The Ontario university student charged with breaching Canada Revenue Agency computers previously engaged in ethical hacking while in high school in order to alert his school board that its servers were vulnerable, his lawyer says.
Stephen Arthuro Solis-Reyes is a 19-year-old computer science student at the University of Western Ontario. The police announced on Wednesday that Mr. Solis has been charged after someone exploited the Heartbleed Internet bug to steal about 900 social insurance numbers from the CRA.
Mr. Solis is to appear at the Ottawa courthouse on July 17 to face one count of unauthorized use of a computer and one count of mischief in relation to data.
While underlining that there is no admission that this client had hacked into the CRA system, lawyer Faisal Joseph suggested a possible defence when he said Mr. Solis had once demonstrated that his school board's computers could be breached.
He said Mr. Solis was 14 and a student at Mother Teresa Catholic Secondary School when he contacted the London District Catholic School Board.
"He communicates with the board and tells them that they have a problem with their computer system, that it's susceptible to hacking," Mr. Joseph said in an interview. "They didn't take him seriously."
Mr. Solis then went on to "prove to them that there was a deficiency," his lawyer said.
The school board would neither deny nor confirm Mr. Joseph's account. LDCSB spokesman John Boles said the board will not make comments out of respect for Mr. Solis's privacy.
Allegations of rough tactics
The police investigation began some time after April 7, when computer security researchers announced the existence of the Heartbleed bug, a programming error in the OpenSSL cryptographic platform.
Mr. Joseph said his client first heard from the RCMP "four or five days ago" when National Division investigators showed up at his family's home at 1 a.m. to execute a search warrant.
The investigators left after a search that lasted five to six hours, taking with them several computers, including Mr. Solis's laptop.
On Tuesday, the RCMP contacted Mr. Solis at his home and asked him to go to the London police headquarters for questioning that afternoon.
"They told him that if he did not come voluntarily, because they did not have a warrant for his arrest, that they would embarrass him, make a public spectacle out of him while he was writing his exams at the University of Western Ontario," Mr. Joseph said.
Mr. Solis went to meet the investigators, but he called his lawyer beforehand, around 4:45 p.m.
Mr. Joseph said he tried to visit his client, but he was denied access for six hours while the young man was shuttled between a cell and the interrogation room until his release shortly before 11 p.m.
"They were trying to sweat him out," Mr. Joseph said.
The following day, the RCMP announced the charges, a day ahead of Mr. Solis's exams.
"If there were any utterances that were made during this six-hour interrogation under the conditions of threats and coercion, then I will obviously be raising those facts in court," the lawyer said.
When contacted about Mr. Joseph's allegations, an RCMP spokeswoman, Corporal Lucy Shorey, said the force had not further comments because "the investigation is still ongoing."
Mr. Solis is not the only person who is alleged to have used the Heartbleed flaw to break into computer systems.
After the flaw was publicly revealed on April 7, there would have been a race between hackers and system operators who were scrambling to apply corrective software patches.
Researchers at the University of Michigan say they set up three "honeypots" – computers purposely left unprotected to document hacking attempts.
By April 8, they noticed a first attempt by someone trying to breach one of the honeypots. Within a week, there were attacks from 41 intruding computers that were "scanning for and attempting to exploit the Heartbeat vulnerability," the Michigan team said in an online report.
Because the honeypot computers were stationed in little-known online locations, the researchers believe that the intruders found them by systematically scanning through a large swath of the Internet, looking for unpatched servers.
Of the 41 invasive computers, 59 per cent were located in China and accounted for 45 per cent of the attacks, the researchers said.
The Internet Protocol address of one intruder, located in Guangzhou, in southern China, had previously been identified last fall with malicious activities, the Michigan report said.