Slashdot Mirror

← Back to Stories (view on slashdot.org)

'Banned' Article About Faulty Immobilizer Chip Published After Two Years

Posted by timothy on from the speaking-of-immobilizing dept.

An anonymous reader writes: In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.

87 comments

  1. Ahhh, well. by Anonymous Coward · · Score: 0

    Luxury cars you say? Fuck 'em.

    1. Re:Ahhh, well. by cayenne8 · · Score: 0
      Ok, my basic question is...What the hell is an immobilizer chip? Is this something in all cars I didn't know about? Does this somehow let external parties (i.e. police) be able to just shut your car off/down with you in it?

      If so...when did they start putting these in cars?!?!

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    2. Re:Ahhh, well. by invictusvoyd · · Score: 1, Funny

      Too much automation makes Jack an insecure boy.

    3. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      For someone with such a low numbered ID, you certainly post as if you're new here.

    4. Re:Ahhh, well. by cayenne8 · · Score: 0

      For someone with such a low numbered ID, you certainly post as if you're new here.

      As a long time Slashdot user, I know better than to actually read the articles, or Google myself before posting questions.

      Just keep on here...you'll catch on soon.

      ;)

      --
      Light travels faster than sound. This is why some people appear bright until you hear them speak.........
    5. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      For all the other VW owners out there... Why don't you bother to look up what an immobilizer chip is before speculating (very incorrectly) about what it is? Try enlightening yourself before spouting off.

    6. Re:Ahhh, well. by Darinbob · · Score: 2

      Too many questions makes Jack a potential terrorist.

    7. Re:Ahhh, well. by invictusvoyd · · Score: 0

      Too many questions makes Jack a potential terrorist.

      Not asking too many questions makes Jack a potential terrorist.
      FTFY

    8. Re:Ahhh, well. by jmanforever · · Score: 0

      Is any user ID below 1,000,000 considered low these days?
      Hmm... I guess maybe I have been here for a while, but I too was wondering: What the hell is an immobilizer chip?
      Nevermind, I know how to use Google.

    9. Re:Ahhh, well. by Archangel+Michael · · Score: 0

      I know, right ... (waiting for lower number to one up me)

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    10. Re:Ahhh, well. by Barefoot+Monkey · · Score: 4, Informative

      An immobiliser is a device used to prevent the engine of a car from running unless the correct key is used (this may or may not be the same key as used for the ignition). The first immobiliser was patented in 1919, although I wouldn't describe that as an "immobiliser chip" because that pre-dates integrated circuits. Anyway, immobilisers have been commonplace for many decades, and even mandatory for all cars in a number of countries since the '90s.

      Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them. That's all there is to it, really - it's not a remote-control shutdown switch.

    11. Re:Ahhh, well. by Anonymous Coward · · Score: 1

      I don't own a VW (BMW) but a "immobilizer chip" is a anti-theft system where a transponder (or other rolling code generator) in the key / smart fob will generate a code. The code may be transmitted wireless or via a conductor path (for those cars that still use a physical key). If the code from the fob matches that of the immobilizer the engine will be allowed to start. If the code does not match the engine will not start. Some immobilizer systems can transmit the vehicles GPS coordinates so the vehicle can be traced. It is rumored that a some vehicle manufactures are able to erase specific control modules via the immobilizer to make the vehicle impossible to operate until these modules are reprogrammed at a dealership. But again, AFAIK, that's only a rumor

    12. Re:Ahhh, well. by PhrostyMcByte · · Score: 1

      Ok, my basic question is...What the hell is an immobilizer chip?

      Just about all cars made in the last several years have immobilizer chips in their keys. When you start the car, the chip is read and the car won't start if it is missing or has an unknown identifier. If you've ever had to replace a key, this is why that is so expensive.

      It's designed to make cars harder to steal. There is no remote capability.

    13. Re:Ahhh, well. by vrt3 · · Score: 3, Funny

      Hi!

      (Sorry, nothing to see here, move along)

      --
      This sig under construction. Please check back later.
    14. Re:Ahhh, well. by mrbester · · Score: 0

      You called?

      Oh, wait...

