Slashdot Mirror


English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."


  1. that settles it by frovingslosh · · Score: 5, Insightful

    It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:that settles it by gmuslera · · Score: 1

      And the manufacturers won't have to worry about fixing that vulnerability for a long time (or do a fake, incomplete, not certifiable, or open to even more vulnerabilities fix)

    2. Re:that settles it by gagol · · Score: 5, Insightful

      Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer has an incentive to ACTUALLY FIX the problem.

      --
      Tomorrow is another day...
    3. Re:that settles it by bill_mcgonigle · · Score: 5, Insightful

      It sure is a good thing that England controls the entire Internet

      Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

      So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    4. Re: that settles it by Hamfist · · Score: 1

      And I'm not even sure about that one...

    5. Re:that settles it by meerling · · Score: 5, Insightful

      I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

      Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

    6. Re:that settles it by hutsell · · Score: 5, Informative

      Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

      The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

      Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

      It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

      --
      Yesterday's Weirdness is Tomorrow's Reason Why
    7. Re:that settles it by EmperorArthur · · Score: 5, Interesting

      Now here's a thought.

      Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    8. Re:that settles it by gadget+junkie · · Score: 1

      Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

      The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

      Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

      It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

      It can only be temporary. Cat's out of the bag anyway, and while they are banned to publish the details, any "Yep. still there" six months from now would pit owners and insurance companies vs manufacturers, with manufacturers losing for having known, and not acted upon, a problem with their car.

      --
      "If a boss demands loyalty, give him integrity. But if he demands integrity, give him loyalty." (John Boyd, 1927-1997)
    9. Re:that settles it by Anonymous Coward · · Score: 5, Informative

      The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

      In real life, the powers that be want the guy muzzled.

      The lesson learned is to do one of three things if finding an exploit:

      1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

      2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

      3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

    10. Re:that settles it by sabri · · Score: 2, Funny

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      Yeah, next thing you know they'll be banning porn!

      --
      I'm not a complete idiot... Some parts are missing.
    11. Re:that settles it by Opportunist · · Score: 5, Insightful

      Not only that, but to have a claim against insurance when (not if) this blows.

      It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

      It is VITAL that not only manufacturers but also insurances get this information!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    12. Re:that settles it by fustakrakich · · Score: 1

      I guess they won't be going through Heathrow.

      The US is hardly a safe haven.. I believe a place like Iceland would be the safest for these kinds of gatherings..

      --
      “He’s not deformed, he’s just drunk!”
    13. Re:that settles it by 91degrees · · Score: 1

      Where are the other people going to get the information from if the people who created it can't publish it?

    14. Re:that settles it by Chrisq · · Score: 2

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      I think this is the real reason behind Cameron's porn block. He starts off talking about porn but then when discussing details it's suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't hear.

    15. Re:that settles it by Chrisq · · Score: 1

      I guess they won't be going through Heathrow.

      The US is hardly a safe haven.. I believe a place like Iceland would be the safest for these kinds of gatherings..

      I understand there's also a nice hotel in the "flight side" of Moscow airport

    16. Re: that settles it by gl4ss · · Score: 1

      The UK, Germany and the Netherlands are all in the EU.

      so what? now, which country does censorship of trivial things like if some footballer had been fucking some girl/dude/whatever? the UK.

      UK is of these countries one that pretends you can use courts to decide what people can speak about if they happen to know.

      --
      world was created 5 seconds before this post as it is.
    17. Re:that settles it by SuricouRaven · · Score: 1

      This is for the immobiliser, not the door locks, so you don't need to dabble in the delicate electronics of the engine control or fiddly RF line. Just put your relay in the cable that powers the solenoid coil for the starter (Do cars still use those, or have they gone solid-state now? Same idea) or power line to the ignition.

    18. Re:that settles it by isorox · · Score: 2

      In real life, the powers that be want the guy muzzled.

      In the UK they use the courts to block the publication of the paper

      In the US they use the CIA to murder the author

    19. Re:that settles it by jbolden · · Score: 1

      The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

      US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

      US Const Am 16: The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.

      The constitution is about as non-temporary as you can get.

    20. Re:that settles it by alexgieg · · Score: 1

      US copyrights are supposed to be "temporary".

      US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times (...)

      The constitution is about as non-temporary as you can get.

      Care to explain in which way "limited Times" would be synonymous to "non-temporary" rather than to "temporary"?

      --
      Conservatism: (n.) love of the existing evils. Liberalism: (n.) desire to substitute new evils for the existing ones.
    21. Re:that settles it by jbolden · · Score: 1

      The existence of copyright law is meant to be permanent. Copyrights themselves on each particular item are meant to be of limited duration.

    22. Re:that settles it by multimediavt · · Score: 1

      The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

      In real life, the powers that be want the guy muzzled.

      The lesson learned is to do one of three things if finding an exploit:

      1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

      2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

      3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

      You seem to use "anonymous" when referring to accessing the internet and publishing something damning as if it were the same magic spell that idiots use when invoking "encryption" with data protection. There are only a few sources that this info could come from (in most cases) to be seen as credible, and only a few places worthwhile to publish it and have effect. What makes you think the author would remain anonymous for very long? Certainly, not long enough for statutes of limitation to run out on any legal offense made.

    23. Re:that settles it by morcego · · Score: 1

      Keeping in mind; temporarily banned.(...)

      It can only be temporary. (...)

      Yeah, just like the copyright is temporary... What is it these days, 50 years AFTER the death of the creator? I stopped checking because, for all practical purposes, you can just consider it "forever" and it will work...

      --
      morcego
    24. Re:that settles it by bill_mcgonigle · · Score: 1

      by securing for limited Times to Authors

      Once it surpassed the author's death, the farce could no longer be denied. Fortunately for Congress, they're held to the Constitution in less than 1% of cases.

