UK court sides with Volkswagen on security concerns over key pairing

By V-Tech
in Back Page News

 Share

Recommended Posts

Grand Master

V-Tech

Posted
Posted

porsche-keys.jpg

 

Giovanni Ribisi had better hope he doesn't botch a job anytime soon. Flavio Garcia from the University of Birmingham cracked the security system that pairs an owner's key to their Porsche, Lamborghini or Audi, and Volkswagen's parent company wants that research to remain unpublished. The UK's high court sided with VW's owner and granted an injunction protecting the Megamos Crypto system. Afterward, Garcia was offered to print his findings, but without the all-important decryption codes. He refused, saying that the public has a right to see the holes in the systems it relies on and that this wasn't an attempt to give criminals a hand in boosting cars. While the court's logic is sound -- once revealed, all manner of "if this ever fell into the wrong hands" situations could arise -- it's unsettling to see government bend to corporate request. At least we know Eleanor can sit in the garage for just a little longer now.

 

 

http://www.engadget.com/2013/07/29/uk-court-volkswagen-megamos-crypto/

Grand Master

XerXis

Posted
Posted

1) government =/= justice system, in fact, they should be two completely different entities, so saying that the government bends to corporate request because of the decision of a Judge is kind of stupid

2) the decision is completely logical, I really don't see this as censoring just because a company wants to have something censored. Releasing those decryption codes would make it somewhat too easy for the criminals to make their own keys

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Grand Master

FloatingFatMan

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Enthusiast

Poof

Posted
Posted

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

Grand Master

FloatingFatMan

Posted
Posted

The researcher is in the right. With this court order you WON'T see a recall of the cars with this security system. If the information would actually be released then the car manufacturers would have to issue a recall to reprogram the systems.

 

If they can figure out how to do it then anybody can do it, it's not as if car thieves are all stupid, they have their own research teams.

 

Actually, no... they wouldn't have had to recall anything.  This "researcher" found a flaw which cannot be exploited remotely, so there would be no need to recall anything.  Also, car manufacturers only recall cars when there are actual design faults which affect safety; this doesn't come under that heading at all.

Grand Master

articuno1au

Posted
Posted

It's not a "corporate request" so to speak. If it got out, thousands of cars would be much more easily stolen, with potentially no way to patch them.

 

I agree with the court on this. It kinda annoys me how hackers these days call themselves "researchers" and then think that the public has a right to their "research".  No, you're a "hacker", and nobody has any right to see your "crack".

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Absolutely the right decision IMO. This "researcher" is clearly an ass who just wanted to make a name for himself.  It's absolutely irresponsible to release this information to the public; all it will do is facilitate car theft as VW have no practical way of updating the software in the cars.

 

He should have just contacted VW and tried to work with them on improving security, not wave his epeen at them.  The public does not need to know this information.

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

Grand Master

FloatingFatMan

Posted
Posted

So? It's still not information which the public "needs to know", so attempting to release it into the wild, especially knowing full well that it's NOT fixed, is completely irresponsible.

 

Would you like it if someone released information on how to hack YOUR car into the public?

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

 

Except that the researchers are university researchers from the school of information security at the university. They do this professionally with ethical oversight and peer review (they'd already sought and achieved reviewed status).

 

Clearly haven't read into this properly. They contacted VW 9 months previously and gave them full details of the exploit.

 

On top of this, they asked for VW to ok the release of the work once they had a chance to fix it. VW chose not to respond but rather filed for an injunction.

 

This kind of research is important. Arm chair lawyers like you guys need to do more reading before making judgements like this.

 

EDIT::

It's also worth noting that the research they did was from a leaked copy of the software used to determine codes for the cars. That was already out there and remains on the internet.

 

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

Grand Master

articuno1au

Posted
Posted

They offered to remove the segments that would allow the hack to be reproduced.

 

VW choosing not to pursue a fix is irresponsible. Obscurity doesn't provide security. If these gentlemen could generate the exploit, other people with lesser morals can.