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    15. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      An immobilizer does just that, it prevents the vehicle from moving if it detects that the normal operation of the ignition switch has been tampered with (attempted bypass). Just like guessing the wrong password on a website; if you incorrectly attempt to subvert the system 3 times it permanently disables the ability to start the vehicle and it must be towed to a dealership. In my experience immobilizers cause more issues than it's worth. Imagine when something goes wrong like a short in the system and it leaves you stranded plus requires you to take it to a dealership (even if the vehicle is 30 years old well past the warranty) which = expensive bill. I actively avoid purchasing a vehicle that has an immobilizer, they are simply not worth the heartache they can cause you and your wallet.

    16. Re:Ahhh, well. by mrbester · · Score: 2

      My Capri had a hidden switch somewhere under the carpet on the driver's side of the central column just in front of the seat.

      Then I fitted a Thatcham alarm system which came with its own one. So I had two. No twocer was going to be able to start *my* car...

      --
      "Wait. Something's happening. It's opening up! My God, it's full of apricots!"
    17. Re:Ahhh, well. by Frederic54 · · Score: 0

      I was surprised 626475 is considered a low number too?!?

      --
      "Science will win because it works." - Stephen Hawking
    18. Re:Ahhh, well. by saider · · Score: 0

      A little lower - Fall, 1999.

      --


      Remember, You are unique...just like everyone else.
    19. Re:Ahhh, well. by FacePlant · · Score: 0

      #3788, you skipped an order of magnitude on us.
      Patience is a virtue.

      --
      My Heart Is A Flower
    20. Re:Ahhh, well. by fulldecent · · Score: 0

      HEY GUYS WHAT"S GOING ON?

      --

      -- I was raised on the command line, bitch

    21. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      Too many questions makes Jack a potential terrorist.

      Answer my questions you damned terrorist!

    22. Re:Ahhh, well. by Rob+Riggs · · Score: 0

      Am I too late to join this party?

      --
      the growth in cynicism and rebellion has not been without cause
    23. Re:Ahhh, well. by Megane · · Score: 1

      Most importantly, there's a big difference between a new car with electronic paranoia shit like that, and a 5- or 10-year old car with that shit.

      I'm going to guess that most new car buyers sell a car before 5 years, for the simple reason that they wouldn't likely be buying new cars if they didn't keep selling their old ones. So guess what, they probably won't have to deal with that shit breaking, and now the people who buy used cars are going to have to deal with it as these cars find their way into the used market. (Same with hybrid or electric car batteries getting old, too.) I don't even like chipped keys, because it means you can't get a cheap replacement.

      --
      #naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
    24. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them.

      No, it is not "considerably more difficult". My car has an immobilizer. The RF connection to the key fob is encrypted and all. But from the immobilizer box, a single "device enable" line goes to the engine management box. It is documented as a plain 12V on/off signal - no harder to hot-wire than the ignition lock. You have to know where the damn box is, but the service manual tells you that . . .

    25. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      Existing makes Jack a potential terrorist. Not existing terrifies them even more.

    26. Re:Ahhh, well. by Archangel+Michael · · Score: 1

      If not the same day, the same week as me.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    27. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      An immobilizer is a device which has a primary purpose of allowing a dealership to charge you $100+ to replace a key.

    28. Re:Ahhh, well. by viperidaenz · · Score: 1

      Perhaps you have an American car?
      Not all are that simple. The more common method, at least in Japanese cars, is to have a code stored in the ECU and the immobiliser. The code sent from the immobiliser must match the one stored in the ECU. It's not a simple enable line.
      That's how it worked in my 15 year old Subaru, my 10 year old Honda and 9 year old Mazda.

    29. Re:Ahhh, well. by Anonymous Coward · · Score: 0

      Who is Jack?

    30. Re: Ahhh, well. by Anonymous Coward · · Score: 0

      You don't know Jack!?!!!

    31. Re: Ahhh, well. by Anonymous Coward · · Score: 0

      Mr. Jack Off and Mr. Fapper

    32. Re:Ahhh, well. by KGIII · · Score: 3, Funny

      Dude... It was a Capri. I'd be surprised if you could start it at all.

