English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."

that settles it

[frovingslosh]

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

Re:that settles it

[gmuslera]

And the manufacturers won't have to worry about fixing that vulnerability for long time (or do a fake, incomplete, not certifiable, or open to even more vulnerabilities fix)

Re:that settles it

[gagol]

Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer have an incentive to ACTUALLY FIX the problem.

Re:that settles it

[mlts]

Even if the car maker can't/won't fix it, at least I know what it is so I can make a workaround, such as adding a relay to the circuit with the transponder antenna which would deny access to all keys, even valid ones, unless the switch is found.

Re:that settles it

If the court wants to order something hidden from public, they should ban such stupid shit from being installed in the first place. What you bet there are a lot of "hackers" out there watching and waiting automotive automation to "advance" far enough for them to get the chance to play GTA with other peoples cars? Don't forget, that will inherently be a much smaller number then the "crackers" who are waiting, watching, and drooling. And they get to play with the lights too! Guess when they done with them you can drill them full of holes, fill them full of concrete and dump them in the Mariana Trench. After all, that is as close as you can get their system to "secure" right?

Re:that settles it

[bill_mcgonigle]

It sure is a good thing that England controls the entire Internet

Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

Re: that settles it

[Hamfist]

And I'm not even sure about that one...

Re:that settles it

[meerling]

I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

Re:that settles it

[hutsell]

Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

Re:that settles it

[EmperorArthur]

Now here's a thought.

Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

Re:that settles it

[gadget+junkie]

Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

It can only be temporary. Cat's out of the bag anyway, and while they are banned to publish the details, any "Yep. still there" six months of now would pit owners and insurance companied vs manufacturers, with manufacturers losing for having known, and not acted upon, a problem with their car.

Re:that settles it

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

In real life, the powers that be want the guy muzzled.

The lesson learned is to do one of three things if finding an exploit:

1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

Re:that settles it

[sabri]

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

Yeah, next thing you know they'll be banning porn!

Re:that settles it

[Opportunist]

Not only that, but to have a claim against insurance when (not if) this blows.

It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

It is VITAL that not only manufacturers but also insurances get this information!

Re:that settles it

[fustakrakich]

I guess they won't be going through Heathrow.

The US is hardly a safe haven.. I believe a place like Iceland would be the safest for these kinds of gatherings..

Re:that settles it

Tor masterminds R. Dingledine and J. Appelbaum lecture @ the Technical University of Munich about Tor, government surveillance, free software, and why Windows isn't suited for privacy software and shouldn't be used.

https://gnunet.org/tor2013tum-video

Re:that settles it

So they rolled their own encryption system I guess.
Knowing the algorithm shouldn't allow you to be verified.

Re:that settles it

[91degrees]

Where are the other people going to get the information from if the people who created it can't publish it?

Re: that settles it

The UK, Germany and the Netherlands are all in the EU.

Re:that settles it

[Chrisq]

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

I think this is the real reason behind Cameron's porn block. He starts off talking about porn but then when discussing details its suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't here

Re:that settles it

find you local friendly radio ham put a carrier out on 432.920 kills all imobilisers instantly also makes for good fun in car parks squirt of carrier ( on a ham frequency) and the donkeys are wondering why their bollocks wagon or blackmans wheels or jercedes wont unlokck or lock ....

Re:that settles it

[Chrisq]

I guess they won't be going through Heathrow.

The US is hardly a safe haven.. I believe a place like Iceland would be the safest for these kinds of gatherings..

I understand there's also a nice hotel in the "flight side" of Moscow airport

Re: that settles it

[gl4ss]

The UK, Germany and the Netherlands are all in the EU.

so what? now, which country does censorship of trivial things like if some footballer had been fucking some girl/dude/whatever? the UK.

UK is of these countries one that pretends you can use courts to decide what people can speak about if they happen to know.

Re:that settles it

[SuricouRaven]

This is for the immobiliser, not the door locks, so you don't need to dabble in the delicate electronics of the engine control or fiddley RF line. Just put your relay in the cable that powers the solonoid coil for the starter (Do cars still use those, or have they gone solid-state now? Same idea) or power line to the ignition.

Re:that settles it

[isorox]

In real life, the powers that be want the guy muzzled.

If the UK they use the courts to block the publication of the paper

In the US they use the CIA to murder the author

Re:that settles it

[jbolden]

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

US Const Am 16: The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.

The constitution is about as non-temporary as you can get.

Re:that settles it

[alexgieg]

US copyrights are supposed to be "temporary".

US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times (...)

The constitution is about as non-temporary as you can get.

Care to explain in which way "limited Times" would be synonymous to "non-temporary" rather than to "temporary"?

Re:that settles it

Probably because "Times" in the context isn't temporal (despite the US law and the international treaties having temporal limits).

Re:that settles it

[jbolden]

The existence of copyright law is meant to be permanent. Copyrights themselves on each particular iten are meant to be of limited duration.

Re:that settles it

Authors are in/from the UK, it's a UK injunction. Unless they take some sort of asylum claim in the US, they're going to be found in contempt of court when they get back - which is never something that ends well.

Actually even if they went it's likely the car makers would get a similar injunction *in* the US by presenting the UK one (there's fairly recent case history on this sort of stuff).

Then again asylum claims for doing stuff you knew up-front was illegal is the thing these days so I guess you never know, right? Just say it's aspergers or something.

Re:that settles it

How fucking dense can you get? Jesus, you're arguing something totally different from the discussion at hand. How the fuck could you even think that was germane to the issue under discussion?

Re:that settles it

[multimediavt]

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

In real life, the powers that be want the guy muzzled.

The lesson learned is to do one of three things if finding an exploit:

1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

You seem to use "anonymous" when referring to accessing the internet and publishing something damning as if it were the same magic spell that idiots use when invoking "encryption" with data protection. There are only a few sources that this info could come from (in most cases) to be seen as credible, and only a few places worthwhile to publish it and have effect. What makes you think the author would remain anonymous for very long? Certainly, not long enough for statues of limitation to run out on any legal offense made.

Re:that settles it

[morcego]

Keeping in mind; temporarily banned.(...)

It can only be temporary. (...)

Yeah, just like the copyright is temporary... What is it these days, 50 years AFTER the death of the creator? I stopped checking because, for all practical purposes, you can just consider it "forever" and it will work...

Re:that settles it

[bill_mcgonigle]

by securing for limited Times to Authors

Once it surpassed the author's death, the farce could no longer be denied. Fortunately for Congress, they're held to the Constitution in less than 1% of cases.

