Aussie Security Researcher Avoids Prison Over Hacking
Nik Cubrilovic Must Pay GoGet, Do Community Service
An Australian security researcher who pleaded guilty to several charges related to breaching the network of a popular car-sharing service, including accessing customer data, has avoided jail time.
ITNews reports that Nik Cubrilovic of Penrose, New South Wales, was sentenced in Sydney's Downing Centre Local Court on Wednesday to a two-year community corrections order. The order requires 400 hours of community service.
Cubrilovic was also ordered to pay GoGet $938.70 and pay another individual $678.50. According to ITNews, the magistrate took into account that he has been without access to the internet for 15 months. After his arrest, he was banned from using the internet.
A GoGet spokesperson says: "We're grateful for the hard work of the State Crime Command Cyber Crime Unit on seeing this case to its resolution."
The sentencing closes a relatively rare instance in Australia of a security researcher with a public profile whose actions triggered a criminal investigation.
Cubrilovic was charged in January 2018. He initially faced more than 30 charges, but most were eventually dismissed. He was accused of gaining unauthorized access to the network of GoGet, which has a fleet of 3,000 vehicles across five Australian cities that can be rented by the hour or day.
Cubrilovic allegedly accessed administrative sections of GoGet's network to use its vehicles without consent more than 30 times between May and June 2017.
According to the Illawarra Mercury, a publication close to Cubrilovic's home, he made bookings for five vehicles, including an Audi A3 convertible. The charges were incurred on someone else's account.
Cubrilovic pleaded guilty in early March to charges of taking a vehicle without consent. He also pleaded guilty to one charge of dealing with identity information and one charge of obtaining a financial advantage.
Intrusion: Difficult to Detect
ITNews reports that Magistrate Georgina Darcy said during sentencing that Cubrilovic's intrusions were "notoriously difficult to detect" and had "required a great deal of resources to investigate." Still, she felt the offenses didn't merit prison, it reported.
Indeed, it was six months before charges were filed against Cubrilovic. The New South Wales State Crime Command's Cybercrime Squad began an investigation around July 2017 and formed a task force dubbed Strike Force Artsy.
The investigation was triggered after GoGet informed police of irregularities it detected. One signal was unauthorized access into the company's fleet booking system and the downloading of customer identification information, police said in January 2018.
Cubrilovic was arrested at his home that month, and police seized computers, laptops and storage devices. The Mercury reported it was alleged he was "extremely uncooperative with police, refusing to supply any passwords to any devices."
ITNews reports that New South Wales police plan to make an application for permission to destroy two of his iPhones and two laptop hard drives, which could potentially contain GoGet customer details.
Discovered Serious Vulnerability
Cubrilovic had a sizable following on Twitter but stopped tweeting in early 2017, about a year before his arrest.
He gave a presentation in 2016 at one of the largest Australian computer security conferences, AusCERT. The title of his presentation was "Stock Hacks: Applying Information Leakage to Profitably Trade Stocks," a video of which is still on YouTube.
The Age spoke to Cubrilovic in 2015 after he found cross-site scripting vulnerabilities in MyGov, which is the Australian government's portal for tax information, health services and other benefits.
In a video accompanying The Age's story, Cubrilovic explains how he could use the flaws to take over someone's MyGov account. It involved hijacking the cookie of a logged-in user after a victim clicks a malicious link or visits a website with a malicious script.