Don't shoot the messenger: Teenager arrested for showing security flaw in Hungarian transport system

Teenager arrest incident highlights need for ethical hacking legal framework in Hungary.

About 500 people protested outside the Budapest Transit Authority on Monday 24 July over its decision to arrest a teenager for pointing out a mistake in its new electronic ticketing system (Index.hu)

Ethical hacking has become a key national issue in Hungary, after an embarrassing incident where a teenager who reported a serious security flaw in Budapest's public transport ticketing system was arrested. The police report was made by the Budapest Transit Authority and its partner T-Systems Hungary, who have since been forced to publicly apologise.

The 18-year-old, who has not been named in Hungarian media, was arrested in the middle of the night in early July after he found a security flaw in the newly-launched online ticket booking system on the official website of Budapest's public transport authority Budapesti Közlekedési Központ (BKK).

He discovered that if a user were to press F12 while on the website, the user could access the browser's developer tools mode, modify the webpage's source code and change the price of tickets to make them cheaper (first reported by Bleeping Computer).


Because the transport authority had not put in place any checks or balances to prevent users from doing this, the website would unwittingly accept the change and immediately issue a new, cheaper transport ticket.

To prove the flaw was possible, the young man tested it out and was able to buy a ticket that usually costs 9459 Hungarian Forints ($36.30, £27.75) for just 50 Hungarian forints ($0.13, £0.15).
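The flaw comes down to where the price is decided. The following is an added example, not code from BKK or T-Systems, that puts a checkout routine trusting the price sent by the browser beside one that takes the price from a server-side list. The function names, request shape, product ids and the second catalogue entry are constructed for illustration.

```javascript
// Constructed server-side price list in HUF. 9459 is the fare quoted in the
// article; the product ids and the second entry are hypothetical.
const CATALOGUE = new Map([
  ["monthly-pass", 9459],
  ["single-ticket", 350],
]);

// Flawed pattern: the amount charged is whatever the request body says,
// so a value edited in the browser's developer tools is accepted as-is.
function priceOrderTrustingClient(order) {
  return { ok: true, productId: order.productId, charged: order.price };
}

// Hardened pattern: the client names the product and quantity only.
// The price is looked up server-side; any client-sent price is ignored for
// billing and used solely to flag a mismatch for logging and review.
function priceOrderServerSide(order) {
  const listPrice = CATALOGUE.get(order.productId);
  if (listPrice === undefined) {
    return { ok: false, reason: "unknown-product" };
  }
  const qty = order.quantity;
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) {
    return { ok: false, reason: "bad-quantity" };
  }
  const tampered = order.price !== undefined && order.price !== listPrice;
  return {
    ok: true,
    productId: order.productId,
    charged: listPrice * qty,
    tampered,
  };
}

// Constructed request body with the edited price from the article.
const editedOrder = { productId: "monthly-pass", price: 50, quantity: 1 };
console.log(priceOrderTrustingClient(editedOrder)); // charged: 50
console.log(priceOrderServerSide(editedOrder));     // charged: 9459, tampered: true
```

The `tampered` flag gives operations a signal to log and review without changing what the customer is charged.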

What he did is known as "white-hat hacking" — a practice where software developers test operating systems and software repeatedly until they discover a security vulnerability that hasn't yet been patched. Tech giants now pay huge rewards to ethical hackers who can discover critical security flaws so that they can be fixed.

Arrested for pointing out a mistake

The young man reported the security problem directly to BKK and T-Systems, the company that developed the online ticketing system, but instead of thanking him, T-Systems called the police.

The young man was interrogated and his photograph and fingerprints were taken before he was permitted to go home, according to Hungarian news portal Index.

BKK then followed this up by holding a press conference on 18 July, according to popular Hungarian news site 24. BKK's chief executive Kálmán Dabóczi and Budapest's deputy mayor of urban development Balázs Szeneczey claimed that cyberattacks had been carried out against the BKK website and T-Systems for two days, but that the hacker had now been arrested.

Dabóczi emphasised the fact that its electronic ticketing system was still secure, and it was only the website that had experienced problems. BKK also said that 150 people had tried to illegally obtain tickets for free by trying to pretend to be BKK site administrators, and that they had all been arrested.


BKK's chief executive tried to justify the young man's arrest by saying that his actions were still a crime – he said that if you were to turn the door knobs of the front doors of apartments, and you managed to find one that was unlocked and get in, it would still be a crime, and should not be done.

Public backlash

After the press conference, the young man wrote a Facebook post about his experience, asking other users to share it in the hopes that the police report would be withdrawn.

The young man's comments and coverage of the issue prompted over 47,000 people in Hungary and abroad to post one-star reviews on the BKK's Facebook page. The posts feature criticism of the BKK, as well as a re-paste of the teenager's original message explaining his actions.

Numerous people also began testing the BKK website and posting the security vulnerabilities they found on Twitter.

Hungary needs an ethical hacking culture

The Budapest Transit Authority and T-Systems Hungary have incurred the wrath of the Hungarian public over arresting a young ethical hacker (Budapesti Közlekedési Központ)

Following the public backlash, on Saturday 22 July BKK's chief executive apologised for the problems with the ticketing system. However, he did not mention anything else. Instead, T-Systems Hungary's chief executive Zoltán Kaszás apologised in a public post on Facebook, and he extended an offer to the young man to collaborate with the company in future.

"Personally, I am also touched by the young man's case, but I would like to point out that, under the circumstances, there was no other option than to report an unknown culprit (the young man was not indicated to us)," wrote Kaszás (translated from Hungarian).

"Following the report, and further to all the parties concerned, the information and data relating to all parties concerned shall be made available to the authorities. As head of the management of T-Systems Hungary, I would like to offer the opportunity for future cooperation if he is open to it."

Kaszás said that Hungary currently has no practices when it comes to ethical hacking, and that T-Systems wanted to try to help create a legal, regulated framework for white hat hackers.

Despite the apology, Hungarian organisation Occupy Oktogon decided to hold a demonstration in front of the BKK building at 7pm on Monday 24 July, which was attended by at least 500 people.

It is not clear whether any further legal action has been taken against the young man, but the National Bureau of Investigation, which is tasked with fighting major crimes, has until 15 September to complete its investigation.

An IT training firm in Hungary has also offered the young man a fully-paid scholarship to complete a four-month-long software engineering or hardware programming training course at the Green Fox Academy in Budapest, worth 1.3 million Hungarian Forints.

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.