It's funny how some people still pretend it's the controlling law.

Re:that settles it

[hairyfeet]

I hate to say it but this kind of crap is why its stupid to be a white hat. you just watch the car manufacturers won't do a damned thing about this weakness and if he says shit, hell even if he doesn't they will probably sue him for "giving those black hats ideas" which of course they would NEVER have had if it weren't for this guy.

Too many times we have seen those that try to do the right thing in this field told to muzzle it or even having companies go for the classic shoot the messenger, from companies sitting on vulnerabilities long past any reasonable grace period to threats of lawsuits and have you seen ANY of the white hats thanked? Nope they are ALWAYS treated like a douchebag threatening to throw shit at their customers, you always have this "its really your fault you know" kind of vibe to any responses from the corps.

Meanwhile the black hats pay cash, last i heard for a good zero day they'll pay a LOT of cash, so given the choice of muzzling, being told to STFU and sit in a corner for..well whenever the corps get around to fixing it, if at all, and generally being treated like an unwelcome pest or getting paid? Yeah I'm sorry guys but until the bad attitudes and shoot the messenger vibe goes away I'd say you'd have to be nuts to be a white hat. As my grandfather used to say "You say welcome and they'll say mat and walk right over you".

Re:that settles it

[icebike]

From TFA:

the two other authors Roel Verdult and Baris Ege, both of Radboud University Nijmegen are not in or from the UK so it’s not clear to me how effective the injunction would be against them if they opted to defy it.

So it doesn't follow that just because the paper is released that the enjoined person released it. The injunction does not reach to Germany, nor does it reach to the peers in other countries that may have provided peer review.

The fact that the injunction was issued at all speaks to the judge's lack of knowledge as to who Barbra Streisand is, and why she is germane to this issue.

Re:that settles it

[icebike]

Sigh...

Why is it every report of a vulnerability of a system where any form of encryption is used always brings out some know-nothing speculation about rolling their own encryption? Are you sure you don't want to mention Faraday Cages and Gravity Wells while you are at it?

Immobilizers are in the end, a physical system, which can just as easily be bypassed physically, and probably far easier than breaking its encryption.

Re:that settles it

[icebike]

Immobilizers http://en.wikipedia.org/wiki/Immobiliser interrupt two different circuits, typically fuel pumps and low-voltage supply.

So two small jumper clips bypasses the entire system if you know where to put them, and have physical access to the vehicle.

Re:that settles it

[Dyolf+Knip]

Copyrights with a theoretical duration of nearly 2 centuries (max human lifespan plus 70 years) is kinda stretching the definition of the word "temporary".

Re:that settles it

[jbolden]

I agree with you. But GP was saying something about income tax as a temporary measure and that was the context on the copyright post.

Re:that settles it

[SuricouRaven]

These are car thieves we're dealing with. Even if they are knowledgeable enough, they wouldn't want to hang around too long with the bonnet up in case the owner returns. If your car is too hard to steal, they'll just move on to someone else's.

Re:that settles it

[ai4px]

...but it is a living document!

Re:that settles it

I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

The criminals don't want that. Because then they'd have to fix the mistake they made in manufacturing the vehicles...

Re:that settles it

[AdamWill]

Also worth noting the article's "England's highest civil court" probably misleads U.S. readers a bit. You could strictly say it's true, or at least that it's one of the three highest civil courts in England. But cases can usually be appealed from the High Court to the Court of Appeal, and then to the Supreme Court of the UK (formerly a committee of the House of Lords took that role), and then possibly to the EU (seems likely to be at least a possibility in this case). The implication that judgements the High Court makes are essentially final is misleading.

Re:that settles it

[AdamWill]

Because he's responding to someone else who brought up the completely irrelevant comparison in the first place.

Re:that settles it

that's what the AC said: 'US copyrights are supposed to be temporary'.

They haven't been since Disney.

Get moving people...

We know the exploit exists... Now we just need to find it! Again.

too bad we don't use these zero days to take down

too bad we don't use these zero days to take down the shitty system...

Security through obscurity?

[gagol]

I taught this one died 10 years ago...

Re:Security through obscurity?

Security through obscurity will never die, because it can always go hide somewhere and not tell anyone where it has gone.

Re:Security through obscurity?

[Pentium100]

Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot ( there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.

Same thing here - while the system is not as as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.

My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.

Re:Security through obscurity?

Please be more careful with your teachings.

Re:Security through obscurity?

[Opportunist]

It was a stillborn, but be honest, is that the first time people ride dead horses?

Re:Security through obscurity?

[subreality]

A false sense of security can be worse than just having the exploit exposed.

While obscurity will prevent widespread exploits for a while, there are other benefits: I want to be able to assess the risk myself, know how vulnerable my car is, and possibly upgrade the system if I decide it's inadequate.

Re:Security through obscurity?

[fuzzyfuzzyfungus]

I taught this one died 10 years ago...

For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.

Re:Security through obscurity?

[gweihir]

I taught this one died 10 years ago...

It did a lot earlier than that...to anybody that is halfway competent in the area of IT security. These people have just exposed themselves as grossly incompetent and utterly greedy. Just like a lot of other manufacturing industries, they just want to go on selling their defective products for a few more years before they do anything about it which could cause them some reduction in profits.

Re:Security through obscurity?

[gweihir]

Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

I do not agree, and the whole crypto research community and secure software community does not agree either. What you forget is that this is not about physical goods, but software and algorithms. Once created, the product will be made into countless identical copies at basically zero cost per copy. Break one, and you have broken them all. The attack can be copied just as easily.

Your view has been discredited a long time ago. But there are a lot of idiots around that ignore history and established facts and come up with the same faulty view you have time and again. It just seems to be a widespread defect in the human mind.

Re:Security through obscurity?

[gweihir]

Indeed. A false sense of security increases the risk, as then people will implement less risk-mitigation measures.

Re:Security through obscurity?

[tlhIngan]

I taught this one died 10 years ago...

Only if it's the only means of security you have.

If you already have reasonable security measures adding a layer of obscurity can make life a lot simpler.

For example, let's say you have a web application that's properly secured and only for internal use, but available externally because people need access to it. Would you put it on port 80? Or if you can, put it on another port, say 8181? People who need to use it know about it, and even if it's found accidentally, it still is secure. Just you've eliminated 99% of random hacks and other crap that people are using and thus can deal with the actual legitimate hack attacks.

You've "obscured" the actual port, but have actual security behind it. The obscurity just makes it harder to find, but it isn't the sole means of security around.