      --
      "So long and thanks for all the fish."
    33. Re:Ahhh, well. by gl4ss · · Score: 1

      immobilizer chip = the thing that makes it harder to start the car without the thing that talks to the immobilizer chip and says to it that it's ok to start. basically it should make it impossible to start the car by connecting two wires behind the steering wheel. it's the thing that makes just making a physical copy of your key pattern useless for stealing your car.

      it's not like there hasn't been craploads of articles on them on slashdot before you know..

      --
      world was created 5 seconds before this post as it is.
    34. Re:Ahhh, well. by mmontour · · Score: 1

      Am I too late to join this party?

      Yes. Moose out front shoulda told ya.

  2. Memo to authors - put pre-prints in escrow abroad by davidwr · · Score: 2

    Memo to authors who think they will be sued into silence:

    Put your pre-published papers in escrow in a country that's out of reach of any potential lawsuits, with instructions that if it is not published by a certain date that they publish it.

    Don't try this if you live in a country where you could be locked up for contempt of court for doing this (emigrate first!), and don't try this for state-secret-level stuff like nuclear-weapons-research or you will likely find yourself behind bars or otherwise "permanently silenced." But for stuff like car-safety issues for people who live in relatively sane-legal-system countries, "publication escrow" will probably become the norm for researchers who work in "people will sue me into silence" research areas.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  3. Before you even ask by Anonymous Coward · · Score: 0

    The High Court of London is located in the City of London. You know, corporate paradise. The only reason this corporate court even had the power to issue an injunction against the publication of the paper is because one of the researchers moved to Birmingham.

  4. Way to encourage responsible disclosure. by SvnLyrBrto · · Score: 4, Interesting

    Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

    Things like this, and that nonsense that the court in Boston pulled wrt/ to the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.

    Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the terrirory of whatever court system has jurisdiction over the researchers, and a stick 30-day timer starts, after which the data is automatically and immediately released.

    --
    Imagine all the people...
    1. Re:Way to encourage responsible disclosure. by rotorbudd · · Score: 1

      Wikileaks maybe?

      --
      A bullet may have your name on it, but artillery is addressed to " Whom It May concern"
    2. Re:Way to encourage responsible disclosure. by Etcetera · · Score: 1

      Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

      Newsflash: Fixing a problem like this in the field is harder than making a git commit and telling people to recompile.

      Also, only a dipshit with no ethics equates "vendor" with "customer" when life or limb is on the line.

      --
      Hire a Linux system administrator, systems engineer,
    3. Re:Way to encourage responsible disclosure. by 0123456 · · Score: 4, Insightful

      Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.

    4. Re:Way to encourage responsible disclosure. by Anonymous Coward · · Score: 1

      Funny how we are consumers to corporations when we are being taken advantage of and beloved customers when they need our support.

    5. Re:Way to encourage responsible disclosure. by mandark1967 · · Score: 2

      They sound like conscientious, proactive people I would like to have working for me.

      Signed,

      Dr. Evil

      --
      Sig Follows: "Suppose you were an idiot. And suppose you were a member of Congress. But I repeat myself." -- Mark Twain
    6. Re:Way to encourage responsible disclosure. by Cramer · · Score: 2

      Your talking about a system that's been used for 20+ years. It cannot be "patched" ('tho in older systems it can be "turned off") as it's not software. It cannot be "replaced" because it's built into many subsystems throughout the vehicle, most of which are a serious pain in the ass to even get to, much less crack open to replace a chip. (ECU, instrument cluster, ABS module, automatic transmission computer, electronic door/window modules, even the f'ing radio.)

    7. Re:Way to encourage responsible disclosure. by BlueStrat · · Score: 2

      Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

      Things like this, and that nonsense that the court in Boston pulled wrt/ to the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.

      Easy fix.

      Just make it a high crime with onerous penalties to perform security vulnerability testing, release vulnerabilities, or to be complicit with either or both without both the manufacturer's and government's prior approval, either of which may withdraw consent/approval at a later date and leave researchers et al legally liable & open to prosecution ex post facto if things don't turn out to the manufacturer's and/or government's expectations.

