UK court sides with Volkswagen on security concerns over key pairing

By V-Tech
in Back Page News

 Share

Recommended Posts

Grand Master

V-Tech

Posted
Posted

porsche-keys.jpg

 

Giovanni Ribisi had better hope he doesn't botch a job anytime soon. Flavio Garcia from the University of Birmingham cracked the security system that pairs an owner's key to their Porsche, Lamborghini or Audi, and Volkswagen's parent company wants that research to remain unpublished. The UK's high court sided with VW's owner and granted an injunction protecting the Megamos Crypto system. Afterward, Garcia was offered to print his findings, but without the all-important decryption codes. He refused, saying that the public has a right to see the holes in the systems it relies on and that this wasn't an attempt to give criminals a hand in boosting cars. While the court's logic is sound -- once revealed, all manner of "if this ever fell into the wrong hands" situations could arise -- it's unsettling to see government bend to corporate request. At least we know Eleanor can sit in the garage for just a little longer now.

 

 

http://www.engadget.com/2013/07/29/uk-court-volkswagen-megamos-crypto/

Grand Master

XerXis

Posted
Posted

1) government =/= justice system, in fact, they should be two completely different entities, so saying that the government bends to corporate request because of the decision of a Judge is kind of stupid

2) the decision is completely logical, I really don't see this as censoring just because a company wants to have something censored. Releasing those decryption codes would make it somewhat too easy for the criminals to make their own keys

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Grand Master

FloatingFatMan

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Enthusiast

Poof

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

Grand Master

FloatingFatMan

Posted
Posted

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

 

Actually, no... they wouldn't have had to recall anything.  This "researcher" found a flaw which cannot be exploited remotely, so there would be no need to recall anything.  Also, car manufacturers only recall cars when there are actual design faults which affect safety; this doesn't come under that heading at all.

Grand Master

articuno1au

Posted
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

Grand Master

FloatingFatMan

Posted
Posted

So? It's still not information which the public "needs to know", so attempting to release it into the wild, especially knowing full well that it's NOT fixed, is completely irresponsible.

 

Would you like it if someone released information on how to hack YOUR car into the public?

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

 

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

Grand Master

articuno1au

Posted
Posted

They offered to remove the segments that would allow the hack to be reproduced.

 

VW choosing not to pursue a fix is irresponsible. Obscurity doesn't provide security. If these gentlemen could generate the exploit, other people with lesser morals can.

 

Keeping the exploit secret doesn't protect people; releasing it would force VW to actually fix the issue (which is doable via a key recode).

 

Would I like it if it was my car? No. Do I think it's necessary despite it being a pain in the arse? Damn straight I do

Grand Master

articuno1au

Posted
Posted

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

Grand Master

Sir Topham Hatt

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Grand Master

articuno1au

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Indeed.

 

The answer to the latter is that creating secure systems is the exact opposite process of assessing them.

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

 

That's great - if you have your car serviced at a main dealer. What % of people do that? Considering the prices they charge, not many.

 

So - VW could send a mailshot. Cool. Except - what about people that bought the car used? How to they get contacted. He has contacted VW - they do know how it was defeated. And how do you know car manufacturers don't share security information (which it's in all of their interests to do)?

Grand Master

articuno1au

Posted
Posted

Everyone, because it's a manufacturer fault. It will be covered by VW.

 

Your position on this plays into my stance. My point is that you must publish the information publicly, otherwise people who have a second hand car have no chance of finding out about the issue. You can publish without details of how to exploit the issue and people can get their cars looked into. This is what VW has chosen to block. If you read into this, you will the researchers offered to publish without including the key codes or details about the exploits execution. VW filed for an injunction regardless.

 

To answer your final point: given VW is approaching this as security through obscurity, I'd suggest that they aren't sharing.. Not very obscure if you share how you do it.

 

The basic principles of cryptography are well known. Something VW is doing isn't in line with best practices, that's how it got cracked.

 

Even if you want to suggest VW isn't doing the wrong thing; your original stance that this is hackers claiming to be researchers is completely untenable.

Grand Master

exotoxic

Posted
Posted

They should be recalling cars NOW and fitting a new version. We now know its possible to crack so someone somewhere is working on it right now and they WILL release it in to the wild, when they do thousands of cars will be vulnerable. By releasing the exploit now VW would be forced in to fixing it, but they choose to cover it up and leave people vulnerable just so they don't lose money. I'm sure VW will already be planing Excuses and T&C modifications to cover themselves.

Grand Master

Arachno 1D

Posted
Posted

One could say the same in regard to publishing nefarious information about lots of hardware just browse you-tube for lock picking or getting into a hotel safe or through their card lock doors and you get the drift.Just because you make a lock system doesn't I think ,make it right that the security behind the device cannot be publicly posted.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Game I've been Working On

      By Circaflex · Posted

      This looks awesome, I will request access via Steam later this afternoon!
    • How do you future-proof a home or small office network?