 

Keeping the exploit secret doesn't protect people; releasing it would force VW to actually fix the issue (which is doable via a key recode).

 

Would I like it if it was my car? No. Do I think it's necessary despite it being a pain in the arse? Damn straight I do

Grand Master

articuno1au

Posted
Posted

So what exactly would VW do if the exploit was made public? Recall EVERY single car? Even if they did - only a small percent of customers would do anything about it.

 

Genuine security researchers aren't in the business of making exploits which could harm members of the public, public. Just because they work for a university, doesn't mean they don't have any malicious ideas.

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

Grand Master

Sir Topham Hatt

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Grand Master

articuno1au

Posted
Posted

The problem is, no system will be completely un-hackable.

If you stare enough at the same data, you will make patterns out of it.  Just like hacking, the more you try to crack something, the shorter the time of the crack will be.

 

Why these companies don't take on the "hacker" to produce the next "secure" system, I don't know.

Indeed.

 

The answer to the latter is that creating secure systems is the exact opposite process of assessing them.

Grand Master

Brian M. Veteran

Posted
  • Veteran
Posted

On that basis any security researcher who identifies a bug and publishes the research is malicious.

 

The re-key can be done in about an hour during a regular service. That would cover the vast majority of people.

 

In the meantime, whilst this information is not out in the public, other manufacturers are not aware of how the system was defeated (and thus how to improve their systems or even whether their systems are still secured) and people aren't aware that their cars can be accessed illegally.

 

There's a plethora of good reasons to release information that could be detrimental to the public. The balance that must be struck is whether keeping it private exposes people to greater risk. If VW didn't have a reason to change their key coding system, what do you reckon the chances that they would are?

 

For the record, the software is that was used to derive this attack is still online (as was noted in the court case). People are still vulnerable, only unknowingly so now.

 

That's great - if you have your car serviced at a main dealer. What % of people do that? Considering the prices they charge, not many.

 

So - VW could send a mailshot. Cool. Except - what about people that bought the car used? How to they get contacted. He has contacted VW - they do know how it was defeated. And how do you know car manufacturers don't share security information (which it's in all of their interests to do)?

Grand Master

articuno1au

Posted
Posted

Everyone, because it's a manufacturer fault. It will be covered by VW.

 

Your position on this plays into my stance. My point is that you must publish the information publicly, otherwise people who have a second hand car have no chance of finding out about the issue. You can publish without details of how to exploit the issue and people can get their cars looked into. This is what VW has chosen to block. If you read into this, you will the researchers offered to publish without including the key codes or details about the exploits execution. VW filed for an injunction regardless.

 

To answer your final point: given VW is approaching this as security through obscurity, I'd suggest that they aren't sharing.. Not very obscure if you share how you do it.

 

The basic principles of cryptography are well known. Something VW is doing isn't in line with best practices, that's how it got cracked.

 

Even if you want to suggest VW isn't doing the wrong thing; your original stance that this is hackers claiming to be researchers is completely untenable.

Grand Master

exotoxic

Posted
Posted

They should be recalling cars NOW and fitting a new version. We now know its possible to crack so someone somewhere is working on it right now and they WILL release it in to the wild, when they do thousands of cars will be vulnerable. By releasing the exploit now VW would be forced in to fixing it, but they choose to cover it up and leave people vulnerable just so they don't lose money. I'm sure VW will already be planing Excuses and T&C modifications to cover themselves.

Grand Master

Arachno 1D

Posted
Posted

One could say the same in regard to publishing nefarious information about lots of hardware just browse you-tube for lock picking or getting into a hotel safe or through their card lock doors and you get the drift.Just because you make a lock system doesn't I think ,make it right that the security behind the device cannot be publicly posted.