Or to avoid filling up your SSH logs with invalid access attempts from script kiddies, you could put your secured SSH system on another port, then you can review your authentication logs without the noise of script attacks and see if someone is trying to hack in.

Re:Security through obscurity?

[Pentium100]

So, if the exploit was published, the cars would be more secure than now? I mean before the manufacturers could release a patch and all affected car owners install it.

Yes, if the car manufacturers published the details (schematics and source code) for the system when they created it, someone would have found this vulnerability sooner and (hopefully) would have informed the car manufacturers who then would be able to patch it hopefully before it was installed in a lot of cars.
Publishing the exploit would only help if there was a workaround that was easily done to prevent that exploit. If there is no way to secure the system without the (currently non-existant) patch, then releasing the exploit would make it worse as it would be available to more car thieves.

Or, for example, if Sony published the source code etc for PS3 DRM, would it have taken as long to hack it?

Re:Security through obscurity?

Great example! Or not. How on earth did you get votes? A sign saying where to find the key is not security to begin with.

Re:Security through obscurity?

[xenobyte]

Actually security through unique obscurity does work although not very efficiently on its own. This is actually used all the time in the form of hiding the internal structure of a local network for instance. This adds a level of difficulty to any attempt at penetrating as the attackers needs to find out the structure and the components and thus the possible attack vectors. If you for instance need a server to contact your evil server, messing with nameservers are a good idea, but then you need to either modify the configuration of the server (requires root) or poison the nameservers it uses. This requires that you find out how the internal network works - is it plain and simple or does it use a dedicated vlan on a secondary NIC or maybe some NAT remapping? - It might be that you cannot reach the nameserver at all except on port 53 tcp/udp, or that it simply listens for ssh on a completely different IP or network. Here the obscurity clearly helps in making the intruder work a lot harder to get what he/she wants, obviously making some simply give up and move on.

Re:Security through obscurity?

[mattpalmer1086]

Well, I can't say that I speak for the entire crypto and security community, but I do work in the field and I have thought about this a bit.

"No security by obscurity" isn't meant to inform how we approach the entire process of vulnerability disclosure. It just makes the point that relying on obscurity for security will give you no real security. This is what we need people owning, building and maintaining things with security requirements to understand.

When thousands or millions of fielded products are already out there with a vulnerability, then giving the manufacturers time to fix the issue is just responsible disclosure.

Disclosing after some reasonable period of time is also responsible, as an incentive to actually fix it. We take obscurity away after some time, so they can't argue that the obscurity is all their customers need. We don't start with revealing everything when there isn't yet a fix. That makes no one more secure.

Re:Security through obscurity?

[mattpalmer1086]

Sorry, replying to my own post, but I forgot to make the point I wanted to!

Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

It might confer no actual security, but taking the obscurity away straight away will definitely make no-one safer. The possibility exists that some people will be protected by the obscurity, at least in the short term. It just can't be relied upon.

Re:Security through obscurity?

While true I'd argue obscurity does provide a level of security, say your the military and you want to route communications across the globe. If you have a dozen short life satellites in the air, each satellite uses a different communicates technology, frequency range, encryption technology and you switch between satellites at random intervals.

Your adversary now has to have the capability to track all of your satellites (or at least find a few), they then have to work out what frequency range it is working on without you realising and then either listen in on all of your satellites or wait for you to use one they have managed to compromise.
 
Either case you has drastically reduced the number of nations capable of listening in on your communications. Same with this, be delaying the release of the data you has restricted thefts to criminal gangs who had the technological know how to exploit it. That in itself buys time for the car companies to resolve the issue and begin a recall to fix it. Of course if they had properly tested the system in the first place this wouldn't have been an issue.

Re:Security through obscurity?

[gweihir]

It goes the other way round: If the exploit is not published, the security level will eventually sink very low for a very long time. If it is publishes, it is very low for a short time. But that is not the main effect. If the vulnerability is published, future car designs will be made more secure and manufacturers will actually listen to people finding vulnerabilities and be able and willing to do something about the problems.

Looking as a single incident and then at an isolated part of its future is _not_ a valid model of what is going on here. It is one that appeals to people that do not bother to find out how thing work though.

Re:Security through obscurity?

[gweihir]

You model is flawed. True, if that were a single, not important network and the structure were significantly different from other such networks, a temporary positive effect would be observable. But that is not the case. What happens instead is that the attackers adapt and build network mapper tools. They are quire advanced by now, just have a look into the literature. And then things get worse as they would have been without the obscurity: Attackers can easily get all the information they want, while people that do not get it believe their network is still secure as it is supposed to be obscure and hence other security measures are not implemented.

No, security by obscurity does not work. No, really, it does not. Look at the scientific literature. This is _very_ well established, but o takes more than a short-term view to see and that is why most people do not get it.

Re:Security through obscurity?

[gweihir]

If the manufacturers are rational, you are certainly right, and the whole "responsible disclosure" school of thought agrees. The problem is that many people practicing responsible disclosure run into manufacturers that do absolutely nothing in their grace period except preparing to suppress the information. After having been subjected to that or having observed it, it becomes obvious that responsible disclosure does not work with a large part of the industry. As a result, people that want to disclose observe very carefully who welcomes responsible disclosure and who does not. For those that do not, waiting for them to deal with the vulnerability before disclosure becomes impossible or would take far to long, and full disclosure before they are prepared becomes the only option, as they will not prepare at all otherwise. With full disclosure, they at least have to do something instead of hoping the problem will go away...

Re:Security through obscurity?

[gweihir]

Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

I strongly disagree. The problem is that incompetent people (management) routinely misunderstands this and expect that obscurity does give them real and strong security, and hence neglect to implement measures that actually work as they are "not needed" and the expenses can be saved (and funneled into bonuses, for example, or better "performance" numbers). Hence security by obscurity makes you significantly less secure in a very real sense in the typical case. The other thing is that obscurity is _very_ easy to attack, reverse-engineering, spying, bribes, extortion, "venus traps", disgruntled insiders, etc. all work very well and have been perfected over millennia.

So if all you have is obscurity, you better realize the seriousness of your problem and make sure you get something real to protect you asap and make very sure you never end up in this stupid and vulnerable a position again.

Re:Security through obscurity?

[mattpalmer1086]

I think we're actually in violent agreement. I completely agree that obscurity doesn't give you any real security, and yes people need to understand this.

But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerablities immediately before a fix can be prepared does not weaken anyone's security...?

Re:Security through obscurity?

[pakar]

It does work and does help out quite a bit...