      It's funny how some people still pretend it's the controlling law.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    25. Re:that settles it by hairyfeet · · Score: 1

      I hate to say it but this kind of crap is why it's stupid to be a white hat. you just watch the car manufacturers won't do a damned thing about this weakness and if he says shit, hell even if he doesn't they will probably sue him for "giving those black hats ideas" which of course they would NEVER have had if it weren't for this guy.

      Too many times we have seen those that try to do the right thing in this field told to muzzle it or even having companies go for the classic shoot the messenger, from companies sitting on vulnerabilities long past any reasonable grace period to threats of lawsuits and have you seen ANY of the white hats thanked? Nope they are ALWAYS treated like a douchebag threatening to throw shit at their customers, you always have this "it's really your fault you know" kind of vibe to any responses from the corps.

      Meanwhile the black hats pay cash, last I heard for a good zero day they'll pay a LOT of cash, so given the choice of muzzling, being told to STFU and sit in a corner for..well whenever the corps get around to fixing it, if at all, and generally being treated like an unwelcome pest or getting paid? Yeah I'm sorry guys but until the bad attitudes and shoot the messenger vibe goes away I'd say you'd have to be nuts to be a white hat. As my grandfather used to say "You say welcome and they'll say mat and walk right over you".

      --
      ACs don't waste your time replying, your posts are never seen by me.
    26. Re:that settles it by icebike · · Score: 1

      From TFA:

      the two other authors Roel Verdult and Baris Ege, both of Radboud University Nijmegen are not in or from the UK so it’s not clear to me how effective the injunction would be against them if they opted to defy it.

      So it doesn't follow that just because the paper is released that the enjoined person released it. The injunction does not reach to Germany, nor does it reach to the peers in other countries that may have provided peer review.

      The fact that the injunction was issued at all speaks to the judge's lack of knowledge as to who Barbra Streisand is, and why she is germane to this issue.

      --
      Sig Battery depleted. Reverting to safe mode.
    27. Re:that settles it by icebike · · Score: 1

      Sigh...

      Why is it every report of a vulnerability of a system where any form of encryption is used always brings out some know-nothing speculation about rolling their own encryption? Are you sure you don't want to mention Faraday Cages and Gravity Wells while you are at it?

      Immobilizers are in the end, a physical system, which can just as easily be bypassed physically, and probably far easier than breaking its encryption.

      --
      Sig Battery depleted. Reverting to safe mode.
    28. Re:that settles it by icebike · · Score: 1

      Immobilizers http://en.wikipedia.org/wiki/Immobiliser interrupt two different circuits, typically fuel pumps and low-voltage supply.

      So two small jumper clips bypass the entire system if you know where to put them, and have physical access to the vehicle.

      --
      Sig Battery depleted. Reverting to safe mode.
    29. Re:that settles it by Dyolf+Knip · · Score: 1

      Copyrights with a theoretical duration of nearly 2 centuries (max human lifespan plus 70 years) are kinda stretching the definition of the word "temporary".

      --
      Dyolf Knip
    30. Re:that settles it by jbolden · · Score: 1

      I agree with you. But GP was saying something about income tax as a temporary measure and that was the context on the copyright post.

    31. Re:that settles it by SuricouRaven · · Score: 1

      These are car thieves we're dealing with. Even if they are knowledgeable enough, they wouldn't want to hang around too long with the bonnet up in case the owner returns. If your car is too hard to steal, they'll just move on to someone else's.

    32. Re:that settles it by ai4px · · Score: 1

      ...but it is a living document!

    33. Re:that settles it by AdamWill · · Score: 1

      Also worth noting the article's "England's highest civil court" probably misleads U.S. readers a bit. You could strictly say it's true, or at least that it's one of the three highest civil courts in England. But cases can usually be appealed from the High Court to the Court of Appeal, and then to the Supreme Court of the UK (formerly a committee of the House of Lords took that role), and then possibly to the EU (seems likely to be at least a possibility in this case). The implication that judgements the High Court makes are essentially final is misleading.

    34. Re:that settles it by AdamWill · · Score: 1

      Because he's responding to someone else who brought up the completely irrelevant comparison in the first place.

  2. Security through obscurity? by gagol · · Score: 2

    I thought this one died 10 years ago...

    --
    Tomorrow is another day...
    1. Re:Security through obscurity? by Pentium100 · · Score: 4, Insightful

      Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

      For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot ( there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.

      Same thing here - while the system is not as secure as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.

      My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.

    2. Re:Security through obscurity? by Opportunist · · Score: 1

      It was a stillborn, but be honest, is that the first time people ride dead horses?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Security through obscurity? by subreality · · Score: 1

      A false sense of security can be worse than just having the exploit exposed.

      While obscurity will prevent widespread exploits for a while, there are other benefits: I want to be able to assess the risk myself, know how vulnerable my car is, and possibly upgrade the system if I decide it's inadequate.

    4. Re:Security through obscurity? by fuzzyfuzzyfungus · · Score: 2

      I thought this one died 10 years ago...

      For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.

    5. Re:Security through obscurity? by gweihir · · Score: 1

      I thought this one died 10 years ago...

      It did a lot earlier than that...to anybody that is halfway competent in the area of IT security. These people have just exposed themselves as grossly incompetent and utterly greedy. Just like a lot of other manufacturing industries, they just want to go on selling their defective products for a few more years before they do anything about it which could cause them some reduction in profits.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    6. Re:Security through obscurity? by gweihir · · Score: 1

      Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

      I do not agree, and the whole crypto research community and secure software community does not agree either. What you forget is that this is not about physical goods, but software and algorithms. Once created, the product will be made into countless identical copies at basically zero cost per copy. Break one, and you have broken them all. The attack can be copied just as easily.