      Problem solved! /s

      Strat

      --
      Progressivism (aka US 'Liberalism'): Ideas so good they need a police/surveillance-state to enforce.
    8. Re:Way to encourage responsible disclosure. by Anonymous Coward · · Score: 0

      This.

      People don't seem to realize how long development times are for vehicles and why they are that long.
      Especially everything dealing with anything that makes the car move or not move or has to do with theft protection requires long verification procedures, sometimes by external entities like insurance companies.

      "Patching" in the field is not as simple as exchanging small pieces of hardware. The key fob is one thing (note that a whole new chip has to be developed or integrated here), but the vehicle side is another, which will require significant development effort to exchange the transmitter hardware.

      Hating on car OEMs is easy and the legal measures were probably overkill, but this ignorance on slashdot is apalling.

    9. Re:Way to encourage responsible disclosure. by steelfood · · Score: 1

      Agreed. The "responsible" in responsible disclosure applies to both the researcher and the company. If the company is not responsible in their behavior towards the security hole, then there's no point in the researcher being responsible either.

      Companies that have a bad track record of responsibility should have their security holes publicized immediately. After all, if they don't take their product's security seriously today, there's no reason to expect them to take their product's security seriously the next time around.

      --
      "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
    10. Re:Way to encourage responsible disclosure. by mjwx · · Score: 1

      Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.

      Its always be easy to bypass an immobiliser... Most mechanics will know how but most mechanics have better things to do than steal cars.

      In Australia the most popular form of car theft involves stealing the keys first although with keyless start becoming standard in many base models I imagine that soon an off the shelf device that can emulate a key will soon appear in the same way crims can buy off the shelf card skimmers.

      Fortunately with Australia being so backwards, if such a device was released tomorrow we'd still not have to worry about it for 20 years.

      --
      Calling someone a "hater" only means you can not rationally rebut their argument.
    11. Re:Way to encourage responsible disclosure. by Anonymous Coward · · Score: 0

      There is nothing but the laws of nature that can't be patched or replaced. Nothing.

    12. Re:Way to encourage responsible disclosure. by 0123456 · · Score: 1

      In Australia the most popular form of car theft involves stealing the keys first although with keyless start becoming standard in many base models I imagine that soon an off the shelf device that can emulate a key will soon appear in the same way crims can buy off the shelf card skimmers.

      There was a news story recently about thieves using directional antennas and signal boosters to convince the car to talk to your key while you had it in your house. So they already seem to have worked that out.

    13. Re:Way to encourage responsible disclosure. by SvnLyrBrto · · Score: 1

      Odd... I seem to remember what happened when a Model S caught on fire once after running over a piece of metal that punctured the battery pack.

      I seem to remember Tesla releasing a temporary software patch, remotely, to cars "in the field" that adjusted the suspensions of the cars so that they would ride higher on the road; making it unlikely that there would be a repeat of the incident while they worked out a permanent solution: a titanium shield that they fitted to the bottom of the sled... free of charge... when they cycled in for their maintenance intervals.

      To me, as a "consumer", having the "vendor" do that seems like its a lot easier then *pulling* from github and compiling.

      But you so cleverly "Newsflash"ed me that that would be "hard". I guess the whole thing must be just a figment of my imagination.

      --
      Imagine all the people...
  5. err... patched? by Anonymous Coward · · Score: 0

    my understanding is that it still hasn't been "patched." The root cause is so far down in the implementation that it can't be patched.

  6. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    I'm sorry, but sane-legal-systems went extinct.

    Captcha: confine

  7. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    Better yet,
    don't inform the manufacturer and publish anonymously.
    Companies show time and again that there is no advantage to telling them about vulnerabilities.
    Better to just tell the world and let the company deal with the fallout.

  8. It's patch-able in principle by davidwr · · Score: 1

    If they just replaced the chip - and whatever device it was contained inside (engine block? entire car? let's hope not) with a patched chip or, more likely, a dummy chip that didn't have any purpose other than to say "no, sorry, function disabled" whenever it was asked to do something, that would patch the vulnerability.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:It's patch-able in principle by jonwil · · Score: 2

      The way this works is that when you start one of the cars with this security hardware in it a chip in your car key talks to a chip inside the cars computer using secrets stored in both chips. If the secrets match, the car will start.

