18 year old guy arrested for reporting a shamefully stupid bug in the new Budapest e-Ticket system

The amount of stupidity in this story warrants that this is going to be somewhat long, so I start at the end: as the title says, an 18 year old guy was arrested two days ago for 'hacking' the new Budapest public transport e-Ticket system a week before, even though he immediately reported the vulnerability he found.

As the story has stirred the online and the social media, this outrageous move from the police brought about fierce reaction resulting in tens of thousands of 1-star reviews on the facebook pages of the companies involved: the Budapest Transport Authority (operator of the new service, abbreviated as BKK for its Hungarian name) and T-Systems Hungary, developers and maintainers of the e-Ticket System. T-Systems Hungary happens to be owned by Telekom Hungary, which itself is a subsidiary of Deutsche Telekom and T-Systems is also a brand of DT and is a pretty big player being present across all Europe. (The reason the reviews landed on the global/German page instead of the Hungarian one is that the latter doesn't have this feature enabled.)

The story started a few weeks ago, when the BKK announced that it would launch mobile based a e-Ticketing system. Everyone, including me, was enthusiastic and surprised at the same time. We knew that they have been working on an NFC/smart card based system for around 4 years, without any visible result despite the millions of EURs spent. (The last article I've seen quotes 9 million EURs as the final cost.) The first questions that came to my mind when I heard the announcement were: 'How come so suddenly, without any previous rumours, news?' and 'I wonder how will they make it really hard to cheat, what copy protection/authentication mechanisms will be there...'

The answer to the first question, well, at least the partial answer, is that they wanted it to be available for the visitors of the FINA world championships, that is being held in Budapest right now. Even more cleverly, they timed the public launch to be on the day of the official opening event (14th July). This already stinks a bit. First of all, of course, you don't just launch such a system in a city, with a pretty large public transport system and 1.7 million people, without serious testing. For example the public bike system, built by the same company, was in public beta with thousands of testers for months, even though it has far less users and far smaller importance. Second, you definitely don't launch it during an event that attracts a lot of extra tourists. Third, if the goal is to be usable by the visitors, you probably want it to be available at least a few days before the opening event, because well, a lot of them will arrive early.

But the second question is more intriguing: how do you make it secure. What we knew ahead is that the e-Ticket would be web based, so no app install is necessary, which makes it even harder to fight tricksters. (Otherwise a user friendly move in itself.)

Now what happened on launch day was unexpected even if you are an overly cynical 'been there, done that' type of software engineer born in a small, Central (or Eastern, if you will) European country during the Soviet era. Yes, of course there were problems, yes of course, the ticket was simple to copy between devices, but it was even worse. We quickly learned about a few serious flaws (as reported by the non-government controlled part of the press):

  • the system stored the passwords in clear text and it emailed it to you if you asked for a password reminder. Now, this means that for most people, anyone who had access to the system, got probably access to their email account as well. (Because, let's be hones, most people will just use the same password everywhere.)
  • after logging in, people were also able to get the data of other users (probably through manipulating the url, the news report was not 100% clear here). I.e. the app didn't have proper permission handling. Some people claimed that they were able to access the profiles of other users this way. Now, to register, you have to provide your name, your address and an ID number (national id, driving license or passport). These have to be real, because you may have to prove ticket controllers that the pass belongs to you.
  • if you just typed in the url (shop.bkk.hu), the site just wouldn't appear. At first I thought they've taken it offline, but it turns out that they just didn't set up the http -> https redirection. And it was left like that for days. If you just heard about it, you couldn't use it. You had to click a link (normal users won't figure out to put an https in front of the host name, even I didn't think of it).
  • the ticket wouldn't show up properly in Safary on iPhones.
  • someone found out that the admin password was adminadmin and managed to log in using that.
  • of course the tickets were 100% copyable, a few guys made a video of passing ticket control 10 out of 10 times without being caught. The ticket controllers used a QR reader only twice (majority of them doesn't have it, nor knew much about the app at all) and even then they wouldn't be caught. (Unsurprisingly, I would add.)
  • but the most ridiculous flaw, and as far as I know the first security issue to have been discovered, was that you could just set the price for the pass you were about to buy.

This last one was the one found by the 18 year old gentleman I started my story with. According to him, he doesn't even know how to program yet (he'll start the university this autumn). He just used the developer tools in the browser, that everybody has access to, saw that the price was being sent back to the server when he was about to make a purchase, and tried if he could change it. A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF. When he got the confirmation that it worked and was able to see his pass in the app, he immediately emailed the BKK (the Transport Authority) that there was a serious problem. He got an email that his pass was invalidated, but otherwise they didn't get back to him. Instead, when it got leaked out to the press, and in a few hours everyone were talking about the above issues (not just this one), BKK together with T-Sytems Hungary started to, what I would call, massively covering their arses.

