UK court sides with Volkswagen on security concerns over key pairing

By V-Tech
in Back Page News

 Share

Recommended Posts

Grand Master

V-Tech

Posted
Posted

porsche-keys.jpg

 

Giovanni Ribisi had better hope he doesn't botch a job anytime soon. Flavio Garcia from the University of Birmingham cracked the security system that pairs an owner's key to their Porsche, Lamborghini or Audi, and Volkswagen's parent company wants that research to remain unpublished. The UK's high court sided with VW's owner and granted an injunction protecting the Megamos Crypto system. Afterward, Garcia was offered to print his findings, but without the all-important decryption codes. He refused, saying that the public has a right to see the holes in the systems it relies on and that this wasn't an attempt to give criminals a hand in boosting cars. While the court's logic is sound -- once revealed, all manner of "if this ever fell into the wrong hands" situations could arise -- it's unsettling to see government bend to corporate request. At least we know Eleanor can sit in the garage for just a little longer now.

 

 

http://www.engadget.com/2013/07/29/uk-court-volkswagen-megamos-crypto/

Grand Master

XerXis

Posted
Posted

1) government =/= justice system, in fact, they should be two completely different entities, so saying that the government bends to corporate request because of the decision of a Judge is kind of stupid

2) the decision is completely logical, I really don't see this as censoring just because a company wants to have something censored. Releasing those decryption codes would make it somewhat too easy for the criminals to make their own keys

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Grand Master

FloatingFatMan

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Enthusiast

Poof

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

Grand Master

FloatingFatMan

Posted
Posted

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

 

Actually, no... they wouldn't have had to recall anything.  This "researcher" found a flaw which cannot be exploited remotely, so there would be no need to recall anything.  Also, car manufacturers only recall cars when there are actual design faults which affect safety; this doesn't come under that heading at all.

Grand Master

articuno1au

Posted
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

Grand Master

FloatingFatMan

Posted
Posted

So? It's still not information which the public "needs to know", so attempting to release it into the wild, especially knowing full well that it's NOT fixed, is completely irresponsible.

 

Would you like it if someone released information on how to hack YOUR car into the public?

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

 

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

Grand Master

articuno1au

Posted
Posted

They offered to remove the segments that would allow the hack to be reproduced.

 

VW choosing not to pursue a fix is irresponsible. Obscurity doesn't provide security. If these gentlemen could generate the exploit, other people with lesser morals can.

 

Keeping the exploit secret doesn't protect people; releasing it would force VW to actually fix the issue (which is doable via a key recode).

 

Would I like it if it was my car? No. Do I think it's necessary despite it being a pain in the arse? Damn straight I do

Grand Master

articuno1au

Posted
Posted

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

Grand Master

Sir Topham Hatt

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Grand Master

articuno1au

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Indeed.

 

The answer to the latter is that creating secure systems is the exact opposite process of assessing them.

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

 

That's great - if you have your car serviced at a main dealer. What % of people do that? Considering the prices they charge, not many.

 

So - VW could send a mailshot. Cool. Except - what about people that bought the car used? How to they get contacted. He has contacted VW - they do know how it was defeated. And how do you know car manufacturers don't share security information (which it's in all of their interests to do)?

Grand Master

articuno1au

Posted
Posted

Everyone, because it's a manufacturer fault. It will be covered by VW.

 

Your position on this plays into my stance. My point is that you must publish the information publicly, otherwise people who have a second hand car have no chance of finding out about the issue. You can publish without details of how to exploit the issue and people can get their cars looked into. This is what VW has chosen to block. If you read into this, you will the researchers offered to publish without including the key codes or details about the exploits execution. VW filed for an injunction regardless.

 

To answer your final point: given VW is approaching this as security through obscurity, I'd suggest that they aren't sharing.. Not very obscure if you share how you do it.

 

The basic principles of cryptography are well known. Something VW is doing isn't in line with best practices, that's how it got cracked.

 

Even if you want to suggest VW isn't doing the wrong thing; your original stance that this is hackers claiming to be researchers is completely untenable.

