Judge Rules In Favor of Volkswagen and Silences Scientist

sl4shd0rk writes "Samsung-is-not-as-cool-as-Apple Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August. Volkswagen says the flaw could allow someone to 'break the security and steal a car' so it is justifiable grounds for blocking Flavio's paper. No word yet on how soon Volkswagen will have a patch."

Re:There's a wa out for him...

[Nyder]

Judge Colin Birss, rules in favor of Volkswagon to ban Flavio Garcia, a computer scientist, from revealing details about 'Wirelessly Lockpicking a Vehicle Immobiliser' at USENIX in August.

How about if it "turns out" that this fella Flavio Garcia wasn't doing research alone, and that members of his team would want to "leak" the details on torrent sites?

We could still get them, no?

By the way, who believes that the fella Flavio Garcia, is the only fountain of knowledge on the matter?

It doesn't matter. Now everyone knows it can be done, other people will be working on it. Criminals probably.

Sort of like how once we made a nuclear bomb, other scientist were able to make nuclear bombs.

Re:Solution timetable

[rwise2112]

Shouldnt Volkswagen be forced to provide a timetable as to when this will be fixed so the temporary egregious act of suspending the First for this person can be lifted? It is Volkswagen's fault, they need to fix it now.

So it seems that some form of this Megamos Crypto is used by just about all manufacturers. Does anyone know if all versions are broken? Since they all use it, it may come from a 3rd party, so Volkswagen may noy know when or how to fix it.

Re:This is why we have a first amendment.

[Sir_Sri]

The only difference is now only the bad actors know about the problem.

Know about but not necessarily how to actually do it. About all they know is from the guardian article that it took upwards of 50 000 GBP worth of equipment (and some security researchers) to actually figure out how to do it.

He should have disclosed without notifying. That way they could not have stopped him.

The point of notification is to give them an opportunity to fix it. The problem with cars is that 'fixing' it may not be possible, or may be astronomically expensive.

Volkswagon wanted them to publish a redacted version of the paper, that explained how they did the hack but not the actual key (codes) they discovered, and they refused. That seems kind of dickish on the researchers parts honestly. It depends on the details of what exactly was to be redacted, so I'll withhold too much judgment, but with things that aren't connected to the internet there's a big problem in trying to actually roll out fixes. Of course there's no point in publishing a paper if you can't say anything about your method used, and if anything interesting about that was redacted it's basically a non starter.

As we embed computers into more things this is going to be a bigger problem going forward. Are we going to need to replace 100 dollar car FOB starters every time there's a security hack? I suppose it might come to that, it's not like physical car locks are all that secure either. But if the hack requires 100 000 dollars in equipment and professional security expert time that puts the barrier to common criminals high.

The researchers main point seems to be that they aren't saying anything that isn't already public just from a different method. In that case sure, I suppose they could have just published and the situation wouldn't be much different. But I'm not sure how true their claim is.

Sounds like it's already out there...

[GodfatherofSoul]

It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.

My only objection to hackers revealing exploits is they must give the affected company time to fix the problem. This time is going to be longer for VW since their software is literally running all over the world. But, 4 years is ample time.

I'd be curious to know exactly what VW has done to address the problem, or more broadly did they even *bother* to fix the problem.