The Budapest Transport Authority (BKK, in Hungarian) recently launched an online payment system with the help of T-Systems Hungary, Deutsche Telekom’s consulting arm. The system, which took three months to build, was supposed to be installed in time for the FINA world championships in Budapest. The software, not unexpectedly for such a project, was full of bugs, including an administration screen whose password was set to “adminadmin.”
Government incompetence augmented by money-hungry consultants is nothing new. But what happened next is certainly something unique.
On or about July 14 an unnamed 18-year-old – “The boy is nobody. He’s not even a programmer,” said one Hungarian who wished to remain anonymous – emailed BKK about a hole he had found in their system. The hole, if it can be called that, let anyone with a passing knowledge of modern browsers set any price they wanted for any ticket in the system. The ticket price was carried in the web page itself and sent back with the order: by simply pressing F12 to open the browser’s developer tools, a “hacker” could edit the price right in the browser, and because the server never compared the submitted price against its own price list, the ticket could be purchased at that price. The 18-year-old “hacker” discovered this and showed BKK that he was able to buy a monthly ticket. “A monthly pass costs 9500HUF (about 30EUR) and he modified the price to 50HUF,” wrote Laszlo Marai in his post on the attack.
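The bug class described above, as an added example that is not BKK’s or T-Systems’ code: a checkout handler that charges whatever price the browser sends, next to one that treats the client’s price as untrusted input and takes the real price from the server’s own catalog. The product names, the HUF prices, the request shape and the quantity limit are all assumptions modelled on the article’s description.

```javascript
// Added example, not code from the BKK system. Models the two sides of the
// bug: a handler that trusts a client-supplied price, and one that does not.

// Server-side price list (assumed). In a real system this is a database row,
// never a field in the HTML form.
const CATALOG = {
  "monthly-pass": { name: "Monthly pass", priceHuf: 9500 },
  "single-ticket": { name: "Single ticket", priceHuf: 350 },
};

// Vulnerable: the price comes from the request body, i.e. from a hidden form
// field or a JavaScript variable that anyone can edit with the F12 dev tools.
function createOrderVulnerable(body) {
  const item = CATALOG[body.productId];
  if (!item) throw new Error("unknown product");
  // Nothing checks body.price against item.priceHuf.
  return { productId: body.productId, qty: body.qty, charged: body.price * body.qty };
}

// Hardened: the client may only name a product and a quantity. The amount to
// charge is recomputed from the catalog. A client-supplied price that differs
// from the catalog is rejected rather than silently corrected, so that tampering
// shows up in logs instead of being absorbed.
function createOrderHardened(body) {
  const item = CATALOG[body.productId];
  if (!item) throw new Error("unknown product");
  const qty = body.qty;
  // Bound the quantity: it is the other number the client controls.
  if (!Number.isInteger(qty) || qty < 1 || qty > 10) throw new Error("invalid quantity");
  if (body.price !== undefined && body.price !== item.priceHuf) {
    return {
      rejected: true,
      reason: "client price does not match catalog",
      expected: item.priceHuf,
      got: body.price,
    };
  }
  return { productId: body.productId, qty, charged: item.priceHuf * qty };
}

// Constructed input: the request a user would send after editing the hidden
// price of the 9500 HUF monthly pass down to 50 in the browser.
const TAMPERED_REQUEST = { productId: "monthly-pass", price: 50, qty: 1 };

// Runs both handlers on the tampered request so the difference is visible.
function demo() {
  return {
    vulnerable: createOrderVulnerable(TAMPERED_REQUEST), // charged: 50
    hardened: createOrderHardened(TAMPERED_REQUEST),     // rejected: true
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The fix is not “validate the price field” but “do not accept a price field at all”: the only thing the client legitimately knows is which product it wants and how many. Anything the browser can see, it can change, so every value that affects money has to be derived or re-derived on the server.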
In the intervening days the Hungarian media had fun with the story. They found countless bugs. BKK and T-Systems went on the defensive, claiming their system worked just fine. “The whole media is convinced they made a rubbish system, and BKK and T-Systems literally washed themselves of responsibility,” said a translator. “The system is 100%, they said. It’s excellent. They said that a lot of people tried to hack the system and they swore that they would defend against them.” For their part, T-Systems claimed to have fixed all of the holes in the software.
A week later, on July 21, the police arrested the young man at his home after BKK completed an investigation that, presumably, involved reading his email to BKK. It is important to note that the young man lived outside of Budapest and could not have used his purloined BKK pass.
“That boy was arrested and the police took him for questioning and booked him,” my source in Hungary told me. “They released him a few hours later.”
BleepingComputer posted a translation of the statement the teen made on Facebook:
I am an 18-year-old, now a high school graduate. Perhaps what differs from the average is that I trust that I can help solve a mistake.
I discovered last Friday that I could buy a monthly ticket for 50 in BKK’s new internet e-ticket system, and I informed them about two minutes later. I did not use the ticket; I do not even live near Budapest, and I have never traveled on a BKK route. My goal was just to signal the error to BKK so that they could solve it, not to use it (for example, to sell the tickets at half price for my own benefit).
BKK was not able to answer me for four days, but in their press conference today they said it was a cyber attack and that it had been reported. I found an amateur bug that could have been exploited by many people – no one seriously thinks that an 18-year-old kid would have taken on a serious security system and wanted to commit a crime by promptly telling the authorities.
I am convinced that if I do not speak about the error, I will not report it. My hire was canceled only after I sent my letter to them.
I would like to publish this post without my name and identity. I ask you to help by sharing this entry with your acquaintances so that BKK will come to a better understanding and see that my purpose was merely a helping intention; I have not harmed or wanted to harm them in any way. I hope that in this case BKK will consider withdrawing the report.
Over the weekend, the BKK chairman took to the radio in Hungary to blame T-Systems for the situation, and T-Systems, as per the usual consulting crisis playbook, released a rambling non-apology:
I personally feel for the young man concerned, however, I would like to underline that under the given circumstances we had no other option, but to press charges against an unknown offender (as the young man did not contact us). Upon pressing charges, we provided all the information and data available about the involved parties to the authorities for clarification purposes, and shall do so in the future, too. In my capacity as head of T-Systems Hungary, and assuming that the ethical conduct of the young man is ascertained, I would like to offer him the possibility that we cooperate in the future, if he is open to such a cooperation.
The case has revealed that a widely accepted practice of ethical hacking does not exist in Hungary, and partly perhaps due to lack of such, a true consensus has also not evolved, yet. It is time to start the social and professional dialogue addressing “ethical hacking” in Hungary, too, and to establish the relevant legal and regulatory frameworks for the activity. Pursuing this objective, T-Systems shall introduce some relevant initiatives (“bug bounty”) in the near future.
Don’t expect much word from the hacker. “As long as the police procedure is not closed (i.e. there is a result of a court hearing), I do not intend to comment, give interviews, or show up in the press,” he said. “Thank you all so much for standing up for me. It was incredible, and I couldn’t have done this without the support of people. Now I’d like to go back to my own life and rest – for a reason, I think; it has been quite an impact on me these last few days.”
Already Hungarians are seeing a deeper meaning in this national faux pas. Writes Marai:
Why are these guys covering up so violently? Knowing Hungary, it’s somewhat a given that people just don’t like to admit it if they have screwed up. But it’s usually strongest when politics is involved. Add to this the unwarranted arrest of the guy who reported a bug. They could, or according to some lawyers should, have just summoned him. Oh, BTW, according to the law, what he did very probably wasn’t even illegal. He was reported for ‘unauthorized influence’ of the system, which is covered by the paragraph about ‘fraud committed using information systems’, but the conditions mentioned therein are not met. Which makes it hard to believe that the police did their job properly (or maybe that the T-Systems Hungary guys provided all the information they reasonably could).
“This is the usual Hungarian way,” said my source in Hungary, exasperated.