Grand Master

exotoxic

Posted
Posted

They should be recalling cars NOW and fitting a new version. We now know its possible to crack so someone somewhere is working on it right now and they WILL release it in to the wild, when they do thousands of cars will be vulnerable. By releasing the exploit now VW would be forced in to fixing it, but they choose to cover it up and leave people vulnerable just so they don't lose money. I'm sure VW will already be planing Excuses and T&C modifications to cover themselves.

Grand Master

Arachno 1D

Posted
Posted

One could say the same in regard to publishing nefarious information about lots of hardware just browse you-tube for lock picking or getting into a hotel safe or through their card lock doors and you get the drift.Just because you make a lock system doesn't I think ,make it right that the security behind the device cannot be publicly posted.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • The official Funny Pictures thread

      By Steven P. · Posted

    • Celebrating Windows XP's 25th anniversary this year

      By carols23 · Posted

      If I could, I would commemorate it the best way possible: Replacing old machines that are still running Windows XP with something more modern, stable and better.     Noone and nothing should be running Windows XP in 2026.
    • Google's new hand-wave reCAPTCHA can be bypassed with a stock photo

      By Ivan Jenic · Posted

      Google's new hand-wave reCAPTCHA can be bypassed with a stock photo by Ivan Jenic Image: Screenshot Google is testing a new reCAPTCHA method that asks you to wave at your camera to prove you're human. So, besides solving puzzles and reading distorted text, you can now use your computer’s camera to pass the verification test. When the hand gesture verification is triggered, your browser asks for camera access and prompts you to perform a simple gesture, like a wave or an open palm. Google says it records a short video of the movement and uses AI to extract 21 hand-knuckle coordinates to complete the verification process. The video is then immediately deleted, and Google swears it doesn't keep it. The process alone can be uncomfortable for people who wouldn’t want their biometric data, which hand scans technically qualify as, recorded. But it gets even more nuanced, as early testers discovered that the new hand-waving reCAPTCHA can be passed with a simple stock image. A user on X tested the new challenge using a stock image of a hand fed through OBS Virtual Camera, and it passed. I wanted to verify it, so I tried the same thing. It took me a few tries and a few stock images, but in the end, I was also able to pass the test. I simply had to readjust the stock image of a generic person waving inside OBS, and Google’s mechanism registered it as a legitimate hand gesture. Once again, it didn’t even have to be a video or an AI-generated hand animation. Given the simplicity of the process, the entire action can be automated in minutes. All it takes is a simple Python script to render the new reCAPTCHA method obsolete. And it doesn’t even have to be an AI bot, which is usually used for solving puzzles and other verification methods. The new reCAPTCHA method is still in its early phase, and Google will, hopefully, update its AI to at least reject still images. However, this incident, combined with users’ initial skepticism about Google’s practices regarding user data, likely won’t make too many people wave at the camera anytime soon.
    • Why it's almost impossible to produce a smartphone in the United States

      By monterxz · Posted

      🤣🤣🤣🤣🤣 "to fund healthcare and tuition" 🤣🤣🤣🤣 Who do you think you are talking about, some COMMUNIST? We are better than them, doG bless Murica!!! p.s. I'm from a country where government does exactly that, i.e. not form US.
    • Microsoft Edge gets tons of security features, including AI model that can see your screen

      By ad47uk · Posted

      Apparently not. I know it is on Edge for business at the moment, but how long will it be before it become on the home version of Edge?

  • Recent Achievements

    • First Post
      carols23 earned a badge
      First Post
    • One Month Later
      Tom Willson earned a badge
      One Month Later
    • Apprentice
      Asgardi went up a rank
      Apprentice
    • One Month Later
      sunrisea2milk earned a badge
      One Month Later
    • Week One Done
      sunrisea2milk earned a badge
      Week One Done

  • Popular Contributors

    1. 1
      +primortal
      495
    2. 2
      +Edouard
      262
    3. 3
      PsYcHoKiLLa
      151
    4. 4
      Steven P.
      92
    5. 5
      macoman
      67
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!