A student reported a vulnerability in a police communications protocol. Received 15 months conditionally

No good deed should go unpunished.

A student of the Faculty of Criminal Justice and Security from Maribor (Slovenia) was found guilty and sentenced to 15 months of imprisonment with a probation period of three years. If the guy repeats his actions for three years, then go to jail.



The 26-year-old Dejan Ornig’s fault lies in the fact that he discovered and publicly reported a vulnerability in the TETRA radio encryption protocol. The protocol is used by the police, some units of the army, the intelligence and security service of the Slovenian Intelligence and Security Agency (SOVA), the Department for the Execution of Sentences (that is, the prison administrations and wardens), and some departments in the Ministry of Finance.



As the investigation found out, the future criminal started searching for vulnerabilities in TETRA as early as 2012, completing a student project with 25 classmates. By September 2013, he found that the Slovenian government services had installed the wrong protocol configuration.

')

Due to improper configuration, TETRA encrypted messages were decrypted in 70% of cases.



Seeing such negligence, the student immediately informed the police. The authorities did not respond. More than a year later, in March 2015, Dejan Ornig decided to post information on the Internet, and it quickly spread .





^{Dejan Ornig}



In this case, the authorities reacted immediately. They not only changed the protocol configuration, but also brought a criminal case to the student. He was accused of three attempts of unauthorized entry into the TETRA network in February, March and December 2014.



In April 2015, Dejan’s apartment was searched, a laptop and home-made equipment worth $ 25 were confiscated, with which the student listened to police communications (pictured).







The police also found a fake police ID in the apartment, after which she made the second accusation: Ornig illegally posing as a police officer.



After analyzing the hard disk, the PC launched a third accusation of illegally recording conversations. In the recorded conversation between Ornig and his former boss, he used offensive language, called the interlocutor “stupid” and other more offensive words.



Although Dejan clearly demonstrated a desire to cooperate with law enforcement agencies and immediately informed the police about the vulnerability, this did not save him from a conviction. As they say, no good deed should go unpunished.