      Your view has been discredited a long time ago. But there are a lot of idiots around that ignore history and established facts and come up with the same faulty view you have time and again. It just seems to be a widespread defect in the human mind.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Security through obscurity? by gweihir · · Score: 1

      Indeed. A false sense of security increases the risk, as then people will implement less risk-mitigation measures.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    8. Re:Security through obscurity? by tlhIngan · · Score: 1

      I thought this one died 10 years ago...

      Only if it's the only means of security you have.

      If you already have reasonable security measures adding a layer of obscurity can make life a lot simpler.

      For example, let's say you have a web application that's properly secured and only for internal use, but available externally because people need access to it. Would you put it on port 80? Or if you can, put it on another port, say 8181? People who need to use it know about it, and even if it's found accidentally, it still is secure. Just you've eliminated 99% of random hacks and other crap that people are using and thus can deal with the actual legitimate hack attacks.

      You've "obscured" the actual port, but have actual security behind it. The obscurity just makes it harder to find, but it isn't the sole means of security around.

      Or to avoid filling up your SSH logs with invalid access attempts from script kiddies, you could put your secured SSH system on another port, then you can review your authentication logs without the noise of script attacks and see if someone is trying to hack in.

    9. Re:Security through obscurity? by Pentium100 · · Score: 1

      So, if the exploit was published, the cars would be more secure than now? I mean before the manufacturers could release a patch and all affected car owners install it.

      Yes, if the car manufacturers published the details (schematics and source code) for the system when they created it, someone would have found this vulnerability sooner and (hopefully) would have informed the car manufacturers who then would be able to patch it hopefully before it was installed in a lot of cars.
      Publishing the exploit would only help if there was a workaround that was easily done to prevent that exploit. If there is no way to secure the system without the (currently non-existent) patch, then releasing the exploit would make it worse as it would be available to more car thieves.

      Or, for example, if Sony published the source code etc for PS3 DRM, would it have taken as long to hack it?

    10. Re:Security through obscurity? by xenobyte · · Score: 1

      Actually security through unique obscurity does work although not very efficiently on its own. This is actually used all the time in the form of hiding the internal structure of a local network for instance. This adds a level of difficulty to any attempt at penetrating as the attackers need to find out the structure and the components and thus the possible attack vectors. If you for instance need a server to contact your evil server, messing with nameservers is a good idea, but then you need to either modify the configuration of the server (requires root) or poison the nameservers it uses. This requires that you find out how the internal network works - is it plain and simple or does it use a dedicated vlan on a secondary NIC or maybe some NAT remapping? - It might be that you cannot reach the nameserver at all except on port 53 tcp/udp, or that it simply listens for ssh on a completely different IP or network. Here the obscurity clearly helps in making the intruder work a lot harder to get what he/she wants, obviously making some simply give up and move on.

      --
      "For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
    11. Re:Security through obscurity? by mattpalmer1086 · · Score: 1

      Well, I can't say that I speak for the entire crypto and security community, but I do work in the field and I have thought about this a bit.

      "No security by obscurity" isn't meant to inform how we approach the entire process of vulnerability disclosure. It just makes the point that relying on obscurity for security will give you no real security. This is what we need people owning, building and maintaining things with security requirements to understand.

      When thousands or millions of fielded products are already out there with a vulnerability, then giving the manufacturers time to fix the issue is just responsible disclosure.

      Disclosing after some reasonable period of time is also responsible, as an incentive to actually fix it. We take obscurity away after some time, so they can't argue that the obscurity is all their customers need. We don't start with revealing everything when there isn't yet a fix. That makes no one more secure.

    12. Re:Security through obscurity? by mattpalmer1086 · · Score: 1

      Sorry, replying to my own post, but I forgot to make the point I wanted to!

      Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

      It might confer no actual security, but taking the obscurity away straight away will definitely make no-one safer. The possibility exists that some people will be protected by the obscurity, at least in the short term. It just can't be relied upon.

    13. Re:Security through obscurity? by gweihir · · Score: 1

      It goes the other way round: If the exploit is not published, the security level will eventually sink very low for a very long time. If it is published, it is very low for a short time. But that is not the main effect. If the vulnerability is published, future car designs will be made more secure and manufacturers will actually listen to people finding vulnerabilities and be able and willing to do something about the problems.

      Looking at a single incident and then at an isolated part of its future is _not_ a valid model of what is going on here. It is one that appeals to people that do not bother to find out how things work though.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    14. Re:Security through obscurity? by gweihir · · Score: 1

      Your model is flawed. True, if that were a single, not important network and the structure were significantly different from other such networks, a temporary positive effect would be observable. But that is not the case. What happens instead is that the attackers adapt and build network mapper tools. They are quite advanced by now, just have a look into the literature. And then things get worse as they would have been without the obscurity: Attackers can easily get all the information they want, while people that do not get it believe their network is still secure as it is supposed to be obscure and hence other security measures are not implemented.

      No, security by obscurity does not work. No, really, it does not. Look at the scientific literature. This is _very_ well established, but it takes more than a short-term view to see and that is why most people do not get it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    15. Re:Security through obscurity? by gweihir · · Score: 1

      If the manufacturers are rational, you are certainly right, and the whole "responsible disclosure" school of thought agrees. The problem is that many people practicing responsible disclosure run into manufacturers that do absolutely nothing in their grace period except preparing to suppress the information. After having been subjected to that or having observed it, it becomes obvious that responsible disclosure does not work with a large part of the industry. As a result, people that want to disclose observe very carefully who welcomes responsible disclosure and who does not. For those that do not, waiting for them to deal with the vulnerability before disclosure becomes impossible or would take far too long, and full disclosure before they are prepared becomes the only option, as they will not prepare at all otherwise. With full disclosure, they at least have to do something instead of hoping the problem will go away...