If you take 2 products that does the same thing. The product-lifetime is ~3 years and new firmware is required every 3 months for it to continue working.
Product 1 have security features X,Y,Z and use obfuscation to make it extremely hard to actually do reverse-engineering on.
Product 2 have security features X,Y,Z.
(X,Y,Z is the same code implemented on both products)

What product do you think will be first to be attacked? If you make the reverse-engineering for the product hard enough so it will take at least 6 month's it will effectively make the product non-interesting for most attackers... Also adding things that make attacks non-scalable or requires soldering and other physical modifications of the product removes quite a bit of incentive too...

There is a big difference in security and security..... Consumer-products do usually require much less security and instead require mitigation of successful attacks, and if the attack is non-scalable to more than a few devices it is usually accepted as secure enough...

1. Remotely attack a car and disable the brakes.
2. While in the car in the car disable the brakes.
3. While in the car required to unscrew a panel to disable the brakes.
4. Before starting the car open the hood and connect a cable to the computer and then when driving disable the brakes..

The only really bad one here is probably nr 1...

Re:Security through obscurity?

all security is through obscurity

Re:Security through obscurity?

[gweihir]

But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerablities immediately before a fix can be prepared does not weaken anyone's security...?

The problem here is the "reasonable mount of time". Many industry players take that to mean "forever" or "until the next major release or the one after that", and that is just not acceptable in most cases. The thing is that using unsuitable values for "reasonable amount of time" does establish precedent, and any time somebody goes along with such an unsuitable value makes _everything_ that is subject to security flaws less secure. This is about setting standards.

That said, if a vendor truly has problems fixing something fast, they need to explain this very carefully to the people that have found the flaw and present them with a reasonable plan how this is going to be fixed and how their customers will be protected in the meantime. They also need to acknowledge that not publishing such work for a longer time costs the researcher reputation and, for example, involve the researcher in the fix by means of acknowledgement of his/her accomplishment. (No, not "buying them off", recognition is something far more subtle and not a moral problem.) Doing all these things, almost no security researcher would publish prematurely and many will give good input on how to fix the issue and on how to avoid a repetition.

But swinging the big club, characterizing the research as the problem instead of their own screwup is going to accomplish exactly the opposite and deservedly so. Quite often the reasons for this stupid approach will be an internal problem were some manager made the wrong call (often despite evidence that suggests it was the wrong on) and tries to sweep this under the rug.

So yes, temporary obscurity can help if it actually is used to fix the problem in a determined and competent manner. The "determined" and "competent" has to be verifiable for the one that found the flaw. It also helps for a time if the fixing is not done that way, but then it makes the whole culture and practice surrounding this type of issue worse to a degree that the local gain from the specific issue if vastly offset by the global loss.

And yes, I know people that have tried to report vulnerabilities and I have tried doing so myself, only to run into denial, accusations, threats and all the stupid reactions you can imagine, typically because some people wanted to obscure that they messed up. This is the "obscure forever" reaction, no fixing of the problem to be done. And yes, some of these were really critical things. Critical as in if a competent attacker looks, it will be low-effort to find and exploit and the potential damage will be huge. I can very well understand that quite a few security researchers are fed up with this management BS perpetrated by people that do not understand that power comes with responsible and that said researchers are unwilling to continue to go along with it.

Re:Security through obscurity?

Combining real security with obscurity does give you better security.. This is done via making it much harder, or almost impossible, to actually analyze.

Think of encryption.. All it is is basically obfuscation where making the key (or amount of obfuscation) larger and there by making it harder to actually crack it...

Think of these scenarios with an embedded device.
The device has a CPU and starts loading a bootloader at offset 0 of a flash-memory. The CPU is old and only supports a simple md5 checksum check for the bootloader (md5 checksum written to a OTP area in the CPU at the factory). This bootloader in turn loads an image from the flash that it validates via X.509 certificate and then decrypts it with a key stored in the bootloader.

So here we have a few starting points where to attack the device..
- Modify the bootloader and find a md5 collision and you can start loading whatever images you want... Ie system broken...
- Analyze the bootloader and find a flaw in the code that reads the image or that does the signature check...

Now lets take into consideration of what can be done on the device.
The device have a very basic security-system that is not considerd to be secure today. What can be done to improve the security with the limitations we have.

- We came make the bootloader to be several internal stages.
1. stage1 decrypts/unpacks stage2
2. stage2 decrypts/unpacks stage3 (different encryption/obfuscation/packer than stage 1)
3. stage3 checks signature of application images with X509 cert. If all is ok then decrypt/unpack stage 4
4. stage4 decrypts application image with key that was generated during step 1,2,3.
5. stage5, that comes from the application image, does a check of the system (checksums etc of things in ram)
6. stage5 decrypts/unpacks stage 6 from the application image and runs it. (Linux kernel/vxworks etc)

Into this you can throw things like doing a md5 sum's over areas in ram and compare that to values that you checked via a debugger. And if you combine these things so the key's/md5 sums and maybe actual runtime-variables are all used together to find out decryption-keys etc at all the different stages it can be hell to try figure out what is going on...

- The application images can be encrypted with a per CPU unique key when flashed. This can make it very hard to actually get the running code out of the device.
- Doing analyses of the software becomes very hard with multiple stages that more or less generate code into ram and jumps to it, and since things are dependent on checkums of different areas for decrypt-key-generation etc it will be problematic to modify the code-flow while keeping the full system working.

Doing things like this does give you very real security for the system. It buys time, and added time to break into something is also part of security.

Of course, when doing it this way you will have to accept that an attack could be scaled to the whole product-population. But when you have a cost-difference between sticking with the CPU capable of only the md5 checksum and some real security implementation that is too high then you will have to make due with what you have..
And usually if a device will take one man-year or more to crack in a scalable way nobody will actually look at it... Unless some shady people can make money out of it or people can get hurt from the device..

Security cannot be classified in just 2 ways... ( Listing them one by one... I'm not making a statement of what i like or dislike... just listing the ones i think of)
1. Data security - Encryption that can be guaranteed to be secure. Decryption-key is something else...
2. Subscription based security - Ensure that nobody can get access to content without paying you. Mitigate any attacks so if one manages to get it it will not scale to everyone.
3. Office security - Try and make sure it will cost more to

Re:Security through obscurity?

[Miamicanes]

The fundamental problem is that cars are kind of like American Android phones... consumers are mostly powerless to do *anything* to fix vulnerabilities, and carriers won't do anything they aren't forced to do by law. And the law itself is only slightly less castrated and toothless than consumers.

If a car suddenly becomes something you can't safely use (or at least leave unattended in a non-secure location), there's no meaningful immediate recourse for consumers, and that's a real problem with real consequences for real people.

