Luxury Car Hacker To Speak At USENIX Despite Injunction
alphadogg writes "The lead author of a controversial research paper about flaws in luxury car lock systems will deliver a presentation at this month's USENIX Security Symposium even though a UK court ruling (inspired by a Volkswagen complaint) has forced the paper to be pulled from the event's proceedings. USENIX has announced that 'in keeping with its commitment to academic freedom and open access to research,' researcher Roel Verdult will speak at the Aug. 14-16 conference, to be held in Washington, D.C. Verdult and 2 co-authors were recently prohibited by the High Court of Justice in the U.K. from publishing certain portions of their paper, 'Dismantling Megamos Crypto: Wireless Lockpicking a Vehicle Immobilizer.' Among the most sensitive information: Codes for cracking the car security system in Porsches, Audis, etc."
Because if they block the documents, organized crime will never find out.
c++;
does not extend into the US where the conference will be held.
Have you ever used an SDR to read the transaction between a fob and a Volkswagen? It's very interesting. Also it's not encrypted. I don't know why.
Fuck the limey court.
Once scientists, even the dim-witted social scientists, get muzzled, Western civilization is finished.
Seriously, what's the difference between Ayatollah-mullah fatwas encouraging violence against cartoon drawers, and multinational industrial outfits threatening legal/financial ruin to those who tell truth to power?
Fuck systemd. Fuck Redhat. Fuck Soylent, too. Wait, scratch the last one.
See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away. It might be that the person who discovered it is pretty clever, and has done a lot of work in that field. So it may well take others quite some time to find it out. If you want to see some examples, look at various military technologies, in particular stealth technology. You might note that the US had working stealth systems long before anyone else.
Now as this relates to security, what it means is that disclosing right away may not be that useful. Perhaps if you give some time for a fix to be implemented, or at least a mitigation, then things could be a little better. Remember with cars it isn't like one can just post a bug fix on a website. All other things aside in terms of what has to be changed, there is pretty extensive testing and certification.
So one can well argue that if you've found a flaw in a car you need to notify the manufacturers and give them time to fix it or mitigate it, which may be a good deal of time, rather than running out and telling the world so people know how clever you are.
Like say I discovered that if I pushed on a particular spot in your house, the whole thing would come crashing down on your head. Turns out, said spot is not easy to fix; you can't just go and spend $5 and an hour to do it. It will take a good bit of time and money to fix the problem. Would you like me to let you know, quietly, or would you like me to stick up a poster letting anyone who sees it know, and hope that nobody does anything?
Indeed. And normally in cases like this, the researchers alert the people responsible for fixing the problem in good time before publication. In some (many?) cases, the people in charge of the problem don't take it seriously, downplay the risks, or play the never-ending blame-the-contractor game. In that case the only way forward is to threaten to publish the information.
I don't know what happens here, the article never mentions either scenario, but seeing how the people behind the article are serious researchers, I don't think it's very far fetched to guess that they have at least taken some sort of responsible action before publishing the paper. It says that the source code for the crypto has been available since 2009, but hard to know what that means.
Fuck the system, no negotiations, no surrender. Information is made for trickling out.
Were the tables turned -- if a US injunction prohibited him from publicizing the security flaw -- the US would undoubtedly be leaning on the UK to arrest him as soon as he finished his presentation (or maybe even during it). How much do you want to bet they'll tell the UK to bugger off and deal with it themselves if they are asked to do the same?
See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away. It might be that the person who discovered it is pretty clever, and has done a lot of work in that field.
History proves you wrong. Usually all it takes is the notion that something is possible and a vague explanation, or merely advances in other fields that make the new discovery feasible. Look up parallel invention.
http://www.kk.org/thetechnium/archives/2009/08/progression_of.php
Who logs in to gdm? Not I, said the duck.
From http://www.bbc.co.uk/news/technology-23487928 :
"The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."
So essentially they have followed the responsible disclosure protocol but are now being blocked anyway.
I know it's not what they mean by "exotic crystals", but when I see the phrase I start thinking about mana and elemental damage. Sorry guys.
See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away.
Um, no, that pretty much is the case with computers. Unlike stealth technology (your example), you don't have to have a multi-billion dollar military-industrial partnership to accomplish something clever with computers. You've just got to spend time learning and tinkering. And these security flaws aren't some fundamental-problem-of-physics stuff... it's often just a matter of sniffing out broken/shoddy code, which is pretty much the standard output of the industry. If you think differently, you're probably one of those people who refers to your nephew as a "computer genius" because he got your email working again that one time.