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    16. Re:Security through obscurity? by gweihir · · Score: 1

      Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

      I strongly disagree. The problem is that incompetent people (management) routinely misunderstand this and expect that obscurity does give them real and strong security, and hence neglect to implement measures that actually work as they are "not needed" and the expenses can be saved (and funneled into bonuses, for example, or better "performance" numbers). Hence security by obscurity makes you significantly less secure in a very real sense in the typical case. The other thing is that obscurity is _very_ easy to attack, reverse-engineering, spying, bribes, extortion, "venus traps", disgruntled insiders, etc. all work very well and have been perfected over millennia.

      So if all you have is obscurity, you better realize the seriousness of your problem and make sure you get something real to protect you asap and make very sure you never end up in this stupid and vulnerable a position again.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Security through obscurity? by mattpalmer1086 · · Score: 1

      I think we're actually in violent agreement. I completely agree that obscurity doesn't give you any real security, and yes people need to understand this.

      But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

      If you agree with that, then you are also acknowledging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerabilities immediately before a fix can be prepared does not weaken anyone's security...?

    18. Re:Security through obscurity? by pakar · · Score: 1

      It does work and does help out quite a bit...

      If you take 2 products that do the same thing. The product-lifetime is ~3 years and new firmware is required every 3 months for it to continue working.
      Product 1 has security features X,Y,Z and uses obfuscation to make it extremely hard to actually do reverse-engineering on.
      Product 2 has security features X,Y,Z.
      (X,Y,Z is the same code implemented on both products)

      What product do you think will be first to be attacked? If you make the reverse-engineering for the product hard enough so it will take at least 6 months it will effectively make the product non-interesting for most attackers... Also adding things that make attacks non-scalable or requires soldering and other physical modifications of the product removes quite a bit of incentive too...

      There is a big difference in security and security..... Consumer-products do usually require much less security and instead require mitigation of successful attacks, and if the attack is non-scalable to more than a few devices it is usually accepted as secure enough...

      1. Remotely attack a car and disable the brakes.
      2. While in the car, disable the brakes.
      3. While in the car required to unscrew a panel to disable the brakes.
      4. Before starting the car open the hood and connect a cable to the computer and then when driving disable the brakes..

      The only really bad one here is probably nr 1...

    19. Re:Security through obscurity? by gweihir · · Score: 1

      But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

      If you agree with that, then you are also acknowledging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerabilities immediately before a fix can be prepared does not weaken anyone's security...?

      The problem here is the "reasonable amount of time". Many industry players take that to mean "forever" or "until the next major release or the one after that", and that is just not acceptable in most cases. The thing is that using unsuitable values for "reasonable amount of time" does establish precedent, and any time somebody goes along with such an unsuitable value makes _everything_ that is subject to security flaws less secure. This is about setting standards.

      That said, if a vendor truly has problems fixing something fast, they need to explain this very carefully to the people that have found the flaw and present them with a reasonable plan how this is going to be fixed and how their customers will be protected in the meantime. They also need to acknowledge that not publishing such work for a longer time costs the researcher reputation and, for example, involve the researcher in the fix by means of acknowledgement of his/her accomplishment. (No, not "buying them off", recognition is something far more subtle and not a moral problem.) Doing all these things, almost no security researcher would publish prematurely and many will give good input on how to fix the issue and on how to avoid a repetition.

      But swinging the big club, characterizing the research as the problem instead of their own screwup is going to accomplish exactly the opposite and deservedly so. Quite often the reasons for this stupid approach will be an internal problem where some manager made the wrong call (often despite evidence that suggests it was the wrong one) and tries to sweep this under the rug.

      So yes, temporary obscurity can help if it actually is used to fix the problem in a determined and competent manner. The "determined" and "competent" has to be verifiable for the one that found the flaw. It also helps for a time if the fixing is not done that way, but then it makes the whole culture and practice surrounding this type of issue worse to a degree that the local gain from the specific issue is vastly offset by the global loss.

      And yes, I know people that have tried to report vulnerabilities and I have tried doing so myself, only to run into denial, accusations, threats and all the stupid reactions you can imagine, typically because some people wanted to obscure that they messed up. This is the "obscure forever" reaction, no fixing of the problem to be done. And yes, some of these were really critical things. Critical as in if a competent attacker looks, it will be low-effort to find and exploit and the potential damage will be huge. I can very well understand that quite a few security researchers are fed up with this management BS perpetrated by people that do not understand that power comes with responsibility and that said researchers are unwilling to continue to go along with it.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    20. Re:Security through obscurity? by Miamicanes · · Score: 1

      The fundamental problem is that cars are kind of like American Android phones... consumers are mostly powerless to do *anything* to fix vulnerabilities, and carriers won't do anything they aren't forced to do by law. And the law itself is only slightly less castrated and toothless than consumers.

      If a car suddenly becomes something you can't safely use (or at least leave unattended in a non-secure location), there's no meaningful immediate recourse for consumers, and that's a real problem with real consequences for real people.

      The solution isn't to contact the automakers and keep it a secret... the solution is to quietly meet with representatives from Allstate, Progressive, and State Farm (among others), and demonstrate it to THEM. They're better at getting the attention of Congress and the auto industry, and you can BET they'd be on the ball if they thought there was a vulnerability that could leave them on the hook for billions of dollars worth of insurance claims.

