Convicted for finding TETRA network flaws

Wednesday, 25 May, 2016

In a bizarre case of trying to do the right thing but losing out instead, a Slovenian researcher has received a 15-month suspended prison sentence for publicly disclosing security flaws in the country’s police TETRA network — after being repeatedly ignored when he tried to inform them of the problem.

As reported by the International Business Times, Dejan Ornig, 26, was studying at the University of Maribor’s Faculty of Criminal Justice and Security in 2012 when he and other students were asked to analyse network vulnerabilities in Terrestrial Trunked Radio (TETRA). Ornig allegedly discovered that the Slovenian authorities had incorrectly configured the TETRA protocol, meaning that unencrypted sensitive military and police data was being sent over the internet and open to anyone to intercept. Upon his discovery, Ornig reportedly took the information to the police, on more than one occasion, but no action was taken by them.

No doubt believing this was an important national security issue, by February 2015 the cybersecurity researcher decided to hand the information over to a Slovenian newspaper, Podcrto.si. The newspaper also attempted to contact the Slovenian Ministry of Defence with evidence that military communications were not being protected, but received no follow-up.

Police go on the attack

After the story went public in April 2015, Slovenian police attempted to talk down the article’s claims and finally proceeded to fix their network’s vulnerabilities. That same month they also decided to raid Ornig’s home, confiscating his computer and a cheap device he had reportedly used to intercept traffic data as it passed between their radios and the TETRA base stations. Police then charged him with several counts of attempting to hack into their system.

To top matters off, they also allegedly accused him of impersonating a police officer (because they came across a fake police badge in his house) and charged him with illegally recording one of his former employers after finding a video on his computer. Ornig is believed to have done so because he thought his supervisor at the time was trying to get him fired — the video apparently does provide evidence of this person clearly insulting him.

According to other news reports from Podcrto.si, the district court of Ljubljana criticised Ornig for illegally accessing the TETRA network in 2014, and to avoid going to prison he must not repeat the alleged crimes over the next three years. Unfortunately for this good Samaritan, he will now always have a police record against his name.

Note to self: when uncovering a national security threat, try to do so anonymously.

Image credit: ©FreeImages.com/Kenn Kiser