s illegal (and possibly dangerous, because you might break something along the way), but figuring it’s a good way to prove your point; and in the end you spill the beans to the whole world in an attempt to get things fixed by revolution when security evolution has failed.
Ironically, given that Ornig was a student in the Faculty of Criminal Justice and Security, there was one lesson he didn’t learn, even though he could have picked it up from popular music:
I fought the law and the law won.
Fortunately, Ornig’s 15-month sentence was suspended, so he won’t actually have to go to prison if he keeps his nose clean.
What to do?
- If you’re on the receiving end of a responsibly-disclosed vulnerability report, do your best to keep in touch with the reporter and to provide a date by which you intend to fix the problem, assuming it’s real and repeatable.
- If you’ve reported a vulnerability responsibly, don’t slide back into irresponsibility or illegality if you fail to get the attention you think you deserve.
- If you’re implementing a security solution such as encryption, make sure that it’s actually configured and operating correctly. If you don’t check for yourself, someone else will check for you.
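The third point above is the one with a concrete technical check behind it: a network can support encryption (as TETRA does) and still run most of its traffic in clear if encryption is never enabled per talkgroup or per radio. The following is an added example, not code from the article or from any TETRA operator, of the kind of audit a network owner could run over their own call logs to catch exactly that gap. It assumes a hypothetical log format (one line per call, with an `enc=0|1` flag), and the sample log lines are constructed, not real captured traffic:

```python
"""Audit whether encryption is actually in use on a trunked-radio network.

Added example (not from the article). Assumes a hypothetical call log with
one line per call:

    <timestamp> tg=<talkgroup> enc=<0|1> dur=<seconds>

The idea: "the system supports encryption" proves nothing; count how often
each sensitive talkgroup actually went over the air in clear.
"""
import re
from collections import defaultdict

# Hypothetical line format; real logs will differ.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+tg=(?P<tg>\d+)\s+enc=(?P<enc>[01])\s+dur=(?P<dur>\d+)$"
)

# Constructed sample, including one noise line the parser must tolerate.
SAMPLE_LOG = """\
2014-03-01T10:02:11Z tg=101 enc=1 dur=12
2014-03-01T10:03:40Z tg=101 enc=1 dur=8
2014-03-01T10:05:02Z tg=101 enc=0 dur=15
2014-03-01T10:06:19Z tg=202 enc=0 dur=20
2014-03-01T10:07:55Z tg=202 enc=0 dur=5
2014-03-01T10:09:30Z tg=303 enc=1 dur=9
2014-03-01T10:11:03Z tg=303 enc=1 dur=11
garbage line that should be skipped
"""


def parse_log(text):
    """Return a list of call records; unparseable lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append({
            "ts": m["ts"],
            "tg": int(m["tg"]),
            "enc": m["enc"] == "1",
            "dur": int(m["dur"]),
        })
    return records


def per_talkgroup(records):
    """Aggregate call counts and clear-text exposure per talkgroup."""
    stats = defaultdict(lambda: {"calls": 0, "clear_calls": 0, "clear_seconds": 0})
    for r in records:
        s = stats[r["tg"]]
        s["calls"] += 1
        if not r["enc"]:
            s["clear_calls"] += 1
            s["clear_seconds"] += r["dur"]
    return dict(stats)


def audit(records, sensitive_tgs, max_clear_ratio=0.0):
    """Flag sensitive talkgroups whose clear-call ratio exceeds the policy.

    Returns (talkgroup, finding, clear_ratio) tuples, sorted by talkgroup.
    Findings:
      never-encrypted : every logged call was in clear
      mixed           : some calls encrypted, some not (typically a subset of
                        radios or sites not configured for encryption)
      no-traffic      : nothing logged, so encryption cannot be confirmed
    Default policy is zero tolerance: one clear call on a sensitive
    talkgroup is a finding.
    """
    findings = []
    stats = per_talkgroup(records)
    for tg in sorted(sensitive_tgs):
        s = stats.get(tg)
        if s is None:
            findings.append((tg, "no-traffic", 0.0))
            continue
        ratio = s["clear_calls"] / s["calls"]
        if ratio > max_clear_ratio:
            kind = "never-encrypted" if s["clear_calls"] == s["calls"] else "mixed"
            findings.append((tg, kind, ratio))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for tg, kind, ratio in audit(recs, sensitive_tgs={101, 202, 303, 404}):
        print(f"talkgroup {tg}: {kind} ({ratio:.0%} of calls in clear)")
```

The distinction between "never-encrypted" and "mixed" is the useful part: a talkgroup that is never encrypted is a configuration that was simply not applied, while a mixed talkgroup means encryption is working for some endpoints and not others, and the clear calls are the ones an eavesdropper gets for free. The "no-traffic" finding is deliberate too: absence of evidence is not evidence that encryption is on.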
The best advice is to stop believing that the law and government matter or are on the sheeple’s side. Trust nothing coming from that part of our society.
Not even if you live in a country where there is a reasonable sense of law and order, largely uncorrupt law enforcement, satisfactory social welfare, a functioning national health service, safe drinking water, and toilets that flush when asked? Trust *nothing*?
Well, two sides here failed to act responsibly. Notice that only one, however, wound up being prosecuted.
I do empathize a bit with the ‘trust nothing’ crowd, because anecdotal evidence of abused trust is numerous, varied, and consistent.
That being said, you can’t force others to be responsible; if they ignore your warning, on their own heads be it. Don’t make the mistake of deciding you are the arbiter of all that is Right & Good in the world, because the powers that be most certainly will NOT agree, and the only one you’ll ‘punish’ in the end is yourself. Even in Slovenia.
I don’t trust my toilet. It eats poop for a living.
State is a religion. That’s why you have so many downvotes. Hey, take the upvote from me.
Does anyone ever notice that these cases almost always involve someone under the age of 30? It’s really important for the younger generation to get the message that YES you are useful by pointing out system flaws if found… but NO you can’t take things into your own hands if you don’t like the response you get upon submitting your report. If you’re ignored, submit another report, or make another phone call up the chain of command. Rinse and repeat. Eventually someone will get back to you. Otherwise if you breach a system (i.e. break the law) then you need to expect punishment and not praise. I’m not saying it’s right, it’s just the way it is, and no matter how good your intentions are the government will not see you as harmless. My advice for the younger generation is to keep yourself out of jail and just contact the next supervisor up, as opposed to force-creating the breach that you’re trying to warn them about. It never ends well for the guy doing the breaching.
“Trust nothing?” Umm. Yes. The United States arguably meets your requirements but recently breaking news shows that the NSA buried and destroyed evidence reported by a whistleblower who preceded Snowden and destroyed his career. I’m 70 years old and I’m becoming as disillusioned as a kid learning there’s no Santa Claus.
Some years ago I accidentally discovered how to lock every online user out of a major UK bank. I phoned them, I wrote to them. To paraphrase their reply – “don’t worry your pretty little head about it”. Only after 14 months when I had escalated it to the banking ombudsman did they contact me and own up to the flaw and tell me that they were fixing it. It was the best part of another year before they did fix it.
On another occasion, a change to their systems meant that under some circumstances it was possible for confidential data to be exposed. Because I stumbled upon it through an external service they used as part of a benefits package, they insisted it was not a flaw. This was despite the fact I could talk the guy through it on his own internal system to replicate it without ever leaving the bank’s systems.
So I fully understand this student’s outrage that when you tell them responsibly, they do FA about it.
That was some good advice at the end of your article. Very interesting, thanks.
I can’t blame him for being disillusioned (or TonyG for that matter…a good motivation to switch financial institutions). Unfortunately yes… he learned the hard way just like The Clash.
“If you don’t check for yourself, someone else will check for you.”
You’re undermining your own point, Duck! I don’t need to concern myself now with securing my [enter resource name here]… I’ve got free beta testing available 24/7 from all over the interwebs.
another rule: If you’re on the receiving end of a security vulnerability report, DO NOT TAKE LEGAL ACTION.
That wasn’t quite what happened here, as far as I can tell. There was no “taking legal action” (in the sense of being sued in a civil case). He reported a problem. Nothing happened.
He hacked the system three times. That provoked a criminal case that would surely have happened anyway, whether he’d submitted an earlier report or not.
Reporting a fault in something doesn’t give you eternal immunity from criminal responsibility for later abusing that fault. If you let someone know they left their keys in the car that doesn’t mean you are allowed to take it for a joyride without consequence…