Here's the other deal: companies would rather shut you up than acknowledge and fix the flaws in their own products. They'd also rather their customers live with the risk. For many companies, it is only the threat of disclosure that makes them invest the time and resources needed to secure their systems. (I'll grant that most software companies seem to have finally accepted this reality and tackle security more heavily, but it seems that the auto companies are still trying to play legal hardball.) And most security researchers (including this one, if other comments I've seen are correct) are willing to give manufacturers some advance notice (though it resulted in court troubles in thanks, apparently). But ultimately the utmost professional obligation of a security researcher is to inform the public so they can either protect themselves or force the manufacturer's hand.
-1, Too Many Layers Of Abstraction
Nine months. That's way more than the standard 14 days. Then there's no excuse. Present.
the researchers alert the people responsible for fixing the problem in good time before publication
This is no OpenSSL vulnerability. Such findings require spinning new silicon, and there are no field fixes short of recalling hardware. It may well be that paying for insurance coverage for increased liability from lawsuits would be cheaper than doing a recall on presumably tens of millions of vehicles from multiple vendors.
A successful API design takes a mixture of software design and pedagogy.
The researchers informed the chipmaker
That's the key phrase here. Most likely the chips are not field-reprogrammable. There are no measures to take short of getting new silicon out and recalling the hardware. Knowing the corporate inertia, they'd probably need a year from the date the recall decision was made to implement it and push it to the dealers, if they really worked on it like crazy. Fixing crypto where the cost of another mistake may be another recall isn't something you do casually. Presumably some people with a suitable theoretical background would need to be contracted to check things out before it hits the fabs. How long deciding on a recall would take, I wouldn't know, but presumably not overnight either.
Very likely they invented their own crypto instead of simply implementing a well-established one-time-password method using standard cryptographic hashing algorithms.
If that is the case they deserve to have to do a recall of all the keys and produce new ones. I am pretty sure they could have bought all the IP if they didn't have time to write all the RTL by hand. And it doesn't even need to be high performance, it just needs to do it within a second.
You might note that the US had working stealth systems long before anyone else.
Wikipedia (Stealth aircraft): The first stealth aircraft was the Horten Ho 229.
The Nazis had a working prototype aircraft and had been working on stealth subs at the end of WWII; the Wikipedia entry for stealth technology mentions 1958 for the first U.S. stealth project.
Among other things the computer was also a parallel development during WWII.
TL;DR: Get your history right
They keep talking about the luxury end of the market, but what about the cheaper brands like Seat? Pretty sure this will affect them too...
If you read the actual court judgment, you'll find a slight nuance. The algorithm was invented by Thales. They licenced it to EM. EM and another company called Delphi make immobilizer equipment using it and then sell the kit to Volkswagen and others. The researchers informed EM; EM failed to inform anyone else. VW found out a few weeks before publication and were pissed off.
Which is not to blame the researchers (except perhaps for not notifying everyone, rather than simply the maker of the one component they compromised), but it does explain why the judge was fairly scathing: "It may well not be the defendants' fault that Volkswagen were not told earlier, but once the defendants were told about Volkswagen's concern a responsible academic, concerned with responsible disclosure, would have realised that publication should be delayed, at least for a reasonable period, to allow for discussion with Volkswagen."
70cm ham radio transceiver covering the ISM band with >10 watts EIRP, sweeping with white noise. Opens doors, gates etc. High power takes care of the front end, the noise spectrum does the rest. I developed the receiver for the 'Bosch Blocktronic', via a subcontractor called C.E.L., not knowing who I actually worked for and what the circuit was to be used for. I was told to keep it as simple as possible, so I used a 0-V-1 front end and a sawtooth filter for the 'better' models. The 'rotating code' is anything but random.
And I disagree. The researchers told the company of the product they found vulnerable. This is a security company; they should have measures in place to communicate the flaw up and down. The fact that they did not means they do not take security seriously, and they cannot be trusted. There is nothing to fix here; the company has to get out of the security business one way or another.
Should the researchers also listen to any old guy who used a remote locking system on a shed? If I have a VW, can I block the publication because I did not have time to go to the garage yet? Where does it stop? As I see it, VW is just a customer here, and they are at the mercy of the supplier. The supplier can go to court, but VW should stay out of it.
So their talk will be without the prohibited portions; otherwise they may just as well fire the researcher, IMHO, as his research was done with public money, which I already find a big problem, as the money is better spent elsewhere than trying to crack a luxury car's security.
Record the presentation and post online ASAP!
That's the only way to handle this sort of crap, then let the Streisand effect take over.
I know that my vehicle brand, Acura, has been broken into using keyless entry system flaws - make them fix it!
Even if he can't present at the conference, a webcam, projector and a white wall are all it takes to record a presentation almost anywhere. Publishing to YouTube and Vimeo and a quick email to a DefCon group - bam! The news is out worldwide.
The car makers should get no extra time. They should be required to pay for vehicle rentals while the luxury car owners' vehicles get fixed. This will teach them to act fast on fixing a serious problem that should have been analyzed and tested before the car was ever even put into production!!!