An ethical hacker who reported serious vulnerabilities in Magyar Telekom has been arrested and faces years behind bars for "disturbing a public utility."
Magyar Telekom, a Hungarian telecommunications company, filed a complaint against the hacker who is now being defended by the Hungarian Civil Liberties Union (HCLU/TASZ).
According to local media, the man discovered a severe vulnerability in the telecom provider's systems in April 2018. These findings were reported to the company and both parties met.
The idea of working together was floated but never came into fruition, and in the meantime, the researcher continued probing Magyar Telekom's networks.
In May, the hacker found another vulnerability which the publication says, if exploited, could have been used to "access all public and retail mobile and data traffic, and monitor servers."
According to Index.hu, the first vulnerability allowed the hacker to obtain an administrator password through a public-facing service. The second bug allowed him to "create a test user with administrative privileges."
On the same day, the company noticed strange activity on their network and reported a cyberintrusion to the police, leading to the man's arrest.
The trial has already begun. Hungary's prosecution service is requesting a prison term, while the HCLU has fought back, claiming that the indictment is "incomplete" as "it is not clear what exactly he has done."
Magyar Telekom told Napi.hu:
"The hacker, beyond the limits of ethical hacking, launched new attacks after the first attack, and began to crack additional systems with the data he had acquired so far."
A plea deal was on the table. If the man admitted his 'guilt,' he would be given a two-year suspended sentence. However, this was refused and now the researcher is being charged with an upgraded crime -- the "disrupting the operation of a public utility" -- and could end up behind bars for up to eight years.
Ethical hacking is often considered outside of criminal law as intrusions can benefit companies and society as a whole, a "good faith" concept which is argued as part of HCLU's defense strategy.
However, there are still rules which should be observed, such as making sure no private data is taken and day-to-day operations are not disrupted due to testing and probes.
This encapsulates the prosecutor's case. Law enforcement claim that the hacker crossed an ethical line and his actions may have posed a "danger to society," and therefore he can be charged under the country's criminal laws.
However, there is no evidence that the man in question disregarded these rules, and in a separate statement, the company said itself that the customer data was "safe and secure."
"If someone finds a mistake on a system of Magyar Telekom Group and reports it to Telekom immediately, it does not use it in any way (eg does not modify, delete, save information, etc.), cooperates with Telekom's own investigation and does not publish (this endangers the system), Telekom will not file a complaint against it," Magyar Telekom added.
The case is ongoing.