The solution isn't to contact the automakers and keep it a secret... the solution is to quietly meet with representatives from Allstate, Progressive, and State Farm (among others), and demonstrate it to THEM. They're better at getting the attention of Congress and the auto industry, and you can BET they'd be on the ball if they thought there was a vulnerability could leave them on the hook for billions of dollars worth of insurance claims.

Re:Security through obscurity?

[phorm]

Security through obscurity is basically a form of delaying the inevitable. It doesn't prevent a compromise, but it may delay it. STO is best used in conjunction with other, more effective security methods.

Bottle - Genie?

[CoolGopher]

So how is anyone, courts included, meant to unpublish something? Unless a security researcher is saying "in X days I'll release the details on vulnerability Y" how would you even know to get a court injunction against said person? Once the cat is out of the bag, that's it.

Of course, I can then see the "logical" progression that all vulnerability disclosure must be outlawed - think of the children!

Re:Bottle - Genie?

[Trax3001BBS]

So how is anyone, courts included, meant to unpublish something?

It's happened already.

Today I had a chance to read about zero day vulnerability in vehicles but passed on the article cause I've read it already. or similiar (BlueTooth). A link from a site that has handles current headline news. It's been removed from that site and the sites history.

Google has this but it links to a 404,

Full Hacker News - Svay
svay.com/projects/FullHackerNews/?l=linux-kernel&m...q=raw?
18 hours ago - You can't manage this competition while sipping margaritas all day from your ..... of a single address,
followed by zero or more delimiter and single address pairs. ...... The cars are protected by a system called
Megamos Crypto, an algorithm ... Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the ...

If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

London, July 27 : A British computer scientist, who cracked security system of cars including Porsches, Audis, Bentleys and Lamborghinis, has been banned from publishing an academic paper revealing the secret codes as it could lead to the theft of millions of vehicles. - See more at: http://www.newkerala.com/news/story/47249/scientist-banned-from-publishing-research-containing-luxury-car-security-codes.html#sthash.fJvoQSgv.dpuf

That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

Re:Bottle - Genie?

[Trax3001BBS]

If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

Enamored so by the self writing javascript I posted the wrong address
https://www.usenix.org/conference/usenixsecurity13/session/attacks and what this ruling blocks.

Re:Bottle - Genie?

[gweihir]

Simple: "The law" has only a remote connection to reality, but it does ignore that fact consistently.They are doing significant damage here, as in the future, things like this will just get published anonymously.

ridiculous

[Xicor]

i would much prefer that they can be released to the public and subsequently FIXED than have a researcher sell it to criminals or use it himself to steal cars.

Re:ridiculous

[Z00L00K]

What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles finds their way to eastern Europe.

What immobilizers do are to deter joyriders and crackheads from stealing cars. The professionals already know how.

And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.

Great Idea!

[FuzzNugget]

The vulnerability will surely never be exploited now, because it's simply not possible that anyone else is smart enough to figure it out. Even if they do, no thief would ever use it to steal a car right?

Seriously, how do people this stupid become judges?

Re:Great Idea!

[meerling]

Actually, knowing it exists reduces the required resources by 90% or so.
Yeah, that's just a percentage I made up, but it has definitely been shown that as long as someone knows it's possible, because someone else did it, it will be repeated, and often in only a fraction of the time and other resources it took for the first one to achieve it, even if the details are kept top secret.

Re:Great Idea!

[lxs]

Now that post is straying dangerously close to the concept of morphic resonance.

Re:Great Idea!

Seriously, how do people this stupid become judges?

Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding.

The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.

Re:Great Idea!

[gweihir]

Seriously, how do people this stupid become judges?

That is by design. Judges are people tasked to interpret the law like it would apply to reality. It quite obviously does not in most instances, and hence judges have to be inherently stupid. Those that are not become lawyers (what they do is stupid, but at least they get rich), or never go into the study of law in the first place.

Re:Great Idea!

[Dunbal]

I think you missed the sarcastic tone of OP's post. Still you are also correct. What I find hilarious is the persistent belief by the courts that their jurisdiction covers the entire globe. Thanks to the internet, anyone can publish anything globally within hours. The internet cannot be censored even though it seems that governments are trying really really hard nowadays. I expect to be able to buy t-shirts with the exploit printed on them very soon.

How long have they known?

[gman003]

It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

Re:How long have they known?

I wouldn't be surprised if the first thing the producer of the flawed product does is immediately hit their lawyers and try to get some type of gag order before a security flaw goes public. It is a lot easier to tie up a person with litigation (or even have them arrested) than it is to actually bother fixing things.

The only real protection against this is having someone in another country have the information. If a gag order is placed, that person will reveal the details from their place. Perhaps multiple people.

Re:How long have they known?

[MikeBabcock]

Its not standard practice, its a commonly requested nicety.

An awful lot of zero day exploits are so bad that people should know about them just as soon as manufacturers in order to defend themselves.

What's sick is that so many people in our day and age consider their cars, computers and everything else black boxes that should be managed from the outside instead of taking responsibility for them. I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task. Auto manufacturers for all we know played fast and loose with designing these systems -- yet another reason to push for more not less openness.

Re:How long have they known?

[eth1]

Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.

It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

Re:How long have they known?

Let up to the auto makers, I wouldn't be surprised if they would use news of the exploit as a method of getting people to buy new vehicles that have it fixed.

I've worked with software companies like that. Product had security issues, and they refused to fix them in one version, telling customers to pay for an upgrade or deal, as the EULA/TOS states the software vendor isn't responsible, nor has to even bother with fixes.

Re:How long have they known?

[RandomFactor]

I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

This is a false dichotomy. The better answer is both.

I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

Re:How long have they known?

[Tom]

If the car industry is anything like the IT industry, it will be a ton of work to even reach someone who understands what the problem is.

These days, IT has finally learnt, but I still remember times where researchers had a hard time getting their 0-days to the attention of the manufacturer because corporations have a strong tendency to make it very, very hard to identify and contact anyone on the inside who's not in sales.

Re:How long have they known?

[Z00L00K]

The big fish already knows how to get around the immobilizers, and the crackheads and joyriders won't care since they aren't willing to put money and effort into getting a device. The mid sector of criminals will now know that it's possible and there will be a demand on ready to use devices - provided by the big guys.

wait... but... logic...

Banning hackers from releasing information.
This has ALWAYS worked!

ATTENTION BEAN SPILLERS !!

Do not announce !! SPiLL !! SPiLL !! SPiLL !!

