Slashdot Mirror


English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."


  1. that settles it by frovingslosh · · Score: 5, Insightful

    It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

    --
    I'm an American. I love this country and the freedoms that we used to have.
    1. Re:that settles it by gagol · · Score: 5, Insightful

      Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer has an incentive to ACTUALLY FIX the problem.

      --
      Tomorrow is another day...
    2. Re:that settles it by bill_mcgonigle · · Score: 5, Insightful

      It sure is a good thing that England controls the entire Internet

      Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

      So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:that settles it by meerling · · Score: 5, Insightful

      I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

      Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

    4. Re:that settles it by hutsell · · Score: 5, Informative

      Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

      The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

      Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

      It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

      --
      Yesterday's Weirdness is Tomorrow's Reason Why
    5. Re:that settles it by EmperorArthur · · Score: 5, Interesting

      Now here's a thought.

      Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

      --
      So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
    6. Re:that settles it by Anonymous Coward · · Score: 5, Informative

      The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

      In real life, the powers that be want the guy muzzled.

      The lesson learned is to do one of three things if finding an exploit:

      1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

      2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

      3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

    7. Re:that settles it by sabri · · Score: 2, Funny

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      Yeah, next thing you know they'll be banning porn!

      --
      I'm not a complete idiot... Some parts are missing.
    8. Re:that settles it by Opportunist · · Score: 5, Insightful

      Not only that, but to have a claim against insurance when (not if) this blows.

      It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

      It is VITAL that not only manufacturers but also insurances get this information!

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    9. Re:that settles it by Chrisq · · Score: 2

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      I think this is the real reason behind Cameron's porn block. He starts off talking about porn but then when discussing details it's suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't hear.

    10. Re:that settles it by isorox · · Score: 2

      In real life, the powers that be want the guy muzzled.

      In the UK they use the courts to block the publication of the paper

      In the US they use the CIA to murder the author

  2. Security through obscurity? by gagol · · Score: 2

    I thought this one died 10 years ago...

    --
    Tomorrow is another day...
    1. Re:Security through obscurity? by Pentium100 · · Score: 4, Insightful

      Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

      For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot (there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.

      Same thing here - while the system is not as secure as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.

      My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.

    2. Re:Security through obscurity? by fuzzyfuzzyfungus · · Score: 2

      I thought this one died 10 years ago...

      For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.

  3. How long have they known? by gman003 · · Score: 5, Interesting

    It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

    If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

    And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    1. Re:How long have they known? by eth1 · · Score: 2

      Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.

      It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

      If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

      And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    2. Re:How long have they known? by RandomFactor · · Score: 3, Interesting

      I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

      This is a false dichotomy. The better answer is both.

      I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

      --
      --- Mercutio was right.
  4. Re:ATTENTION BEAN SPILLERS !! by EmperorArthur · · Score: 2

    Do not announce !! SPiLL !! SPiLL !! SPiLL !!

    Muw haha haha !!

    It sounds harsh, but this whole injunction and others like it are why so many people are against responsible disclosure. If you put it on the internet, then by the time someone could issue an injunction it's too late.

    Expect to see this leaked/rediscovered, and then the court to blame the researcher.

    --
    So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
  5. That's nothing compared to Black Hat by Animats · · Score: 5, Interesting

    Take a look at this year's Black Hat presentations. These are just the ones on vulnerabilities in embedded systems.

    • Compromising Industrial Facilities From 40 Miles Away
    • Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
    • Exploiting Network Surveillance Cameras Like a Hollywood Hacker
    • Fact and Fiction: Defending your Medical Devices
    • Hacking, Surveilling, and Deceiving victims on Smart TV
    • Home Invasion v2.0 - Attacking Network-Controlled Hardware
    • Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
    • Implantable Medical Devices: Hacking Humans
    • Let's get physical: Breaking home security systems and bypassing buildings controls
    • Out of Control: Demonstrating SCADA device exploitation
    • The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!
  6. Re:Bottle - Genie? by Trax3001BBS · · Score: 2

    If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

    That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

    Enamored so by the self writing javascript I posted the wrong address
    https://www.usenix.org/conference/usenixsecurity13/session/attacks and what this ruling blocks.

  7. not even until fix, until a full hearing by raymorris · · Score: 5, Insightful

    Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

    A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

    PS - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect or intent of the injunction.

    1. Re:not even until fix, until a full hearing by Tom · · Score: 2

      A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.

      Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the court's opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary injunction.

      --
      Assorted stuff I do sometimes: Lemuria.org
  8. Re:But am I vulnerable? by flyingfsck · · Score: 2

    "cassette player" I heard that 8 track players are in demand again with the over 70s nostalgia crowd...

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  9. Re:this should be standard by mark-t · · Score: 2

    Why?

    While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.

    It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people vulnerable for a far longer period to criminals who *DON'T* rely on publicly published media for their information.

    And you know that stealing cars is already illegal, right? And that it's not exactly something that is always just as easy to get away with as, say, remotely hacking into somebody's computer. Especially in cities that have instituted bait car programs.

  10. Re:this should be standard by frovingslosh · · Score: 5, Insightful

    On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  11. Re:Great Idea! by Anonymous Coward · · Score: 2, Insightful

    Seriously, how do people this stupid become judges?

    Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding?

    The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.

  12. stupidity won again by Tom · · Score: 4, Insightful

    Yep, the court fell for the oldest and most blatantly false argument of the full disclosure opponent.

    The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.

    What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.

    What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintenance cycle, but don't count on it.

    The next years will be a great time to be a car thief.

    --
    Assorted stuff I do sometimes: Lemuria.org
  13. Re:ridiculous by Z00L00K · · Score: 2

    What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles find their way to eastern Europe.

    What immobilizers do is deter joyriders and crackheads from stealing cars. The professionals already know how.

    And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.

    --
    If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  14. They never fixed it so far by dutchwhizzman · · Score: 4, Interesting

    Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

    Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.

    --
    I was promised a flying car. Where is my flying car?
    1. Re:They never fixed it so far by Cederic · · Score: 4, Informative

      erm. BMW did fix this, and upgraded the software in my car for free with the fix.

    2. Re:They never fixed it so far by nosferatu1001 · · Score: 3, Informative

      Misinformation abounds...

      This. Problem. WAS. fixed. Through a recall, and an update during routine service.

      Disclosure: I work for BMW UK. The storm we had following watchdog didn't help.

  15. Megamos RFID cracked by dutchwhizzman · · Score: 2

    Any car that uses the Megamos RFID chip to identify the key will be vulnerable. To fix this, the manufacturer will have to replace all keys and the receiver and reprogram all computers in the cars infected. VAG here has a problem with most recent Volkswagens, Audis, SEATs, Skodas, Bentleys, Lamborghinis and Porsches. Other manufacturers that rely on this system are probably affected too. Chances that VAG will proactively call back all these vehicles are extremely slim. A temporary injunction serves no purpose, unless VAG can prove without a doubt that they can and will fix this within a very short time frame. Mind you, designing a new system, testing it for security, mass producing it and recalling all cars will probably take well over a year before they can even start recalling and cost tens of billions to implement for VAG.

    --
    I was promised a flying car. Where is my flying car?