      What the researchers figured out was a way to start the car without having the correct key.

      Even if they had chips that were 100% compatible in hardware and software but with a new more secure algorithm, the cost to replace all of the chips in every car and every key (and to program the cars and keys with the correct secrets so that the right keys will open the right cars) would be astronomical.

    2. Re:It's patch-able in principle by viperidaenz · · Score: 1

      It's an immobilizer.
      If you replace it with a chip that says "no, sorry, function disabled" that's either going to be "never let the car start" or "always let the car start"
      That's worse than doing nothing.

    3. Re:It's patch-able in principle by SvnLyrBrto · · Score: 2

      > Even if they had chips that were 100% compatible in
      > hardware and software but with a new more secure
      > algorithm, the cost to replace all of the chips in every
      > car and every key (and to program the cars and keys
      > with the correct secrets so that the right keys will
      > open the right cars) would be astronomical.

      So what? They released a defective product. The onus is on them to make things right. Their "shoot the messenger" approach is wholly unacceptable.

      I'm sure Honda, Toyota, and so on are are spending a good hunk of money to replace all of defective airbags they built into their cars. Hell, I had a car once that was subject to a recall... and fixed at the manufacturer's expense... because it was sold to me with a faulty oxygen sensor. And the only repercussion of leaving it unfixed would have been marginally more emissions (Nitric oxide, IIRC.), only during winter, only if I lived somewhere with sub-freezing overnights, and only for fifteen minutes or so until the car warmed up.

      --
      Imagine all the people...
    4. Re:It's patch-able in principle by AmiMoJo · · Score: 1

      So what are they doing? That's the question that none of the articles on this subject seem to address. Do owners of these vulnerable cars get a free upgrade? Under UK law they would seem to be due a free fix, due to the security features of the vehicle not being "fit for purpose". If anyone had their mysteriously VW stolen in the last couple of years and had to take the insurance hit, they should be talking to VW about compensation.

      It seems like VW is just ignoring this problem, or at least there has not been much coverage of the recall.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  9. but what about the car makers ? did their job too? by AdrianFlorinLazar · · Score: 1

    this is an information which should be cared of 2 years passed away and .. car makers did something ? a lot of fixes ? nothing ?

  10. Westend IT Store by Westend-IT-Store · · Score: 0

    nice job.

  11. Re:TAILS Linux 1.5 is out (Aug 11, 2015) by Anonymous Coward · · Score: 0

    It gives a bad impression to spam off-topic in other articles.

  12. Re:Memo to authors - put pre-prints in escrow abro by swb · · Score: 1

    Does that "this will go to the press if I don't check in" failsafe actually work in real life, or only in detective fiction?

    Who provides this kind of service? My first guess would be an attorney, but that might require some explaining and some examining of information and the attorney might be unwilling to play along if they thought they would get some blowback from it.

  13. vulnerabilities should be published without notice by Anonymous Coward · · Score: 0

    We put everybody at risk when companies are not forced (by virtue of having lots of time to fix the bugs) into fixing code quickly. By increasing the time companies have to fix the code it opens up opportunity for others to discover the same bugs and begin actively exploiting them. You may think this unlikely- but we already know that companies are submitting this bug information to entities such as the NSA who then proceeds to exploit them until the vulnerabilities are fixed. As it's not widespread exploitation it's rare for anybody to pick up on unlike in the case of typical commercial maleware thats widely distributed.

  14. Great, now we're duping in the same summary by wonkey_monkey · · Score: 1

    I like how Slashdot is so efficient now that they put their dupes together in the same summary:

    they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place

    Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013.

    --
    systemd is Roko's Basilisk.
  15. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    Many companies have demonstrated that responsible disclosure (let them know, and give them a reasonable amount of time to fix the problem before going public) works well. Some companies have demonstrated that responsible disclosure doesn't work with them, because they don't fix things until it's public (Microsoft used to be part of this team). A few companies, such as the one being discussed in this article, are actively hostile to responsible disclosure, and will take pains to *prevent* disclosure in order to eliminate *their* risk for not fixing the vulnerability.

