Jump to content



Photo

  • Please log in to reply
17 replies to this topic

#1 +V-Tech

V-Tech

    Neowinian Senior

  • 3,036 posts
  • Joined: 06-January 05
  • Location: 127.0.0.1
  • OS: Windows 7 Enterprise
  • Phone: Nexus 5

Posted 29 July 2013 - 05:53

porsche-keys.jpg

 

Giovanni Ribisi had better hope he doesn't botch a job anytime soon. Flavio Garcia from the University of Birmingham cracked the security system that pairs an owner's key to their Porsche, Lamborghini or Audi, and Volkswagen's parent company wants that research to remain unpublished. The UK's high court sided with VW's owner and granted an injunction protecting the Megamos Crypto system. Afterward, Garcia was offered to print his findings, but without the all-important decryption codes. He refused, saying that the public has a right to see the holes in the systems it relies on and that this wasn't an attempt to give criminals a hand in boosting cars. While the court's logic is sound -- once revealed, all manner of "if this ever fell into the wrong hands" situations could arise -- it's unsettling to see government bend to corporate request. At least we know Eleanor can sit in the garage for just a little longer now.

 

 

http://www.engadget....megamos-crypto/




#2 XerXis

XerXis

    Neowinian Senior

  • 5,006 posts
  • Joined: 13-February 06
  • Location: Belgium

Posted 29 July 2013 - 06:58

1) government =/= justice system, in fact, they should be two completely different entities, so saying that the government bends to corporate request because of the decision of a Judge is kind of stupid

2) the decision is completely logical, I really don't see this as censoring just because a company wants to have something censored. Releasing those decryption codes would make it somewhat too easy for the criminals to make their own keys



#3 Brian M.

Brian M.

    Neowinian Senior

  • 12,319 posts
  • Joined: 07-January 05
  • Location: London, UK

Posted 29 July 2013 - 06:58

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".



#4 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 14,341 posts
  • Joined: 23-August 04
  • Location: UK

Posted 29 July 2013 - 10:23

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.



#5 Poof

Poof

    Neowinian

  • 200 posts
  • Joined: 06-September 03
  • Location: California

Posted 30 July 2013 - 06:39

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.



#6 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 14,341 posts
  • Joined: 23-August 04
  • Location: UK

Posted 30 July 2013 - 07:39

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

 

Actually, no... they wouldn't have had to recall anything.  This "researcher" found a flaw which cannot be exploited remotely, so there would be no need to recall anything.  Also, car manufacturers only recall cars when there are actual design faults which affect safety; this doesn't come under that heading at all.



#7 articuno1au

articuno1au

    Neowinian Senior

  • 4,429 posts
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 30 July 2013 - 08:04

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::
It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.



#8 FloatingFatMan

FloatingFatMan

    Resident Fat Dude

  • 14,341 posts
  • Joined: 23-August 04
  • Location: UK

Posted 30 July 2013 - 08:14

So? It's still not information which the public "needs to know", so attempting to release it into the wild, especially knowing full well that it's NOT fixed, is completely irresponsible.

 

Would you like it if someone released information on how to hack YOUR car into the public?



#9 Brian M.

Brian M.

    Neowinian Senior

  • 12,319 posts
  • Joined: 07-January 05
  • Location: London, UK

Posted 30 July 2013 - 08:18

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::
It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

 

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::
It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.



#10 articuno1au

articuno1au

    Neowinian Senior

  • 4,429 posts
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 30 July 2013 - 08:20

They offered to remove the segments that would allow the hack to be reproduced.

 

VW choosing not to pursue a fix is irresponsible. Obscurity doesn't provide security. If these gentlemen could generate the exploit, other people with lesser morals can.

 

Keeping the exploit secret doesn't protect people; releasing it would force VW to actually fix the issue (which is doable via a key recode).

 

Would I like it if it was my car? No. Do I think it's necessary despite it being a pain in the arse? Damn straight I do



#11 articuno1au

articuno1au

    Neowinian Senior

  • 4,429 posts
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 30 July 2013 - 08:25

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.



#12 Sir Topham Hatt

Sir Topham Hatt

    A Very Talented Individual

  • 6,625 posts
  • Joined: 02-November 03
  • Location: Island of Sodor, UK

Posted 30 July 2013 - 08:29

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.



#13 articuno1au

articuno1au

    Neowinian Senior

  • 4,429 posts
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 30 July 2013 - 08:33

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Indeed.

 

The answer to the latter is that creating secure systems is the exact opposite process of assessing them.



#14 Brian M.

Brian M.

    Neowinian Senior

  • 12,319 posts
  • Joined: 07-January 05
  • Location: London, UK

Posted 30 July 2013 - 11:32



On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

 

That's great - if you have your car serviced at a main dealer. What % of people do that? Considering the prices they charge, not many.

 

So - VW could send a mailshot. Cool. Except - what about people that bought the car used? How to they get contacted. He has contacted VW - they do know how it was defeated. And how do you know car manufacturers don't share security information (which it's in all of their interests to do)?



#15 articuno1au

articuno1au

    Neowinian Senior

  • 4,429 posts
  • Joined: 20-March 11
  • Location: Brisbane, Australia

Posted 03 August 2013 - 12:36

Everyone, because it's a manufacturer fault. It will be covered by VW.

 

Your position on this plays into my stance. My point is that you must publish the information publicly, otherwise people who have a second hand car have no chance of finding out about the issue. You can publish without details of how to exploit the issue and people can get their cars looked into. This is what VW has chosen to block. If you read into this, you will the researchers offered to publish without including the key codes or details about the exploits execution. VW filed for an injunction regardless.

 

To answer your final point: given VW is approaching this as security through obscurity, I'd suggest that they aren't sharing.. Not very obscure if you share how you do it.

 

The basic principles of cryptography are well known. Something VW is doing isn't in line with best practices, that's how it got cracked.

 

Even if you want to suggest VW isn't doing the wrong thing; your original stance that this is hackers claiming to be researchers is completely untenable.





Click here to login or here to register to remove this ad, it's free!