They started to talk about a series of hacker attacks (which may have been true), how the society wasn't acting like grown ups, that every system can be broken but their firewall has caught a number of attacks, that people were using indecent names for registration, that they have of course deleted, etc.

One T-Systems Hungary representative also told at a press conference four days later, that they are happy to receive bug reports AND that they have reported one case, that was definitely an illegal hacking attempt. While they have also mentioned what sounded like SQL injection attack attempts, you could be just sure that it was the poor 18 year old 'hacker' who was stupid enough to email them. BKK representatives talked about how the system was under continuous attacks, of which none were successful, that no need to stop the system, everyone's data is safe.

And a week later the news broke out that he was taken from his home by the police in the early morning and taken to custody. (He was released after a few hours.) Now, of course, in a normal country, in a well functioning democracy whoever reports a suspected crime is not responsible for whatever the police does afterwards. (Even if that's totally assholish and amateurish from their part to do so, instead of saying thank you and maybe giving a small bounty.) But in such a country the police doesn't raid the house to catch someone who is not dangerous to the society. Especially if it's not legal. And in Hungary, according to the law, this was pretty much illegal. The only reason they did this is to threaten.

After the ensuing outrage, they have softened their tone, going from 100% accusation and denial to a kind of a "we're sorry that it happened to him". Even the CEO of T-Systems wrote a somewhat apologetic post, but never admitted that reporting the guy wasn't the best thing to do (instead he pointed at internal policies that he said compelled them to do so) or that the system doesn't meet the expectations. He talked about how this was controversial and demonstrating how there wasn't a widely accepted consensus about ethical hacking. But the interesting thing is that, first of all, they earlier talked about how this was not ethical hacking because no one asked the guy to do it and also, of course, if anyone looks at the reactions from the IT professionals, then it becomes 100% obvious that there is a pretty strong consensus on this among us.

If you start to put together the pieces it starts to look really-really bad for all the parties involved.

  • BKK ordered and accepted a system that was full of amateurish errors. Make no mistake, your average just-out-of-the-bootcamp junior developer would have created a better solution than this in one or two weeks. Even if you think it's an exaggeration, it wouldn't have been a problem for an experienced engineer.
  • T-Systems Hungary agreed to develop (probably with an unrealistic deadline) a solution that couldn't have been good enough even if built properly. (Assuming that it wasn't their task to figure out how to make the tickets hard to copy or cheat with.) And then they've built it out as they did. And then some manager said OK, let's do a release.
  • BKK pays T-Systems Hungary 80kEUR/month to operate this system. Which sounds surprising, because the 80k sounds like enough to cover all the development cost of a decent implementation of this idea. Or maybe 2-3x the 80k of you add a few managers, some extra testing and just a little bit of corruption. (I haven't factored in the QR readers + mobiles used by some ticker controllers, but those seem to be pretty few and far between so far.)

You might ask the question: why was it so-so fucking urgent to do a release for the FINA championship? They said at the press conference that they wanted to test it and gather experiences, so that they can perfect the system by September, when the (public transport) high season starts. But let's forget about the BKK people, as that organization is controlled by the politics top down. How come any sane professional manager would let this pile of crap into release? Didn't any of the engineers on the team tell their managers that something isn't right? I find it hard to believe.

Again, was it related to the FINA event? Why are these guys covering up so violently? Knowing Hungary it's somewhat granted that people just don't like to admit if they have screwed it up. But usually it's the strongest when politics is involved. Add to this the unwarranted arrest of the guy who reported a bug. They could, or according to some lawyers should, have just cite him. Oh, BTW, and according to the law, what he did very probably wasn't even illegal. He was reported for 'unauthorized influence' of the system, which is covered by the paragraph about 'fraud committed using information systems', but the conditions mentioned therein are not met. Which makes it hard to believe that the police did their job properly (or maybe that the T-Systems Hungary guys provided all information they reasonably could).

UPDATE: He is being a suspect based on a different paragraph than I thought: unauthorized access to a computer system or data. IANAL, but after reading into it, that doesn't seem to hold either.

UPDATE2: The BKK CEO told the press that they didn't receive the original report from the guy, because he sent it to the wrong email address. Of course, this was refuted with a screenshot pretty quickly.