      By Circaflex · Posted

      Personally, I’ve found that it’s usually worth investing in the infrastructure you don’t want to replace later, especially cabling. Running Cat6A (or better, depending on your needs) during an upgrade is relatively inexpensive compared to having to re-cable a few years down the road. For switches I try to balance current specs with realistic growth. If my budget allows it Ill choose switches with higher uplink speeds which leaves room for expanding later on, but I don’t necessarily overspend on access ports if the endpoints won’t benefit from them anytime soon. One lesson I’ve learned is that planning for scalability pays off. It’s much easier to add devices, VLANs, or higher-bandwidth workloads when your network infrastructure already supports it than to replace hardware later.  What is your budget like?
    • How do you future-proof a home or small office network?

      By Nick H. · Posted

      I hate the term, "future-proof." We saw it back in the 90's / 2000's, if not before. You cannot future-proof anything, since there is no definition of how far into the future you plan on prepping for. Best idea is to tell us what you currently have and what its use is at the moment, and we can then offer ideas about some areas that might need an upgrade and other areas that can be left alone.
    • Celebrating Windows XP's 25th anniversary this year

      By Nick H. · Posted

      I can agree that it is being used in a small capacity. I worked for a company where their engineers still used XP, and when asked why it was because their sensor software wasn't compatible with newer operating systems and the software was discontinued so they couldn't upgrade the software. Given that the sensors were still in use by companies, they had to continue using XP to support the sensor, otherwise the price to the company would have gone into the millions or billions. Our response was simple: Ok, you can keep the XP machine. But we're removing it from the network. "But then it can't access the Internet or folder shares!" Yup, kinda the point. If someone wants to continue using an unsecure OS they can do, I have no problem with that. But it should be isolated. Simple. I had a fight with a guy in the engineering department for weeks before he finally relented. But we digress.   What do I plan on doing to commemorate the anniversary? Nothing. I have fond memories of the OS, but at the end of the day it's just an OS. If I had some time I might see if I could install it on my Raspberry Pi for a laugh. But my reflex memory with today's OS ideas would probably get me frustrated and I'd uninstall it after 5 mins.
    • Shutter Encoder 20.2

      By Copernic · Posted

      Shutter Encoder 20.2 by Razvan Serea Shutter Encoder is one of the best video converter software and image, audio available today. It has been designed by video editors in order to be as accessible and efficient as possible. It is one of the few free professional tools. Based on FFmpeg, it has the largest codec library available. You can thus convert your files into many different formats. Complete settings for the most advanced Shutter Encoder has a panel containing a large number of settings, in order to define your own choices based on your files and perfect your video or audio output. Well-thought-out settings, with parameters predefined to create files quickly and easily. List of functions Without conversion: Cut without re-encoding, Replace audio, Rewrap, Conform, Merge, Extract, Subtitling, Video inserts Sound conversions: WAV, AIFF, FLAC, MP3, AAC, AC3, OPUS, OGG Editing codecs: DNxHD, DNxHR, Apple ProRes, QT Animation, GoPro CineForm, Uncompressed YUV Output codecs: H.264, H.265, VP9, AV1, OGV Broadcast codecs XDCAM HD422, AVC-Intra 100, XAVC, HAP....and much more. Shutter Encoder 20.2 changelog: Added "Intel Quick Sync" hardware acceleration for Linux Added 'Identify speakers' option for "Audio transcription" function Improved installer package Improved video player performance Improved timecode display with drop-frame videos Improved naming convention for surround audio files Fixed splash screen freeze Fixed bug with file hanging Fixed bugs with presets loading Fixed bugs with video player's buffer Fixed bug with 'Total length of file' option Fixed bugs with 'Record screen/device' option Fixed bug with "XAVC" & "XAVC Long GOP" functions Rollback to XPDF tool for PDF conversion Removed unused binary architecture for Mac Various corrections Various improvements Download: Shutter Encoder 20.2 | 166.0 MB (Open Source) Download: Shutter Encoder Portable | 185.0 MB Links: Shutter Encoder Home Page | FAQ / Tips | macOS | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware

  • Recent Achievements

    • Reacting Well
      NovaEdgeX earned a badge
      Reacting Well
    • Week One Done
      NovaEdgeX earned a badge
      Week One Done
    • One Year In
      BA the Curmudgeon earned a badge
      One Year In
    • Conversation Starter
      rosiecharles earned a badge
      Conversation Starter
    • First Post
      KMilenkoski1202 earned a badge
      First Post

  • Popular Contributors

    1. 1
      +primortal
      534
    2. 2
      +Edouard
      265
    3. 3
      PsYcHoKiLLa
      152
    4. 4
      Steven P.
      99
    5. 5
      macoman
      66
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!