Slashdot Mirror


English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."

4 of 168 comments

  1. Re:that settles it by hutsell · Score: 5, Informative

    Keeping in mind: temporarily banned. Synopsis from another article by the Guardian:

    The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

    Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

    It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

    --
    Yesterday's Weirdness is Tomorrow's Reason Why
  2. Re:that settles it by Anonymous Coward · Score: 5, Informative

    The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

    In real life, the powers that be want the guy muzzled.

    The lesson learned is to do one of three things if finding an exploit:

    1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer if one is found to have done this, and perhaps might run them afoul of the law in their area.

    2: Release a warning to the company, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

    3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

  3. Re:They never fixed it so far by Cederic · Score: 4, Informative

    Erm. BMW did fix this, and upgraded the software in my car for free with the fix.

  4. Re:They never fixed it so far by nosferatu1001 · Score: 3, Informative

    Misinformation abounds...

    This. Problem. WAS. fixed. Through a recall, and an update during routine service.

    Disclosure: I work for BMW UK. The storm we had following watchdog didn't help.