Muw haha haha !!

Re:ATTENTION BEAN SPILLERS !!

[EmperorArthur]

Do not announce !! SPiLL !! SPiLL !! SPiLL !!

Muw haha haha !!

It sounds harsh, but this whole injunction and others like it are why so many people are against responsible disclosure. If you put it on the internet, then by the time someone could issue an injunction it's too late.

Expect to see this leaked/rediscovered, and then the court to blame the researcher.

Re:ATTENTION BEAN SPILLERS !!

This. Instead of punishing people for disclosing problems in other peoples products, they should fine those other people for any damages caused by bugs in their product.

But am I vulnerable?

[bobstreo]

My car doesn't have power windows, or keyless entry or even remote start.

They may be able to impact my cassette player?

How will I know if I can't read the article?

Re:But am I vulnerable?

[sinij]

Relax, you are not vulnerable to automotive theft by virtue of driving rusted Grand Caravan.

Re:But am I vulnerable?

[iggymanz]

Guess again, just checked 2012 list of 10 most stolen cars in America (excludes SUV and trucks), 2000 Caravan is #5

Re:But am I vulnerable?

[flyingfsck]

"cassette player" I heard that 8 track players are in demand again with the over 70s nostalgia crowd...

Wouldn't it be better...

to ban auto companies from not fixing bugs/vulnerabilities that are made public?

Re:The queen still in charge ?

It must be the doings of that damn bastard tripartite commission !!

We are the Trilateral Commission, and we caution you
not to get our name wrong again.

That's nothing compared to Black Hat

[Animats]

Take a look at this year's Black Hat presentations. These are just the ones on vulnerabilities in embedded systems.

• Compromising Industrial Facilities From 40 Miles Away
• Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
• Exploiting Network Surveillance Cameras Like a Hollywood Hacker
• Fact and Fiction: Defending your Medical Devices
• Hacking, Surveilling, and Deceiving victims on Smart TV
• Home Invasion v2.0 - Attacking Network-Controlled Hardware
• Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
• Implantable Medical Devices: Hacking Humans
• Let's get physical: Breaking home security systems and bypassing buildings controls
• Out of Control: Demonstrating SCADA device exploitation
• The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!

D'oh

[SigmaTao]

Even *if* they could suppress the details of how it's done across britain, do they not understand that the idea that it is possible, is enough for smart people to figure it out independently of this research?
Why don't they order it to be fixed rather than trying to prevent the information about it to be suppressed "somehow"?
Why don't they take it to another level and have a system implemented for identifying and solving problems like this - something like the air safety board when they investigate accidents? An automakers software / hardware safety council?

Black hat

[t8z5h3]

This is because of black hat, this changes nothing and if anything makes the really bad hackers the ones with out a sol move faster to put a exploit in the wild who of us thinks there will be a story next week about cars being stollen and driven into water as a call to action by anomaus or lolsec?

not even until fix, until a full hearing

[raymorris]

Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect of the or intent of the injunction.

Re:not even until fix, until a full hearing

[Tom]

A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.

Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the courts opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary injunction.

Re:not even until fix, until a full hearing

I was deeply involved in corporate legal stuff

Well, corporate legal stuff. You're still the wrong one. If the court thought the plaintiff was full of shit, that would be an opinion on the matter. Having two people come to you and telling them to put something on hold until you sort it out is not an opinion on which person is right.

Re:not even until fix, until a full hearing

[SuricouRaven]

How do they fix this? They can put a new firmware in cars easily enough, but the many already on the road have no auto-update capability, and the typical driver isn't even aware their car has firmware. Assuming it's something that can be updated - I wouldn't be surprised if this is handled by a chip that needs to be physically replaced by a garage.

Re:not even until fix, until a full hearing

[Tom]

You seem to think the world freezes in place while the court goes through the full hearing. That isn't the case and courts know that. Before issuing a temporary injunction, they will consider a) if the plaintiff has a chance to prevail and b) if he will take irreparable harm if he doesn't get the injunction. Those are the legal standards for a temporary injunction. And yes, they include an opinion. That is why many plaintiffs who get a temporary injunction rejected will also drop the full case.

Re: not even until fix, until a full hearing

[jesseck]

that's Easy, Just Tell The Owners That Their floormats Cause The Problem, And Fix It While Those Are Being Replaced.

Re:not even until fix, until a full hearing

[icebike]

Its most likely firmware, and as for the auto update capability, any car new enough to have this feature will have an update capability, because almost every car gets software updates.

Not all are applied, especially after the car is out of warranty, or resold, but most people have these updates applied at their next service. Very few people buy a new car and then never visit the dealership again.

Re:not even until fix, until a full hearing

[DickBreath]

There is nothing so permanent as:
1. A temporary injunction to prevent publication of an embarrassing and/or expensive security vulnerability
2. A temporary hack to be fixed later so we can ship the product now

Both are designed to protect profit from having to do the right thing.

"Reasonable time"

[flyingfsck]

Under English law 'a reasonable time' is usually 14 days. So unless the court put a date on it, the injunction will expire quite soon.

Ban publication?

[fustakrakich]

All that does is raise the price of the exploit on the market. Oh by the way, is this 'exploit' the same thing as the repo man's kill switch?

this should be standard

[bob_jenkins]

It should be standard that you notify the company before releasing the flaw publicly, and it should also be standard that after some waiting period the bug should go public. Well, standard per product ... different products have different release cycles, I could see some wanting 2 months while others want 1 year. But it should be public information, that product X you should notify them first then you're allowed to report the bug publicly after n months. That waiting period should be part of the product specs.

Re:this should be standard

[mark-t]

Why?

While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.

It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people vulnerable for a far longer period to criminals who *DON'T* rely on publicly published media for their information.

And you know that stealing cars is already illegal, right? And that it's not exactly something that is always just as easy to get away with as, say, remotely hacking into somebody's computer. Especially in cities that have instituted bait car programs.

Re:this should be standard

[frovingslosh]

On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.

Re:this should be standard

[bob_jenkins]

Yes, exactly. This is a mechanism for motivating companies to correct it ... if there was a default 6-month waiting period, and some products had a 2 month one and others a 1 year one, and some refused to have any, that's information prospective customers can take into account.

okay...

[slashmydots]

So tell the auto makers then wait 24 hours then tell everyone. Then it's one day.

So, we don't need Knight Rider's KITT microlock?

[kriston]

So, we don't need Knight Rider's KITT microlock brakes anymore? Cool. Those were pretty cumbersome 1980s technology to deal with, anyway.

stupidity won again

[Tom]

Yepp, the court fell for the oldest and most blatantely false argument of the full disclosure opponent.

