A student from the University of Maribor in Slovenia has ended up with a prison sentence after finding cryptographic flaws in the country’s implementation of its secure communications system, known as TETRA.
TETRA is short for Terrestrial Trunked Radio, a radio communications protocol that is widely used around the world, notably by law enforcement and emergency services.
Trunked radio needs fewer base stations and has a longer range than mobile phone networks, which helps in remote areas; and it supports both point-to-point and broadcast communications, desirable when co-ordinating law enforcement or rescue efforts.
Although the protocol supports encryption, the just-convicted student, Dejan Ornig (26), is said to have discovered that Slovenia’s TETRA implementation frequently didn’t encrypt communications, clearly an unintended situation with dangerous consequences.
Actually, and as usual in stories of this sort, there’s a bit more to the case than that.
Ornig, it seems, was charged not for his findings but for hacking into TETRA on three occasions during 2014, apparently out of dissatisfaction that his original report hadn’t been acted upon.
He eventually went public with his findings in March 2015, presumably hoping to force the hand of the operators of the TETRA network to act.
The history of vulnerability research is littered with outcomes of this sort: you start with responsible disclosure; you lose faith when nothing is done; you do a bit of hacking of your own, knowing it’s illegal (and possibly dangerous, because you might break something along the way), but figuring it’s a good way to prove your point; and in the end you spill the beans to the whole world in an attempt to get things fixed by revolution when security evolution has failed.
Ironically, given that Ornig was a student in the Faculty of Criminal Justice and Security, there was one lesson he didn’t learn, even though he could have picked it up from popular music:
I fought the law and the law won.
Fortunately, Ornig’s 15-month sentence was suspended, so he won’t actually have to go to prison if he keeps his nose clean.
What to do?
- If you’re on the receiving end of a responsibly-disclosed vulnerability report, do your best to keep in touch with the reporter and to provide a date by which you intend to fix the problem, assuming it’s real and repeatable.
- If you’ve reported a vulnerability responsibly, don’t slide back into irresponsibility or illegality if you fail to get the attention you think you deserve.
- If you’re implementing a security solution such as encryption, make sure that it’s actually configured and operating correctly. If you don’t check for yourself, someone else will check for you.