A white hat hacker who discovered a vulnerability in Magyar Telekom’s IT systems is facing 8 years in prison. The hacker discovered the vulnerability in the Hungarian telecommunications company’s system in April 2018. He informed Magyar Telekom of the security issues and met with them to discuss a possible future collaboration, but nothing came of this.
The hacker continued to probe Magyar Telekom’s systems for vulnerabilities without permission, and discovered another vulnerability. This vulnerability would allow attackers to “access all public and retail mobile and data traffic and monitor the servers of the companies served by T-Systems.”
The second intrusion was detected by Magyar Telekom, which reported it to the authorities.
The Hungarian Civil Liberties Union, which has defended white hat hackers in the past, has commented that ethical hackers shouldn’t be prosecuted because they are providing a service that helps society. However, the Hungarian Prosecutor’s office doesn’t see it that way. They argue that the hacker “crossed a line and due to the danger his actions may have posed to society, he must face the consequences of criminal law.”
Magyar Telekom released a statement declaring that they filed a complaint because the hacker didn’t comply with their investigation and launched new attacks.
The Hungarian Prosecutor’s office offered the man a plea deal in which he would be given a 2-year suspended sentence if he admitted guilt. At the time the deal was on the table, turning it down meant he would serve 5 years in prison if found guilty.
The hacker refused the deal. Since then a new charge has been added to the indictment for disrupting the operation of a public utility. Now, if proven guilty, he could face a maximum of 8 years in prison.
This case raises some concerns about the ethical implications of white hat hacking. If intentions are pure, does that make it ok?
Ethical hacking is a career that is on the rise, and many cybersecurity professionals have built a career from being a white hat hacker. So where are the ethical lines? For some people, as long as no harm was done, the intentions were not malicious, and they inform the company, then it’s ok. For other people, hacking is only ok with express permission from the company, and it should not be conducted otherwise, even if it does lead to important discoveries.
Consider this analogy. You walk past a house and decide to check if their door is locked by attempting to open it. Your intentions are pure: you only want to check the door in order to inform the owner of the security risk if it is in fact unlocked. Many people would consider the fact that you tried the door to be a threat, a line you shouldn’t have crossed, even if it makes them more aware of the risks.
Hacking without permission is often a crime, and one which companies may potentially take very seriously. For this reason, it is better to err on the side of caution.