The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.

What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.

What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintainance cycle, but don't count on it.

The next years will be a great time to be a car thief.

Re:stupidity won again

It is a temporary injunction. At the full hearing, I would hope they check if in this case criminals likely do already know about this or not. And I would hope that even if criminals don't already know about this, they won't give VW more than a reasonable amount of time to develop a fix before allowing publication anyway. I don't think it is unreasonable to have a temporary injunction before the court actually looks at the case properly, and I don't think it unreasonable to play it safe and assume that the criminals don't have this information at this stage unless it can be trivially proven that they do.

Re:stupidity won again

The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet.

And if there are no thieves that have the information now, the court's injunction gives them the most crucial piece of the puzzle: knowledge that the system on these cars can be defeated through a clever attack.

Re:stupidity won again

[IamTheRealMike]

The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do.

Erm, no you can't. Your experience is obviously wrong if you conclude that.

Immobilisers are mandatory in the EU since 1998 because they had an absolutely massive effect on car theft. From el wiki:

Statistics in Australia show that 3 out of 4 vehicle thefts are older cars stolen for joyriding, transport or to commit another crime. Immobilisers are fitted to around 45% of all cars in Australia, but account for only 7% of those cars that are stolen. In many instances where a vehicle fitted with an immobiliser has been stolen, the thief had access to the original key. Only around 1 in 4 stolen vehicles are stolen by professional thieves. The majority of vehicles are stolen by opportunistic thieves relying on finding older vehicles that have ineffective security or none at all.

From this paper

Application of the security device reduced the rate of car theft by an estimated 70 percent in the Netherlands and 80 percent in England and Wales, within ten years
after the regulation went into eect. Based on micro-data on time to recovery of stolen cars for the Netherlands, we nd that the device had a greater impact on theft
for joyriding and temporary transportation than on theft for resale and car parts. The costs per prevented theft equal some 250 Euro for England and Wales and 1,000 Euro for the Netherlands; a fraction of the social benets of a prevented car theft

Obviously, in that timeframe not all immobilisers were secure, as we're now learning that some have exploits (also see the BMW recall). Yet car theft dropped a lot anyway. The only explanation is that "bad guys" (who come in all shapes and sizes) did not have that knowledge, the skills needed to be a car thief not often overlapping with the skills needed to break complex security electronics.

How about, no.

You're free to sell or otherwise not own overly complex gear you have no ability to properly secure or operate.

Re. Black Hat

Hi, I already ran into such a problem, some cars have those infrared immobiliser "keys" and to hack those is something any 3 year old with a learning remote control and some time can do.
A similar unit with 433 MHz mod could be used so this has been public knowledge from a long time.

Did you know that under UK law, possession of a universal remote thus modified is actually classed as "going equipped" outside of a private residence. I think there have been like 4 prosecutions but none of them made the papers because it wasn't deemed interesting enough to publish.

Beware he who would deny you access to information

[Damouze]

For in his mind, he dreams himself your master.

They never fixed it so far

[dutchwhizzman]

Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.

Re:They never fixed it so far

Simple solution... Don't buy a BMW...

They will learn in the long term that if they ignore security issues, people will think with their wallets and avoid buying their stuff...

Re:They never fixed it so far

[drinkypoo]

I solved this problem by buying a 1982 Mercedes. Nobody wants to steal it.

Re:They never fixed it so far

[Cederic]

erm. BMW did fix this, and upgraded the software in my car for free with the fix.

Re:They never fixed it so far

[Goaway]

I am sure that loss of one sale will hurt them really bad.

Re:They never fixed it so far

[mpe]

Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house.

Note that "in house" actually ment "at every BMW dealership" rather than "only at BMW HQ in Munich". They may well have not made any of the parts of the system themselves.

Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low.

It isn't uncommon for car makers to refuse to fix faults unless force to by a regulator. Since this fault does not affect safety it may well be outside the remit of any regulator in Europe.

Right now, there's no indication that VW can and will fix this problem once it gets out.

It may already be "out" so far as car thieves are concerned. Wonder how many parts suppliers VW and BMW have in common.

Re:They never fixed it so far

[nazsco]

Moron. It's a feature. Bmw is the only that you can get a blank from the dealer from less than $30 and program it following instructions from the users manual.

Re:They never fixed it so far

[nosferatu1001]

Misinformation abounds...

This. Problem. WAS. fixed. Through a recall, and an update during routine service.

Disclosure: I work for BMW UK. The storm we had following watchdog didnt help.

Re:They never fixed it so far

The BMW exploit is old news and requires access to the OBD plug. Theoretically a valet or unscrupulous mechanic could duplicate the key, however, there is no evidence that this is a problem. Repo guys with the door key have been doing this for years now with a laptop and OBD adapter. Note that it still takes about ten minutes to run the algorithm and get a valid key set. BMWs still have one of the lowest theft rates of any car, and those with BMW Assist (OnStar) can be tracked.

Re:They never fixed it so far

[zipn00b]

To my knowledge that's a known FEATURE of many systems - not just BMW. However many vehicles will only accept a total of like 3 or 4 keys. But it allows a quick way to replace a lost key whether done by the dealership or by the owner. It DOES require a functioning key with the systems I'm familiar with (can't afford a BMW) so in like a valet parking situation there's a risk but valet parking is always a risk. Anytime somebody besides you has access to the car and the key there's a risk. I've also seen "blanks" for a variety of models of vehicles on the internet often at considerable savings over going to the dealer. I think one vehicle the dealer wanted like $250 for a lost key and I got a "blank" for $40 and programmed it in just a few minutes - well worth the difference........

Re:They never fixed it so far

[zipn00b]

Is it a diesel? Those things last nearly forever!

Re:They never fixed it so far

[zipn00b]

I must have misread the posting then. I know that if you have a working key most vehicles have a sequence in the manual that let you program a replacement key fairly quickly. Making one by pulling the key code over the OBD plug though would be interesting but not necessarily something your average car thief would be doing but there are definitely some parts "sourcers" that might do something like that as they make enough off a vehicle to be worth the time and trouble......