    21. Re:Security through obscurity? by phorm · · Score: 1

      Security through obscurity is basically a form of delaying the inevitable. It doesn't prevent a compromise, but it may delay it. STO is best used in conjunction with other, more effective security methods.

  3. Bottle - Genie? by CoolGopher · · Score: 1

    So how is anyone, courts included, meant to unpublish something? Unless a security researcher is saying "in X days I'll release the details on vulnerability Y" how would you even know to get a court injunction against said person? Once the cat is out of the bag, that's it.

    Of course, I can then see the "logical" progression that all vulnerability disclosure must be outlawed - think of the children!

    1. Re:Bottle - Genie? by Trax3001BBS · · Score: 1

      So how is anyone, courts included, meant to unpublish something?

      It's happened already.

      Today I had a chance to read about zero day vulnerability in vehicles but passed on the article because I've read it already, or similar (Bluetooth). A link from a site that handles current headline news. It's been removed from that site and the site's history.

      Google has this but it links to a 404,

      Full Hacker News - Svay
      svay.com/projects/FullHackerNews/?l=linux-kernel&m...q=raw?
      18 hours ago - You can't manage this competition while sipping margaritas all day from your ..... of a single address,
      followed by zero or more delimiter and single address pairs. ...... The cars are protected by a system called
      Megamos Crypto, an algorithm ... Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the ...

      If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

      London, July 27 : A British computer scientist, who cracked security system of cars including Porsches, Audis, Bentleys and Lamborghinis, has been banned from publishing an academic paper revealing the secret codes as it could lead to the theft of millions of vehicles. - See more at: http://www.newkerala.com/news/story/47249/scientist-banned-from-publishing-research-containing-luxury-car-security-codes.html#sthash.fJvoQSgv.dpuf

      That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

    2. Re:Bottle - Genie? by Trax3001BBS · · Score: 2

      If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

      That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

      Enamored so by the self writing javascript I posted the wrong address
      https://www.usenix.org/conference/usenixsecurity13/session/attacks and what this ruling blocks.

    3. Re:Bottle - Genie? by gweihir · · Score: 1

      Simple: "The law" has only a remote connection to reality, but it does ignore that fact consistently. They are doing significant damage here, as in the future, things like this will just get published anonymously.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. ridiculous by Xicor · · Score: 1

    I would much prefer that they can be released to the public and subsequently FIXED than have a researcher sell it to criminals or use it himself to steal cars.

    1. Re:ridiculous by Z00L00K · · Score: 2

      What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles find their way to eastern Europe.

      What immobilizers do is to deter joyriders and crackheads from stealing cars. The professionals already know how.

      And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  5. How long have they known? by gman003 · · Score: 5, Interesting

    It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

    If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

    And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    1. Re:How long have they known? by Anonymous Coward · · Score: 1

      I wouldn't be surprised if the first thing the producer of the flawed product does is immediately hit their lawyers and try to get some type of gag order before a security flaw goes public. It is a lot easier to tie up a person with litigation (or even have them arrested) than it is to actually bother fixing things.

      The only real protection against this is having someone in another country have the information. If a gag order is placed, that person will reveal the details from their place. Perhaps multiple people.

    2. Re:How long have they known? by MikeBabcock · · Score: 1

      It's not standard practice, it's a commonly requested nicety.

      An awful lot of zero day exploits are so bad that people should know about them just as soon as manufacturers in order to defend themselves.

      What's sick is that so many people in our day and age consider their cars, computers and everything else black boxes that should be managed from the outside instead of taking responsibility for them. I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task. Auto manufacturers for all we know played fast and loose with designing these systems -- yet another reason to push for more not less openness.

      --
      - Michael T. Babcock (Yes, I blog)
    3. Re:How long have they known? by eth1 · · Score: 2

      Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.

      It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

      If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

      And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    4. Re:How long have they known? by RandomFactor · · Score: 3, Interesting

      I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

      This is a false dichotomy. The better answer is both.

      I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

      --
      --- Mercutio was right.
    5. Re:How long have they known? by Tom · · Score: 1

      If the car industry is anything like the IT industry, it will be a ton of work to even reach someone who understands what the problem is.

      These days, IT has finally learnt, but I still remember times where researchers had a hard time getting their 0-days to the attention of the manufacturer because corporations have a strong tendency to make it very, very hard to identify and contact anyone on the inside who's not in sales.

      --
      Assorted stuff I do sometimes: Lemuria.org
    6. Re:How long have they known? by Z00L00K · · Score: 1

      The big fish already knows how to get around the immobilizers, and the crackheads and joyriders won't care since they aren't willing to put money and effort into getting a device. The mid sector of criminals will now know that it's possible and there will be a demand on ready to use devices - provided by the big guys.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  6. But am I vulnerable? by bobstreo · · Score: 1

    My car doesn't have power windows, or keyless entry or even remote start.

    They may be able to impact my cassette player?

    How will I know if I can't read the article?

    1. Re:But am I vulnerable? by sinij · · Score: 1

      Relax, you are not vulnerable to automotive theft by virtue of driving a rusted Grand Caravan.

    2. Re:But am I vulnerable? by iggymanz · · Score: 1

      Guess again, just checked 2012 list of 10 most stolen cars in America (excludes SUV and trucks), 2000 Caravan is #5

    3. Re:But am I vulnerable? by flyingfsck · · Score: 2

      "cassette player" I heard that 8 track players are in demand again with the over 70s nostalgia crowd...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
  7. Re:Great Idea! by meerling · · Score: 1

    Actually, knowing it exists reduces the required resources by 90% or so.
    Yeah, that's just a percentage I made up, but it has definitely been shown that as long as someone knows it's possible, because someone else did it, it will be repeated, and often in only a fraction of the time and other resources it took for the first one to achieve it, even if the details are kept top secret.