    The problem is that you don't know, when contacting a new company, which 'team' they belong to.
    If they're on team friendly, you get feedback indicating an estimated time to fix, and you can base your disclosure timeline based on that, or go with a default (your choice).
    If they're on team indifferent, you don't get a response, and you can go with your default disclosure timeline. No skin off your nose there.
    The only real problem lies in the folks on team hostile, as they can (and are prepared to) make your life *quite* miserable. There really ought to be a list of these folks that security researchers can reference, and go with immediate, full disclosure for them.

  16. as for how they work by drinkypoo · · Score: 1

    Immos are just a backup electronic key embedded in your real key. They either work by contacts on the key, or by radio with a little loop antenna wrapped around the ignition lock, and the radio tag embedded in the head of the key. The key immo code has to match the immo code in the pcm or whatever, e.g. these immo chips. And then the car either doesn't get started, or it gets killed after getting started. The function tends to be built into the pcm, but there's also matching codes in other modules most times like the cluster and the tcm.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  17. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    No, it does not work.

    If you are injuncted against publishing in your country, having someone else publish it somewhere else counts as you publishing it, so you can be held responsible for violating the injuntion. It works like that in every sane legal system, so the "emigrate first" part will leave you in places you really don't want to be.

  18. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    The problem is that you don't know, when contacting a new company, which 'team' they belong to.

    Well, you can always contact them from some hotmail address - or a less traceable Chinese equivalent. If they don't respond timely, publish anonymously. The same if they seems hostile.

  19. Pure trash by s.petry · · Score: 2

    Who cares how long the development time is? When a company has a dangerous product, the Press is supposed to ensure the product gets fixed. Imagine if the Dell Laptop battery issue was put under a gag order for 2 years. Dell and the court knew that it could catch fire causing death and injury, but did not want to hurt Dell's profit margins.

    I have no idea why people lose any established logic because something is Electronic versus Mechanical. If a person could hit a car a certain way and cause the transmission gears to fall off, it would be all over the news and a law suit. Even if the Transmission was being developed for decades (as many are), there would not be a gag order on findings. Why you want to put an electronic system on a pedestal and insult people who can equate the two is appalling.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  20. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    It does protect the information against yourself and the company to some extent.

    The first part works because it's relatively easy to work up the moral backbone when the shit hasn't hit the fan yet. Yes, you might get sued eventually but whether you're sued or not, the information will be published. At the point when you put the information in escrow you are still brave or uninformed enough and when you aren't any longer, the information is secure and will be published.

    The second part works because in some cases a company might prefer the information getting out on favourable terms and decide to let you off based on that. This is legally speaking a form of blackmail, if the company doesn't go along...

    In summary, you put things in escrow not for yourself, but because you believe that some things are bigger than you. If you don't believe that for the particular case in question, don't put it in escrow. If you don't believe that in general, please jump in front of a train.

  21. Re:Memo to authors - put pre-prints in escrow abro by jonwil · · Score: 1

    The issue here is that this isn't like a piece of computer software where you can disclose the vulnerability to the vendor, give them a few months to push a patch and then go public.

    The only way for Volkswagen and the many other car makers using this Megamos cryptography chip can fix their cars to not be vulnerable would be to replace both the computer system responsible for the immobilizer AND the keys/remotes/etc that talk to it. That would be a VERY expensive exercise.

    And what about cars that are old enough where its just not possible to redesign the computer module and run a new production run (e.g. the computer module may rely on other components that you cant get anymore)

    Or trying to find every single example of a car (whether made by Volkswagen or otherwise) that contains one of these vulnerable security chips so that it can have its system replaced?

  22. A ban by MrKaos · · Score: 1

    That's what you get for acting responsibly

    --
    My ism, it's full of beliefs.
  23. Re:Memo to authors - put pre-prints in escrow abro by Anonymous Coward · · Score: 0

    You're not telling us anything we don't already know. Fixing defects in cars that have been distributed widely is a very expensive exercise. It's also a normal and expected part of distributing products with warrantees. The problem with the perspective you're presenting here is that it flips one important aspect of reality on its head. That is to say that, in reality, the problem is already extant. Releasing the information about it isn't creating it.

