x404.co.uk http://www.x404.co.uk/forum/
Scientist banned from revealing car codes http://www.x404.co.uk/forum/viewtopic.php?f=19&t=19503
Author: Amnesia10 [ Fri Jul 26, 2013 11:11 pm ]
Post subject: Scientist banned from revealing car codes
Scientist banned from revealing codes used to start luxury cars
Author: jonbwfc [ Sat Jul 27, 2013 7:59 am ]
Post subject: Re: Scientist banned from revealing car codes
Now, call me a cynic, but you don't have to actually publish the code to prove that's the case. Plenty of security papers get published with an explanation of a vulnerability that anyone interested will understand without examples of how to abuse it in actual code. Publishing the codes themselves is pretty much unnecessary academically. But it gets them a lot of publicity...
Author: Amnesia10 [ Sat Jul 27, 2013 3:51 pm ]
Post subject: Re: Scientist banned from revealing car codes
If this security problem can be verified via peer review shouldn't the right to free speech trump the commercial impact of a massive recall to fix the cars? The courts have left customers vulnerable to commercial laziness. My concern is that the cars will not have their security fixed and eventually they pay the cost through higher insurance or non payment because this was a known weakness that was not fixed. The fact that there is a hole in the security of these cars is enough to motivate criminals to find that hole. So the customers will be vulnerable and their insurance will be impacted all to save the company face.
Author: jonbwfc [ Sat Jul 27, 2013 4:49 pm ]
Post subject: Re: Scientist banned from revealing car codes
Well, firstly, his conclusions can be verified by peer review without him having to publish the codes required to bypass the security. And, in fact, all serious academic papers are peer reviewed before they get published anyway. So publishing the codes provides no academic function beyond what publishing a paper that says 'these are my conclusions, if you understand this stuff try it yourself and see' would. Publishing the codes is grand-standing for publicity. It serves no academic purpose. As to the notion of freedom of speech, is his right to say what he likes trumped by the fact it will essentially save the criminals a bit of time, thus increasing the vulnerability of people's cars (because the crims will know how to break it sooner, so less people will have had their cars fixed by the time the exploit starts being used 'in the wild')? I'd equate it to the 'shouting fire in a theatre' argument. You have freedom of speech, but you have a duty of responsibility. The general requirement when researching security breaches (to encourage makers to get them fixed) has now been served. Everyone knows about the vulnerability and I suspect the makers are working to patch it and will face mounting criticism if they fail to do so. All this has happened without the codes themselves being published. Exactly what beneficial function will publishing the codes now serve? As far as I can see, the only people it will now help is the criminals. Surely events have shown publishing the codes wasn't necessary?
The units have been in use for years and this is the first evidence of vulnerability.
The criminals would have found the vulnerability at some point anyway. Publicising the fact it exists (thus precipitating a fix from the manufacturers) has brought it to people's attention efficiently, while still leaving the crims some work to do if they want to actually use it. If, as the story says, the cars at risk are high end models the population is actually quite small and they tend to use specialist insurers anyway. The effect any extra car theft due to this will have on mine or your insurance is considerably less than the stock market pressure for insurance companies to keep posting increased profits. Essentially, I can't see how publishing the paper with the codes produces more benefits to car owners than publishing the paper without the codes. I think that's a moot argument. What we're left with is freedom of speech vs social responsibility, which is a blurry line at the best of times.
Author: Amnesia10 [ Sat Jul 27, 2013 6:27 pm ]
Post subject: Re: Scientist banned from revealing car codes
I do agree that publishing the codes would achieve nothing more apart from increasing theft. I was more concerned about the impact on free speech. I do think that simply having it peer reviewed should be sufficient. The criminals might take months to crack it, if at all. Social responsibility should be enough to stop the codes being announced. If they did announce it they could be held accountable in the UK under joint enterprise aspects of the law.
All times are UTC