  8. Re:ATTENTION BEAN SPILLERS !! by EmperorArthur · · Score: 2

    Do not announce !! SPiLL !! SPiLL !! SPiLL !!

    Muw haha haha !!

    It sounds harsh, but this whole injunction and others like it are why so many people are against responsible disclosure. If you put it on the internet, then by the time someone could issue an injunction it's too late.

    Expect to see this leaked/rediscovered, and then the court to blame the researcher.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  9. That's nothing compared to Black Hat by Animats · · Score: 5, Interesting

    Take a look at this year's Black Hat presentations. These are just the ones on vulnerabilities in embedded systems.

    • Compromising Industrial Facilities From 40 Miles Away
    • Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
    • Exploiting Network Surveillance Cameras Like a Hollywood Hacker
    • Fact and Fiction: Defending your Medical Devices
    • Hacking, Surveilling, and Deceiving victims on Smart TV
    • Home Invasion v2.0 - Attacking Network-Controlled Hardware
    • Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
    • Implantable Medical Devices: Hacking Humans
    • Let's get physical: Breaking home security systems and bypassing buildings controls
    • Out of Control: Demonstrating SCADA device exploitation
    • The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!
  10. D'oh by SigmaTao · · Score: 1

    Even *if* they could suppress the details of how it's done across Britain, do they not understand that the idea that it is possible, is enough for smart people to figure it out independently of this research?
    Why don't they order it to be fixed rather than trying to prevent the information about it to be suppressed "somehow"?
    Why don't they take it to another level and have a system implemented for identifying and solving problems like this - something like the air safety board when they investigate accidents? An automakers software / hardware safety council?

  11. Black hat by t8z5h3 · · Score: 1

    This is because of Black Hat. This changes nothing and, if anything, makes the really bad hackers, the ones with out a sol, move faster to put an exploit in the wild. Who of us thinks there will be a story next week about cars being stolen and driven into water as a call to action by Anonymous or LulzSec?

  12. not even until fix, until a full hearing by raymorris · · Score: 5, Insightful

    Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

    A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

    Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect or intent of the injunction.

    1. Re:not even until fix, until a full hearing by Tom · · Score: 2

      A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.

      Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the court's opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary injunction.

      --
      Assorted stuff I do sometimes: Lemuria.org
    2. Re:not even until fix, until a full hearing by Anonymous Coward · · Score: 1

      I was deeply involved in corporate legal stuff

      Well, corporate legal stuff. You're still the wrong one. If the court thought the plaintiff was full of shit, that would be an opinion on the matter. Having two people come to you and telling them to put something on hold until you sort it out is not an opinion on which person is right.

    3. Re:not even until fix, until a full hearing by SuricouRaven · · Score: 1

      How do they fix this? They can put a new firmware in cars easily enough, but the many already on the road have no auto-update capability, and the typical driver isn't even aware their car has firmware. Assuming it's something that can be updated - I wouldn't be surprised if this is handled by a chip that needs to be physically replaced by a garage.

    4. Re:not even until fix, until a full hearing by Tom · · Score: 1

      You seem to think the world freezes in place while the court goes through the full hearing. That isn't the case and courts know that. Before issuing a temporary injunction, they will consider a) if the plaintiff has a chance to prevail and b) if he will take irreparable harm if he doesn't get the injunction. Those are the legal standards for a temporary injunction. And yes, they include an opinion. That is why many plaintiffs who get a temporary injunction rejected will also drop the full case.

      --
      Assorted stuff I do sometimes: Lemuria.org
    5. Re: not even until fix, until a full hearing by jesseck · · Score: 1

      That's easy, just tell the owners that their floormats cause the problem, and fix it while those are being replaced.

    6. Re:not even until fix, until a full hearing by icebike · · Score: 1

      It's most likely firmware, and as for the auto update capability, any car new enough to have this feature will have an update capability, because almost every car gets software updates.

      Not all are applied, especially after the car is out of warranty, or resold, but most people have these updates applied at their next service. Very few people buy a new car and then never visit the dealership again.

      --
      Sig Battery depleted. Reverting to safe mode.
    7. Re:not even until fix, until a full hearing by DickBreath · · Score: 1

      There is nothing so permanent as:
      1. A temporary injunction to prevent publication of an embarrassing and/or expensive security vulnerability
      2. A temporary hack to be fixed later so we can ship the product now

      Both are designed to protect profit from having to do the right thing.

      --
      I'll see your senator, and I'll raise you two judges.
  13. "Reasonable time" by flyingfsck · · Score: 1

    Under English law 'a reasonable time' is usually 14 days. So unless the court put a date on it, the injunction will expire quite soon.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  14. Ban publication? by fustakrakich · · Score: 1

    All that does is raise the price of the exploit on the market. Oh by the way, is this 'exploit' the same thing as the repo man's kill switch?

    --
    “He’s not deformed, he’s just drunk!”
  15. this should be standard by bob_jenkins · · Score: 1

    It should be standard that you notify the company before releasing the flaw publicly, and it should also be standard that after some waiting period the bug should go public. Well, standard per product ... different products have different release cycles, I could see some wanting 2 months while others want 1 year. But it should be public information, that product X you should notify them first then you're allowed to report the bug publicly after n months. That waiting period should be part of the product specs.

    1. Re:this should be standard by mark-t · · Score: 2

      Why?

      While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.

      It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people vulnerable for a far longer period to criminals who *DON'T* rely on publicly published media for their information.

      And you know that stealing cars is already illegal, right? And that it's not exactly something that is always just as easy to get away with as, say, remotely hacking into somebody's computer. Especially in cities that have instituted bait car programs.