  24. The Lesson Here by Anonymous Coward · · Score: 0

    The lesson here is to remain anonymous when following your responsible disclosure guidelines. They can't get a court injunction against publication if they don't know who wrote the paper or who is planning to publish it. You just mail them a copy of the paper anonymously with a note saying that it will be published worldwide in X number of months.

    1. Re: The Lesson Here by Anonymous Coward · · Score: 0

      The lesson here is to remain silent.

  25. Am I the only one? by FrozenGeek · · Score: 1

    Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?

    I'm all in favour of responsible disclosure, but years should not be required to resolve a serious security flaw.

    --
    linquendum tondere
    1. Re:Am I the only one? by serviscope_minor · · Score: 1

      Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?

      The paper may have been outside the Judge's jusisdiction, but unless they emigrate, they won't be.

      --
      SJW n. One who posts facts.
    2. Re:Am I the only one? by FrozenGeek · · Score: 1

      Fair enough, but looking at the paper itself, two of the three authors live in the Netherlands, so unless they intend to travel to old Blighty, they don't live in the judge's jurisdiction. Also, presumably the paper was peer reviewed and it's possible that some of the reviewers also do not live in England and might "accidentally" release the paper into the wild.

      --
      linquendum tondere
  26. 4chan by Lehk228 · · Score: 2

    this is why all exploits should be announced first as a working exploit kit or working worm kit posted anonymously to 4chan. over and over again companies spit in the face of security research and threaten researches with civil and criminal prosecution for discovering their shoddy work.

    --
    Snowden and Manning are heroes.
  27. Re:Memo to authors - put pre-prints in escrow abro by Fieryphoenix · · Score: 1

    Funnier if you had said it was deprecated.

  28. Ah, that's all it is by davidwr · · Score: 1

    Okay, so the immobilizer functionality has been defeated, and the only "harm" is that it makes your car easier to steal. Other than that, it doesn't interfere with your normal use of the car.

    I'd be much more worried if they figured out a way to permanently immobilize your car or install a back-door so they could control it remotely at a later date.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  29. Re:Memo to authors - put pre-prints in escrow abro by davidwr · · Score: 1

    If you are injuncted against publishing in your country, having someone else publish it somewhere else counts as you publishing it,

    I doubt it.

    I don't see how this timeline can be "contempt of court" in a country that actually (vs. theoretically) values free speech, etc.:

    * Monday I put information in escrow abroad, saying "no matter what, release this a year from now, and if I or anyone else contacts you in this manner between now and then, release it immediately"
    * Tuesday, I contact a company and share my disclosure with them
    * Wednesday I get an injunction
    * Thursday I fight the injunction and notify the judge of what I did on Monday
    * The judge knows that he can order me to contact the overseas party holding the data in escrow but that any attempt to do will backfire and nothing I say or do now to comply with his order will change that
    * The judge knows the odds of his getting a foreign government to seize the data before it is released are zero
    * The judge knows that if he tries to hold me in contempt for doing something BEFORE the case ever hit a courtroom he will be overturned on appeal
    * The judge knows that, barring specific situations like state secrets or bankruptcy fraud where criminal statutes may come into play, the only remedy for the other company is to sue me for damages, and that since the data isn't released yet, any suit for damages is likely premature.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  30. Correction on "Wednesday" -I RECEIVE an injunction by davidwr · · Score: 1

    Meant to say "On Wednesday I receive an injunction barring disclosure".

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  31. Re:Memo to authors - put pre-prints in escrow abro by AK+Marc · · Score: 1

    An injunction doesn't physically stop you. It just provides legal penalties. But if you had no ability to control the release, and the deadman was set before the injunction, you could prove innocence.

    And emigration isn't hard, or leaving you in places you don't want to be. Plenty of places are better than the US. And the way US corporations work, if you contact a US company with something, they'll get a US injunction against you. Yes, if they were to file it where you are, then it'd be more effective. But the way it works, it's better/easier to file in the US only, then sue the non-US citizen for actions taken outside the US.

    --
    Learn to love Alaska