Tagged: law

Slovenian whistleblower who was convicted for reporting a flaw in Police TETRA with an RTL-SDR requests donations

Back in May 2016 we posted about Dejan Ornig, a then 26 year old student at the University of Maribor's Faculty of Criminal Justice, Slovenia who was almost imprisoned for using an RTL-SDR and finding a security flaw in Police TETRA communications. Dejan's story was one of the first of several stories we presented over the years involving a person getting into legal or political trouble from the use of SDRs like the RTL-SDR in more authoritarian countries.

TETRA is a RF digital voice and text communications protocol often used by authorities in European and other countries due to its ability to be secured via encryption. By using an RTL-SDR and an open source TETRA decoder, Dejan discovered that despite official documents specifying that all Police TETRA terminals must be authenticated (we assume this refers to encryption), none actually were.

Dejan went ahead and ethically reported his findings to the Slovenian authorities, working together with Police officers to disclose all his findings. However, in the end no action was taken, and Dejan took his findings to the press. It was then that Dejan was prosecuted by Slovenian Police, his house raided, and he discovered that Police had been collecting evidence against him for more than a year.

To complicate matters further it appears that Dejan also worked as an intelligence informant for the Police and was illegally instructed and helped by two Police detectives to hack into e-mails, Facebook profiles and other online communications of people deemed suspicious.

After seven years of court hearings, his case on the TETRA hack ended in 2022 with Dejan subjected to a seven month suspended prison sentence . Although suspension means that Dejan will not physically reside in jail, his record still records him as a criminal.

The criminal trial and conviction has led to Dejan having problems securing a job and moving forward with his life. He is currently asking for donations online in order to help get his life back on track. Dejan's full story can be read at the funding site. Alternatively you can donate via PayPal.

NOTE: As donation requests can often be scams, we have independently verified that it is indeed Dejan Ornig who submitted this story to us, and that the donation site and PayPal link is legitimate.

NOTE 2: In the past we have had issues moderating comments with stories involving transgender and female contributors. Dejan's story contains info about his sexual orientation and we will not accept derogatory comments on this site regarding this. If desired, please discuss the technical and legal nature of Dejan's situation, any other comments will be removed.

TETRA Decoding (with telive on Linux)
An Example TETRA decoding setup

Slovenian University Student & Security Researcher Almost Jailed for Researching TETRA with an RTL-SDR

Dejan Ornig, a 26 year old student at the University of Maribor’s Faculty of Criminal Justice and Security was recently almost jailed for finding a security flaw in Police TETRA communications in his home country of Slovenia. Back in 2013 his University Computer Science class of 25 was assigned a task to research security vulnerabilities in TETRA. TETRA is a RF digital communications protocol often used by authorities due to its ability to be secured via encryption. During his research he used an RTL-SDR and the open source Osmocom TETRA decoder, and discovered a flaw in the Slovenian Police’s TETRA configuration which meant that encrypted communications were often being broadcast in the clear. Translated, Ornig said:

For $20 I bought a DVB-T receiver (RTL-SDR), on the Internet, I have found also freely available and open-source software OsmoCOM. Free access solution for decoding the signal Tetra eighth-tetra is already prepared in advance programming framework based on the platform GNU.

He goes on to say (translated):

I was even more surprised when I found that most users do not have authentication turned on the radio terminal, even though the Ministry of the Interior in the documents and tenders repeatedly wrote to all the radio terminals to access networks using authentication.

Shortly after discovering the flaw, Dejan privately contacted the authorities with his findings. But after two years of repeatedly contacting them and waiting for a fix, Dejan decided to take his story to a local news agency in February 2015. At this point the Slovenian Police became interested in Dejan, and instead of fixing the problem, decided to conduct a search on his house, seizing his computer and RTL-SDR. After the search the Police made life harder for Ornig by trying to lump on other problems. During the search they found a “counterfeit police badge” in his house and apparently accused him of impersonating a police officer, and after a search of his PC they also decided to charge him after finding out that he covertly recorded his ex-employer calling him an “idiot”.

Ornig has now been given a 15 month suspended jail sentence for attempting to “hack” the TETRA network. Fortunately the suspended part means that in order to not go to jail Ornig simply must not repeat his crime again within 3 years. While SDR’s and radios are not illegal in most countries this is a reminder to professional and amateur security researchers to check that what you are doing is legal in your country. Even if it is for the overall good, Police often do not have the technical competence to understand security researchers and may react illogically to findings. The good news about Ornig’s story is that apart from the suspended jail sentence the authorities appear to have now worked with him to fix the problems.

TETRA Decoding
TETRA Decoding

Story Sources:
[http://www.ibtimes.co.uk/researcher-jailed-finding-security-flaws-police-communications-1561600]
[http://siol.net/novice/slovenija/kako-za-20-evrov-prisluskovati-slovenskim-varnostnim-organom-video-44923]
[https://podcrto.si/odziv-na-trditve-policije-glede-varnosti-komunikacijskega-sistema-tetra]