    2. Re:this should be standard by frovingslosh · · Score: 5, Insightful

      On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.

      --
      I'm an American. I love this country and the freedoms that we used to have.
    3. Re:this should be standard by bob_jenkins · · Score: 1

      Yes, exactly. This is a mechanism for motivating companies to correct it ... if there was a default 6-month waiting period, and some products had a 2 month one and others a 1 year one, and some refused to have any, that's information prospective customers can take into account.

  16. Re:Great Idea! by lxs · · Score: 1

    Now that post is straying dangerously close to the concept of morphic resonance.

  17. okay... by slashmydots · · Score: 1

    So tell the auto makers then wait 24 hours then tell everyone. Then it's one day.

  18. So, we don't need Knight Rider's KITT microlock? by kriston · · Score: 1

    So, we don't need Knight Rider's KITT microlock brakes anymore? Cool. Those were pretty cumbersome 1980s technology to deal with, anyway.

    --
    Kriston

  19. Re:Great Idea! by Anonymous Coward · · Score: 2, Insightful

    Seriously, how do people this stupid become judges?

    Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding.

    The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.

  20. Re:Great Idea! by gweihir · · Score: 1

    Seriously, how do people this stupid become judges?

    That is by design. Judges are people tasked to interpret the law like it would apply to reality. It quite obviously does not in most instances, and hence judges have to be inherently stupid. Those that are not become lawyers (what they do is stupid, but at least they get rich), or never go into the study of law in the first place.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  21. stupidity won again by Tom · · Score: 4, Insightful

    Yep, the court fell for the oldest and most blatantly false argument of the full disclosure opponent.

    The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.

    What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.

    What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintenance cycle, but don't count on it.

    The next years will be a great time to be a car thief.

    --
    Assorted stuff I do sometimes: Lemuria.org
    1. Re:stupidity won again by IamTheRealMike · · Score: 1

      The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do.

      Erm, no you can't. Your experience is obviously wrong if you conclude that.

      Immobilisers are mandatory in the EU since 1998 because they had an absolutely massive effect on car theft. From el wiki:

      Statistics in Australia show that 3 out of 4 vehicle thefts are older cars stolen for joyriding, transport or to commit another crime. Immobilisers are fitted to around 45% of all cars in Australia, but account for only 7% of those cars that are stolen. In many instances where a vehicle fitted with an immobiliser has been stolen, the thief had access to the original key. Only around 1 in 4 stolen vehicles are stolen by professional thieves. The majority of vehicles are stolen by opportunistic thieves relying on finding older vehicles that have ineffective security or none at all.

      From this paper

      Application of the security device reduced the rate of car theft by an estimated 70 percent in the Netherlands and 80 percent in England and Wales, within ten years after the regulation went into effect. Based on micro-data on time to recovery of stolen cars for the Netherlands, we find that the device had a greater impact on theft for joyriding and temporary transportation than on theft for resale and car parts. The costs per prevented theft equal some 250 Euro for England and Wales and 1,000 Euro for the Netherlands; a fraction of the social benefits of a prevented car theft

      Obviously, in that timeframe not all immobilisers were secure, as we're now learning that some have exploits (also see the BMW recall). Yet car theft dropped a lot anyway. The only explanation is that "bad guys" (who come in all shapes and sizes) did not have that knowledge, the skills needed to be a car thief not often overlapping with the skills needed to break complex security electronics.

  22. They never fixed it so far by dutchwhizzman · · Score: 4, Interesting

    Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

    Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:They never fixed it so far by drinkypoo · · Score: 1

      I solved this problem by buying a 1982 Mercedes. Nobody wants to steal it.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    2. Re:They never fixed it so far by Cederic · · Score: 4, Informative

      erm. BMW did fix this, and upgraded the software in my car for free with the fix.

    3. Re:They never fixed it so far by Goaway · · Score: 1

      I am sure that loss of one sale will hurt them really bad.

    4. Re:They never fixed it so far by mpe · · Score: 1

      Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house.

      Note that "in house" actually meant "at every BMW dealership" rather than "only at BMW HQ in Munich". They may well have not made any of the parts of the system themselves.

      Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low.

      It isn't uncommon for car makers to refuse to fix faults unless forced to by a regulator. Since this fault does not affect safety it may well be outside the remit of any regulator in Europe.

      Right now, there's no indication that VW can and will fix this problem once it gets out.

      It may already be "out" so far as car thieves are concerned. Wonder how many parts suppliers VW and BMW have in common.

    5. Re:They never fixed it so far by nazsco · · Score: 1

      Moron. It's a feature. BMW is the only one where you can get a blank from the dealer for less than $30 and program it following instructions from the user's manual.

    6. Re:They never fixed it so far by nosferatu1001 · · Score: 3, Informative

      Misinformation abounds...

      This. Problem. WAS. fixed. Through a recall, and an update during routine service.

      Disclosure: I work for BMW UK. The storm we had following watchdog didn't help.

    7. Re:They never fixed it so far by zipn00b · · Score: 1

      To my knowledge that's a known FEATURE of many systems - not just BMW. However many vehicles will only accept a total of like 3 or 4 keys. But it allows a quick way to replace a lost key whether done by the dealership or by the owner. It DOES require a functioning key with the systems I'm familiar with (can't afford a BMW) so in like a valet parking situation there's a risk but valet parking is always a risk. Anytime somebody besides you has access to the car and the key there's a risk. I've also seen "blanks" for a variety of models of vehicles on the internet often at considerable savings over going to the dealer. I think one vehicle the dealer wanted like $250 for a lost key and I got a "blank" for $40 and programmed it in just a few minutes - well worth the difference........

