English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."

that settles it

[frovingslosh]

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

Re:that settles it

[gagol]

Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer have an incentive to ACTUALLY FIX the problem.

Re:that settles it

[bill_mcgonigle]

It sure is a good thing that England controls the entire Internet

Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

Re:that settles it

[meerling]

I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

Re:that settles it

[hutsell]

Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

Re:that settles it

[EmperorArthur]

Now here's a thought.

Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

Re:that settles it

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

In real life, the powers that be want the guy muzzled.

The lesson learned is to do one of three things if finding an exploit:

1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

Re:that settles it

[Opportunist]

Not only that, but to have a claim against insurance when (not if) this blows.

It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

It is VITAL that not only manufacturers but also insurances get this information!

How long have they known?

[gman003]

It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

That's nothing compared to Black Hat

[Animats]

Take a look at this year's Black Hat presentations. These are just the ones on vulnerabilities in embedded systems.

• Compromising Industrial Facilities From 40 Miles Away
• Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
• Exploiting Network Surveillance Cameras Like a Hollywood Hacker
• Fact and Fiction: Defending your Medical Devices
• Hacking, Surveilling, and Deceiving victims on Smart TV
• Home Invasion v2.0 - Attacking Network-Controlled Hardware
• Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
• Implantable Medical Devices: Hacking Humans
• Let's get physical: Breaking home security systems and bypassing buildings controls
• Out of Control: Demonstrating SCADA device exploitation
• The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!

not even until fix, until a full hearing

[raymorris]

Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect of the or intent of the injunction.

Re:this should be standard

[frovingslosh]

On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.