Slashdot Mirror


Luxury Car Hacker To Speak At USENIX Despite Injunction

alphadogg writes "The lead author of a controversial research paper about flaws in luxury car lock systems will deliver a presentation at this month's USENIX Security Symposium even though a UK court ruling (inspired by a Volkswagen complaint) has forced the paper to be pulled from the event's proceedings. USENIX has announced that 'in keeping with its commitment to academic freedom and open access to research,' researcher Roel Verdult will speak at the Aug. 14-16 conference, to be held in Washington, D.C. Verdult and 2 co-authors were recently prohibited by the High Court of Justice in the U.K. from publishing certain portions of their paper, 'Dismantling Megamos Crypto: Wireless Lockpicking a Vehicle Immobilizer.' Among the most sensitive information: Codes for cracking the car security system in Porsches, Audis, etc."

5 of 70 comments

  1. Re:UK court jurisdiction... by Lunix+Nutcase · · Score: 4, Informative

    US law does not extend outside of the US other, but people have, for example, been arrested for going to places like Thailand and having sex with underage girls and boys. He's still going to be liable to the UK court's decision unless he's never planning to return to his home country.

  2. Re:Organized crime by pipatron · · Score: 4, Informative

    The original article (after clicking through a couple of blog-layers) indicates that the software leaked to the internet four years ago.

    --
    c++; /* this makes c bigger but returns the old value */
  3. Re:Well maybe there will be some time to fix thing by Anonymous Coward · · Score: 5, Informative

    From http://www.bbc.co.uk/news/technology-23487928 :

    "The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

    So essentially they have followed the responsible disclosure protocol but are now being blocked anyway.

  4. Re:I wonder... by BitZtream · · Score: 3, Informative

    The UK pretty much only said 'don't publish the actual key codes you discovered, but you can talk about how you discovered them all you want.'

    They said 'OMG NO MUST HAVE FULL DISCLOSURE!$#^@Q^@#'

    The UK doesn't really have a major problem with the publication, they just don't want half the cars in the country to suddenly be stolen by 15 year old boys who bought a $5 device from China tomorrow.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  5. Re:Well maybe there will be some time to fix thing by tibit · · Score: 4, Informative

    The researchers informed the chipmaker

    That's the key phrase here. Most likely the chips are not field-reprogrammable. There are no measures to take short of getting new silicon out and recalling the hardware. Knowing the corporate inertia, they'd probably need a year from the date the recall decision was made to implement it and push to the dealers, if they really worked on it like crazy. Fixing crypto where the cost of another mistake may be another recall isn't something you do casually. Presumably some people with suitable theoretical background would need to be contracted and check things out before it hits the fabs. How long would deciding on a recall take I wouldn't know, but presumably not overnight either.

    --
    A successful API design takes a mixture of software design and pedagogy.