UK court sides with Volkswagen on security concerns over key pairing


Recommended Posts

porsche-keys.jpg

 

Giovanni Ribisi had better hope he doesn't botch a job anytime soon. Flavio Garcia from the University of Birmingham cracked the security system that pairs an owner's key to their Porsche, Lamborghini or Audi, and Volkswagen's parent company wants that research to remain unpublished. The UK's high court sided with VW's owner and granted an injunction protecting the Megamos Crypto system. Afterward, Garcia was offered to print his findings, but without the all-important decryption codes. He refused, saying that the public has a right to see the holes in the systems it relies on and that this wasn't an attempt to give criminals a hand in boosting cars. While the court's logic is sound -- once revealed, all manner of "if this ever fell into the wrong hands" situations could arise -- it's unsettling to see government bend to corporate request. At least we know Eleanor can sit in the garage for just a little longer now.

 

 

http://www.engadget.com/2013/07/29/uk-court-volkswagen-megamos-crypto/

Link to comment
Share on other sites

1) government =/= justice system, in fact, they should be two completely different entities, so saying that the government bends to corporate request because of the decision of a Judge is kind of stupid

2) the decision is completely logical, I really don't see this as censoring just because a company wants to have something censored. Releasing those decryption codes would make it somewhat too easy for the criminals to make their own keys

Link to comment
Share on other sites

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Link to comment
Share on other sites

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Link to comment
Share on other sites

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

Link to comment
Share on other sites

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

 

Actually, no... they wouldn't have had to recall anything.  This "researcher" found a flaw which cannot be exploited remotely, so there would be no need to recall anything.  Also, car manufacturers only recall cars when there are actual design faults which affect safety; this doesn't come under that heading at all.

Link to comment
Share on other sites

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

Link to comment
Share on other sites

So? It's still not information which the public "needs to know", so attempting to release it into the wild, especially knowing full well that it's NOT fixed, is completely irresponsible.

 

Would you like it if someone released information on how to hack YOUR car into the public?

Link to comment
Share on other sites

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

 

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

Link to comment
Share on other sites

They offered to remove the segments that would allow the hack to be reproduced.

 

VW choosing not to pursue a fix is irresponsible. Obscurity doesn't provide security. If these gentlemen could generate the exploit, other people with lesser morals can.

 

Keeping the exploit secret doesn't protect people; releasing it would force VW to actually fix the issue (which is doable via a key recode).

 

Would I like it if it was my car? No. Do I think it's necessary despite it being a pain in the arse? Damn straight I do

Link to comment
Share on other sites

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

Link to comment
Share on other sites

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Link to comment
Share on other sites

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Indeed.

 

The answer to the latter is that creating secure systems is the exact opposite process of assessing them.

Link to comment
Share on other sites

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

 

That's great - if you have your car serviced at a main dealer. What % of people do that? Considering the prices they charge, not many.

 

So - VW could send a mailshot. Cool. Except - what about people that bought the car used? How to they get contacted. He has contacted VW - they do know how it was defeated. And how do you know car manufacturers don't share security information (which it's in all of their interests to do)?

Link to comment
Share on other sites

Everyone, because it's a manufacturer fault. It will be covered by VW.

 

Your position on this plays into my stance. My point is that you must publish the information publicly, otherwise people who have a second hand car have no chance of finding out about the issue. You can publish without details of how to exploit the issue and people can get their cars looked into. This is what VW has chosen to block. If you read into this, you will the researchers offered to publish without including the key codes or details about the exploits execution. VW filed for an injunction regardless.

 

To answer your final point: given VW is approaching this as security through obscurity, I'd suggest that they aren't sharing.. Not very obscure if you share how you do it.

 

The basic principles of cryptography are well known. Something VW is doing isn't in line with best practices, that's how it got cracked.

 

Even if you want to suggest VW isn't doing the wrong thing; your original stance that this is hackers claiming to be researchers is completely untenable.

Link to comment
Share on other sites

They should be recalling cars NOW and fitting a new version. We now know its possible to crack so someone somewhere is working on it right now and they WILL release it in to the wild, when they do thousands of cars will be vulnerable. By releasing the exploit now VW would be forced in to fixing it, but they choose to cover it up and leave people vulnerable just so they don't lose money. I'm sure VW will already be planing Excuses and T&C modifications to cover themselves.

Link to comment
Share on other sites

One could say the same in regard to publishing nefarious information about lots of hardware just browse you-tube for lock picking or getting into a hotel safe or through their card lock doors and you get the drift.Just because you make a lock system doesn't I think ,make it right that the security behind the device cannot be publicly posted.

Link to comment
Share on other sites

This topic is now closed to further replies.
  • Recently Browsing   0 members

    • No registered users viewing this page.