Re:They never fixed it so far

[drinkypoo]

Yes, it is powered by the venerable OM617.951 and it only has about a quarter-million miles on it, so it should be good to go for a while yet. I rebuilt the turbo not long ago... It looks a little crappy, but it goes like stink. Most amazing three liter ever, unless you count that one from Toyota which is in a much less reliable class to say the least

Megamos RFID cracked

[dutchwhizzman]

Any car that uses the megamos RFID chip to identify the key, will be vulnerable. To fix this, the manufacturer will have to replace all keys and the receiver and reprogram all computers in the cars infected. VAG here has a problem with most recent Volkswagens, Audis, SEATs, Skodas, Bentleys, Lamborghini's and Porsches. Other manufacturers that rely on this system are probably affected too. Chances that VAG will proactively call back all these vehicles are extremely slim. A temporary injunction serves no purpose, unless VAG can prove without a doubt that they can and will fix this within a very short time frame. Mind you, designing a new system, testing it for security, mass producing it and recalling all cars will probably take well over a year before they can even start recalling and cost tens of billions to implement for VAG.

Re:Megamos RFID cracked

or they can just pay for stolen cars. Probably cheaper.

Re:Megamos RFID cracked

The 'assholes' should have foreseen it being cracked - physical access = game over . BMW and Oyster cards - cracked. Car speedos - cracked. Even Xboxes and playstations went under.. But they lusted over monopoly profits for lost keys.
At least mobile phones have invisible SMS reprogramming - since donkeys ago. The court is a fool, and hopefully they will see it for what it is : a design flaw - and tell em they are on their own.

Why Would Anyone Buy A New Car?

New cars come with immobilizers, exploits, remote death controls (at least in the Mercedes C250 Coupe), OnStar surveillance, and black boxes to testify against you - why the fuck would anyone buy a car made after the mid-90s? You can get a totally tricked-out and rebuilt early-90s Honda Civic that gets awesome gas mileage for way less than a new car. You can get a mind-blowing totally tricked-out and rebuilt early-90s Toyota or Nissan truck for.. well, not a whole lot less than a new one (but that's just because most of them still have 100K left on them). I'm sticking with cars that aren't my enemy, thanks.

Re:Why Would Anyone Buy A New Car?

[JockTroll]

why the fuck would anyone buy a car made after the mid-90s?

Soon, it will be illegal to even *own* a car without those features. You don't want to drive them, don't buy them. Boycott. Sabotage. Find out who the designers are and assassinate them. Can't make a "safe-for-teh-children" car when you have no head anymore and are buried in pieces in a shallow grave, can you?

Of course the real solution is to publish first.

Then such censorship cannot be done.

Which law?

[Meneth]

What kind of law would allow a court to do this? I can't find any mention in TFA.

Also, can we get a copy of the court's decision document?

Re:Which law?

[Kijori]

I suspect that there won't be an interesting judgment to read. This, from the sound of things, is a temporary injunction before the actual hearing. The companies are presumably claiming that there is some reason for which they are entitled to prevent publication (perhaps they are claiming that the scientists obtained confidential information - we don't know). Whether they win or lose, they are entitled to a hearing; and it would defeat the point of the hearing if the scientists could release the information now and therefore be injunction-proof. The court therefore issues an injunction temporarily to preserve the status quo. If the scientists now go on to win, the injunction will have an impact on the costs that they can recover from the car companies.

Hopefully the judge will also have ordered a speedy trial (which might mean a hearing within 6 weeks), so that the injunction doesn't need to last long.

They have not choice but to go the legal route

This is not something they can just simply patch because the crypto is inside the car key's hardware which is not updatable.
Also it should be noted that not only VW is affected, but all car manufacturers which use the Megamos transponder.

However, they must at least put up a legal fight or they will later become liable for not trying to protect their customers. They might not be able to stop the publication, but they have to at least try (despite the negative publicity) to prevent further lawsuits.

By the way, whoever suggested that the researchers should just release their findings without contacting the affected parties first: That is a surefire way to get sued with reasonable chances of success for actively aiding in the theft of vehicles.

Ineptitude as well

[PigleT]

This is the same VW that have failed to diagnose my faulty immobilizer 3 times now, is it? If I knew the exploit then at least I could disable the blasted thing myself and get moving again when it plays up!

Or maybe I'm being hacked remotely and don't know it...

Re:too bad we don't use these zero days to take do

[Dunbal]

Because most people are generally honest, law abiding citizens. The heat has to be turned up quite a bit more before your average Joe becomes a homicidal maniac bent on revenge against a tyrannical establishment. Of course once that happens, it's irreversible.

Re:Beware he who would deny you access to informat

[xarragon]

The best quote from Alpha Centauri (old video game).

It will never work...

If you force someone to NOT-PUBLISH something, because they announced, and you are not happy with it, what will happen is...

Next time they will publish it un-announced...

Have a nice day.

wtf? dhgate has had car key code cloners for somet

uh... this is much ado about nothing... I can pick up universal cloners/programmers for the immobiliser for about 100.00 on dhgate that do megamos crypto as well as texas 4C and others, reversing one of these devices firmware will quickly yield the necessary algorithms needed to break car immobilizers depending on the above crypto. As the chinese ALREADY have this algorithms(needed to build such a device) EVERYONE has this info now... I dont see what the big deal is about a simple student paper revealing a rather mundane mistake the manufacturers of goods that use crypto commonly make.. ie they trust that they can do it securely with in house talent, NOT!

              what rubes to complain now that some student reveal their dirty britches...
       

FreeNet

[nurb432]

Just publish there, or other anonymous ways that cant be taken down.

Laws and judgments like this should not be followed as they are anti-freedom.

Anti theft device

[PPH]

My car has an ingenious anti-theft device. I'm sure most thieves will not be able to overcome it in order to start my car.

Its a knob labeled "Choke" on the dashboard.

add this to their censorship filters

First the UK "adult" content filters were put in place. What they should do now is ban security sites, subversive anti-government sites, news sites that tell the full story, etc.

Streisand Keys

[MajVariola]

VW doesn't get the Streisand effect, eh? When engineering fails use the (violence implied by the) law? Reverse engineering is not only protected, but essential to survival. Security by obscurity is a comedy plot not an assurance policy.

Re:Streisand Keys

[MajVariola]

PS When can I get a T-shirt with the key and algorithm on it? My DeCSS shirt is getting worn.

Re:Streisand Keys

[Stan92057]

You think the US is the only country on the planet? "Reverse engineering is not only protected, but essential to survival." That statement is for the USA only, other country's dont have the same laws or protections.

Temporary injunction.

[phorm]

Well, an injunction that's only good for X days might be a good incentive to fix the issue before X days is up...

i get it

[KingBenny]

that means criminals are idiots and would never resort to doing research so just keep everyone stupid on all subjects and no holes need to be plugged. Every time i open my eyes and it's only 6am i smell doom at the horizon.