This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Linux 7.2's first release candidate gets off to a good start

      By zikalify · Posted

      Linux 7.2's first release candidate gets off to a good start by Paul Hill Credit: Larry Ewing It has been a few weeks since the release of Linux 7.1, and in that time, the Linux 7.2 merge window has been open, where developers can submit their features and patches ready for the upcoming release. That window is now shut, and the release candidate phase has begun so that new features can be tested and further fixes applied. According to the founder of Linux, Linus Torvalds, this week’s release candidate looks “reasonably normal”. Although we are super early in the release candidates, this is a good sign as it makes it more likely that an eighth release candidate will not be needed. Torvalds even mentioned that the update’s stats are only larger than they really are because there was another AMD header drop with a third of the patch just being AMD GPU register definitions, which aren’t big changes but make the code contributed look larger overall. In addition to this, he noted that just over half the patch is drivers, even when excluding the AMD register dump. The rest of the changes are spread out over architecture updates, tooling, documentation, and core kernel updates. In the next week, Torvalds says that he will be chilling out, taking the week “mostly off”. Despite this, he will be reading emails and keeping up with things, so if he is slow responding, now you know why. He said he is hoping for a calm week, but we will just have to see if the second release candidate is actually like that. We should expect seven or eight release candidates before Linux 7.2 is released, so expect it around the end of August. If you missed it a few weeks ago, be sure to check out our coverage of Linux 7.1's release.
    • Why it's almost impossible to produce a smartphone in the United States

      By Asgardi · Posted

      Ridiculous claim that the labor cost difference of $6000 annually would increase cost per phone by $200. The employees produce 3 phones per month or what?
    • Sparkle 2.20.1

      By Copernic · Posted

      Sparkle 2.20.1 by Razvan Serea Sparkle is a free, open-source Windows optimization tool designed to make your PC faster, cleaner, and more private. With Sparkle, you can easily debloat Windows by removing unnecessary apps and services, disable Microsoft tracking to enhance privacy, and apply performance tweaks to boost speed. Its cleaner removes junk and temporary files, while every change is safe and fully reversible. Sparkle also features a modern, user-friendly interface with automatic updates, making system maintenance simple. Explore over 39 tweaks, from disabling telemetry and hibernation to optimizing network and game settings, all aimed at customizing and enhancing your Windows experience. Sparkle supports Windows 10 and 11. Sparkle 2.20.1 changelog: You can now change the Animation Direction from Up, Left, or Off. Added configurable animation direction (Up, Left, Off) for improved accessibility Added TTL caching to the system info backend Refactored tweak application flow to await NvidiaProfileInspector Improved IPC listener cleanup to correctly remove specific listeners Fixed online status not updating after successful network requests Updated system info tests to support backend caching Removed electron-toolkit utils dependency in favor of internal is.dev helper Fixed unwanted files and folders being included in application bundles Download: Sparkle 2.20.1 | Portable | ~100.0 MB (Open Source) Links: Sparkle Website | Github | Screenshot Get alerted to all of our Software updates on Twitter at @NeowinSoftware
    • The best controller for XBOX and PC is down to the lowest price

      By Figure 8 Dash · Posted

      Never used the G7 Pro, but I've never had a good experience with that style of d-pad and fighting games.
    • Sihoo Doro C300 Pro V2 Ergonomic Office Chair review: The Ikea of chairs

      By Figure 8 Dash · Posted

      And I just bought a seat cushion for my mesh chair. The chair feels nice but the first time I sat in it with boxers, I realized I don't like the feel of mesh on my legs. 😂

  • Recent Achievements

    • One Month Later
      JKR earned a badge
      One Month Later
    • Dedicated
      Asgardi earned a badge
      Dedicated
    • Conversation Starter
      jessse3334 earned a badge
      Conversation Starter
    • Reacting Well
      JuvenileDelinquent earned a badge
      Reacting Well
    • One Month Later
      Excellence2025 earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      496
    2. 2
      +Edouard
      247
    3. 3
      PsYcHoKiLLa
      154
    4. 4
      Steven P.
      86
    5. 5
      macoman
      65
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!