    8. Re:They never fixed it so far by zipn00b · · Score: 1

      Is it a diesel? Those things last nearly forever!

    9. Re:They never fixed it so far by zipn00b · · Score: 1

      I must have misread the posting then. I know that if you have a working key most vehicles have a sequence in the manual that let you program a replacement key fairly quickly. Making one by pulling the key code over the OBD plug though would be interesting but not necessarily something your average car thief would be doing but there are definitely some parts "sourcers" that might do something like that as they make enough off a vehicle to be worth the time and trouble......

    10. Re:They never fixed it so far by drinkypoo · · Score: 1

      Yes, it is powered by the venerable OM617.951 and it only has about a quarter-million miles on it, so it should be good to go for a while yet. I rebuilt the turbo not long ago... It looks a little crappy, but it goes like stink. Most amazing three liter ever, unless you count that one from Toyota which is in a much less reliable class to say the least

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  23. Megamos RFID cracked by dutchwhizzman · · Score: 2

    Any car that uses the Megamos RFID chip to identify the key will be vulnerable. To fix this, the manufacturer will have to replace all keys and the receiver and reprogram all computers in the cars infected. VAG here has a problem with most recent Volkswagens, Audis, SEATs, Skodas, Bentleys, Lamborghinis and Porsches. Other manufacturers that rely on this system are probably affected too. Chances that VAG will proactively call back all these vehicles are extremely slim. A temporary injunction serves no purpose, unless VAG can prove without a doubt that they can and will fix this within a very short time frame. Mind you, designing a new system, testing it for security, mass producing it and recalling all cars will probably take well over a year before they can even start recalling and cost tens of billions to implement for VAG.

    --
    I was promised a flying car. Where is my flying car?
  24. Which law? by Meneth · · Score: 1

    What kind of law would allow a court to do this? I can't find any mention in TFA.

    Also, can we get a copy of the court's decision document?

    1. Re:Which law? by Kijori · · Score: 1

      I suspect that there won't be an interesting judgment to read. This, from the sound of things, is a temporary injunction before the actual hearing. The companies are presumably claiming that there is some reason for which they are entitled to prevent publication (perhaps they are claiming that the scientists obtained confidential information - we don't know). Whether they win or lose, they are entitled to a hearing; and it would defeat the point of the hearing if the scientists could release the information now and therefore be injunction-proof. The court therefore issues an injunction temporarily to preserve the status quo. If the scientists now go on to win, the injunction will have an impact on the costs that they can recover from the car companies.

      Hopefully the judge will also have ordered a speedy trial (which might mean a hearing within 6 weeks), so that the injunction doesn't need to last long.

  25. Re:Great Idea! by Dunbal · · Score: 1

    I think you missed the sarcastic tone of OP's post. Still you are also correct. What I find hilarious is the persistent belief by the courts that their jurisdiction covers the entire globe. Thanks to the internet, anyone can publish anything globally within hours. The internet cannot be censored even though it seems that governments are trying really really hard nowadays. I expect to be able to buy t-shirts with the exploit printed on them very soon.

    --
    Seven puppies were harmed during the making of this post.
  26. Ineptitude as well by PigleT · · Score: 1

    This is the same VW that have failed to diagnose my faulty immobilizer 3 times now, is it? If I knew the exploit then at least I could disable the blasted thing myself and get moving again when it plays up!

    Or maybe I'm being hacked remotely and don't know it...

    --
    ~Tim
    --
    .|` Clouds cross the black moonlight,
    Rushing on down to the circle of the turn
  27. Re:too bad we don't use these zero days to take do by Dunbal · · Score: 1

    Because most people are generally honest, law abiding citizens. The heat has to be turned up quite a bit more before your average Joe becomes a homicidal maniac bent on revenge against a tyrannical establishment. Of course once that happens, it's irreversible.

    --
    Seven puppies were harmed during the making of this post.
  28. Re:Beware he who would deny you access to informat by xarragon · · Score: 1

    The best quote from Alpha Centauri (old video game).

  29. FreeNet by nurb432 · · Score: 1

    Just publish there, or other anonymous ways that can't be taken down.

    Laws and judgments like this should not be followed as they are anti-freedom.

    --
    ---- Booth was a patriot ----
  30. Anti theft device by PPH · · Score: 1

    My car has an ingenious anti-theft device. I'm sure most thieves will not be able to overcome it in order to start my car.

    It's a knob labeled "Choke" on the dashboard.

    --
    Have gnu, will travel.
  31. Streisand Keys by MajVariola · · Score: 1

    VW doesn't get the Streisand effect, eh? When engineering fails use the (violence implied by the) law? Reverse engineering is not only protected, but essential to survival. Security by obscurity is a comedy plot not an assurance policy.

    1. Re:Streisand Keys by MajVariola · · Score: 1

      PS When can I get a T-shirt with the key and algorithm on it? My DeCSS shirt is getting worn.

    2. Re:Streisand Keys by Stan92057 · · Score: 1

      You think the US is the only country on the planet? "Reverse engineering is not only protected, but essential to survival." That statement is for the USA only, other countries don't have the same laws or protections.

      --
      Jack of all trades,master of none
  32. Temporary injunction. by phorm · · Score: 1

    Well, an injunction that's only good for X days might be a good incentive to fix the issue before X days is up...

  33. i get it by KingBenny · · Score: 1

    that means criminals are idiots and would never resort to doing research so just keep everyone stupid on all subjects and no holes need to be plugged. Every time i open my eyes and it's only 6am i smell doom at the horizon.

    --
    Free speech was meant to be free for all... how can anyone grow up in a nanny state ?