Court blocks scientists from revealing hack for millions of car keys

[Hum]

A group of scientists based in Britain and the Netherlands has cracked the algorithms used in keys to start Porsches, Audis, Bentleys and Lamborghinis. The scientists had planned on revealing their findings in an academic paper, but a British high court banned them from doing so for now, citing the danger of gifting such information to car hackers and thieves.

Flavio Garcia is a lecturer in computer science at the University of Birmingham, and, along with his colleagues Baris Ege and Roel Verdult from the Stichting Katholieke University in the Netherlands, dissected the codes that the keys transmit to the vehicle for unlocking and starting. The cars in question all belong to the Volkswagen, and it was VW that pleaded with the courts to block the planned unveiling of the findings at a seminar in Washington, D.C., in August.

The scientists say they aim to improve safety for everyone, uncovering existing weaknesses and sharing them with the public in an effort to drive more secure systems. The Guardian reports that during proceedings in court, it emerged that the software behind the code has been available online since 2009.

more

[FloatingFatMan]

Tut tut, Hum. You know about searching first! :p

 

https://www.neowin.net/forum/topic/1167421-uk-court-sides-with-volkswagen-on-security-concerns-over-key-pairing/

[Gary2MBz]

Anything for the F10 BMW 5 series? They also had a guy somewhere on Forbes manipulating a Prius using a MacBook Pro and they had a video of it all! :p

 

Edit: Here is that video!

 

[Phouchg]

UK is getting worse and worse... 

 

 

Garcia's treatment is in stark contrast to the laurels being heaped on America's Charlie Miller and Chris Valasek ahead of the upcoming DefCon conference in Las Vegas. Their demonstration of how to interfere with on-board computers was accepted at the Vegas con.

Miller and Valasek connect a laptop to the diagnostic ports of a Prius and a Ford Escape, and from there, show that the laptop can issue instructions to the vehicles' ECU (electronic control unit), including steering, acceleration, braking and the horn.

As part of the leadup to DefCon, snippets of their work are getting previewed left right and centre, without a lawsuit in sight.

Even though the pair promise to release their source code after DefCon, they have a key advantage over Garcia: America's First Amendment. The fact that their work was funded by DARPA doesn't hurt, especially since Miller told the BBC the work involved destroying a few cars.

 

More (El Reg)

[Growled Member]

Why would you even want to make something like this known?

[Defiantly]

"Scientists"  LOL.

[Yusuf M. Veteran]

"Scientists"  LOL.

They're the ones that cracked it. What would you prefer to call them?

[Defiantly]

They're the ones that cracked it. What would you prefer to call them?

I dunno, but the words "Science" and "Scientist" are thrown around awful lightly these days.

[Phouchg]

Why would you even want to make something like this known?

 

Because it's shoddily implemented. I quote:

"to improve safety for everyone, uncovering existing weaknesses and sharing them with the public in an effort to drive more secure systems"

 

Yes, these are actual scientists at work. Computer security is science that requires chess grandmaster thinking, command of applied mathematics, electronics, physics and generally actually know how a modern computer works. And additionally, it's an art form. Most snobby-yuppie programmistas these days don't have a clue of any of these.

[Growled Member]

Because it's shoddily implemented. I quote:

"to improve safety for everyone, uncovering existing weaknesses and sharing them with the public in an effort to drive more secure systems"

 

May be, but it seems criminal to me to release such information. 

[LaP]

So those companies prefered to give money to lawyers instead of paying those guys to keep the secret?

[Phouchg]

You reap what you sow. It's way beyond time for computer software companies to get acquainted with the long lost principle called responsibility. If you build a house and it collapses or burns down killing people or destroying property, builders are blamed, architect is blamed, building company is sued out of pants, forensics examine proper use of materials and practices. With computer security mishaps there's no such thing whatsoever. It has gone out of hand. It's always at best an open beta, but (unlike network connected PCs, consoles, phones) car systems cannot even get updates (and dog save us from fully Internet capable and connected systems, I suspect some of them already are, but I wouldn't know).

 

NIST actually endorses cracking AES and SHA, which are used... well, everywhere, it's a standard. Nobody has succeeded despite the whole world's best attempts. The problem with VW is likely that funny guys invented their own cheap algos, didn't let anybody test them, because, you see, who'll notice, right? Wrong.

[Noir Angel]

I support this move. Within a few seconds of the video hitting youtube you'd get thousands of pikeys trying to do it. Responsible disclosure of vulnerabilities is important IMO