Tetra police radios
A cybersecurity researcher in Slovenia has received a suspended jail sentence for helping to uncover security vulnerabilities exposing sensitive military and police radio communications Sepura

A cybersecurity researcher in Slovenia has received a suspended jail sentence of 15 months for publicly disclosing security flaws in a police-encrypted communications protocol after Slovenian police took no action to fix the problems.

Dejan Ornig, 26, was a student at the University of Maribor's Faculty of Criminal Justice and Security in 2012 when he and 25 other students were asked to analyse network vulnerabilities in Terrestrial Trunked Radio (Tetra), which is an ETSI standard for mobile radios and two-way transceivers specifically designed to secure sensitive communications for public safety networks, emergency services and the military.

While working on the project, Ornig discovered that the Slovenian authorities had incorrectly configured the Tetra protocol, meaning that unencrypted sensitive military and police data was being sent over the internet about 70% of the time that was available for anyone to intercept.

He contacted the police to inform them about the security flaws he had found, but the police took no action despite repeated attempts to inform them of the problem.

Eventually in February 2015 he decided to go public with his research and contacted online investigative newspaper Podcrto.si. The newspaper also tried to contact the Slovenian Ministry of Defence in the same month, but its public relations department did not respond when given evidence that military communications were not being protected.

Charged for trying to highlight an important problem

So eventually Podcrto.si went live with the story on 14 March 2015, and in April Slovenian police finally released a press release addressing the claims in the article, downplaying the security flaws. They also decided to raid Ornig's home in April, seizing his computer and a €20 device that Ornig had used to passively intercept Tetra traffic data as it passed between the mobile radios and the Tetra base stations.

The police apparently did fix the security flaws in their Tetra network, but according to subsequent Podcrto.si coverage, they also charged Ornig with trying to hack their network on three different occasions in February, March and December 2014.

In addition, the police found a fake police badge at Ornig's home, so they decided to accuse him of impersonating a police officer, and they also added on another charge from looking at data on his computer hard drive.

In 2014, Ornig had been working with G4S Security Service. He claims that his former supervisor was trying to get him fired so he recorded a conversation where his supervisor was heard insulting Ornig and calling him an "idiot", as well as other Slovene insults. The police decided that Ornig should be charged for illegally recording his former employer.

And now Podcrto.si says that as a reward for Ornig's help in pointing out serious security vulnerabilities, instead of being thanked, he has now been handed a-15 month suspended jail sentence. The district court of Ljubljana criticised him for illegally accessing the Tetra network in 2014, and to avoid going to jail, Ornig must make sure he does not repeat the alleged crimes within the next three years.