'Banned' Article About Faulty Immobilizer Chip Published After Two Years
An anonymous reader writes: In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013.
However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.
Memo to authors who think they will be sued into silence:
Put your pre-published papers in escrow in a country that's out of reach of any potential lawsuits, with instructions that if it is not published by a certain date, they publish it.
Don't try this if you live in a country where you could be locked up for contempt of court for doing this (emigrate first!), and don't try this for state-secret-level stuff like nuclear-weapons-research or you will likely find yourself behind bars or otherwise "permanently silenced." But for stuff like car-safety issues for people who live in relatively sane-legal-system countries, "publication escrow" will probably become the norm for researchers who work in "people will sue me into silence" research areas.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Things like this, and that nonsense that the court in Boston pulled wrt the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.
Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the territory of whatever court system has jurisdiction over the researchers, and a strict 30-day timer starts, after which the data is automatically and immediately released.
Imagine all the people...
Too much automation makes Jack an insecure boy.
If they just replaced the chip - and whatever device it was contained inside (engine block? entire car? let's hope not) with a patched chip or, more likely, a dummy chip that didn't have any purpose other than to say "no, sorry, function disabled" whenever it was asked to do something, that would patch the vulnerability.
This is information which should be taken care of. Two years have passed, and... did the car makers do something? A lot of fixes? Nothing?
Too many questions makes Jack a potential terrorist.
Does that "this will go to the press if I don't check in" failsafe actually work in real life, or only in detective fiction?
Who provides this kind of service? My first guess would be an attorney, but that might require some explaining and some examining of information and the attorney might be unwilling to play along if they thought they would get some blowback from it.
An immobiliser is a device used to prevent the engine of a car from running unless the correct key is used (this may or may not be the same key as used for the ignition). The first immobiliser was patented in 1919, although I wouldn't describe that as an "immobiliser chip" because that pre-dates integrated circuits. Anyway, immobilisers have been commonplace for many decades, and even mandatory for all cars in a number of countries since the '90s.
Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them. That's all there is to it, really - it's not a remote-control shutdown switch.
I don't own a VW (BMW), but an "immobilizer chip" is an anti-theft system where a transponder (or other rolling code generator) in the key / smart fob will generate a code. The code may be transmitted wirelessly or via a conductor path (for those cars that still use a physical key). If the code from the fob matches that of the immobilizer, the engine will be allowed to start. If the code does not match, the engine will not start. Some immobilizer systems can transmit the vehicle's GPS coordinates so the vehicle can be traced. It is rumored that some vehicle manufacturers are able to erase specific control modules via the immobilizer to make the vehicle impossible to operate until these modules are reprogrammed at a dealership. But again, AFAIK, that's only a rumor.
Just about all cars made in the last several years have immobilizer chips in their keys. When you start the car, the chip is read and the car won't start if it is missing or has an unknown identifier. If you've ever had to replace a key, this is why that is so expensive.
It's designed to make cars harder to steal. There is no remote capability.
Hi!
(Sorry, nothing to see here, move along)
This sig under construction. Please check back later.
I like how Slashdot is so efficient now that they put their dupes together in the same summary:
they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place
Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013.
systemd is Roko's Basilisk.
My Capri had a hidden switch somewhere under the carpet on the driver's side of the central column just in front of the seat.
Then I fitted a Thatcham alarm system which came with its own one. So I had two. No twocer was going to be able to start *my* car...
"Wait. Something's happening. It's opening up! My God, it's full of apricots!"
Immos are just a backup electronic key embedded in your real key. They either work by contacts on the key, or by radio with a little loop antenna wrapped around the ignition lock, and the radio tag embedded in the head of the key. The key immo code has to match the immo code in the pcm or whatever, e.g. these immo chips. And then the car either doesn't get started, or it gets killed after getting started. The function tends to be built into the pcm, but there's also matching codes in other modules most times like the cluster and the tcm.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Most importantly, there's a big difference between a new car with electronic paranoia shit like that, and a 5- or 10-year old car with that shit.
I'm going to guess that most new car buyers sell a car before 5 years, for the simple reason that they wouldn't likely be buying new cars if they didn't keep selling their old ones. So guess what, they probably won't have to deal with that shit breaking, and now the people who buy used cars are going to have to deal with it as these cars find their way into the used market. (Same with hybrid or electric car batteries getting old, too.) I don't even like chipped keys, because it means you can't get a cheap replacement.
#naabhaprzrag, #sverubfr-000, #agi-fcbafberq, negvpyr[pynff*=' negvpyr-ary-'] { qvfcynl: abar !vzcbegnag; }
Who cares how long the development time is? When a company has a dangerous product, the Press is supposed to ensure the product gets fixed. Imagine if the Dell Laptop battery issue was put under a gag order for 2 years. Dell and the court knew that it could catch fire causing death and injury, but did not want to hurt Dell's profit margins.
I have no idea why people lose any established logic because something is Electronic versus Mechanical. If a person could hit a car a certain way and cause the transmission gears to fall off, it would be all over the news and a lawsuit. Even if the Transmission was being developed for decades (as many are), there would not be a gag order on findings. Why you want to put an electronic system on a pedestal and insult people who can equate the two is appalling.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
If not the same day, the same week as me.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
The issue here is that this isn't like a piece of computer software where you can disclose the vulnerability to the vendor, give them a few months to push a patch and then go public.
The only way Volkswagen and the many other car makers using this Megamos cryptography chip can fix their cars to not be vulnerable would be to replace both the computer system responsible for the immobilizer AND the keys/remotes/etc. that talk to it. That would be a VERY expensive exercise.
And what about cars that are old enough where it's just not possible to redesign the computer module and run a new production run (e.g. the computer module may rely on other components that you can't get anymore)?
Or trying to find every single example of a car (whether made by Volkswagen or otherwise) that contains one of these vulnerable security chips so that it can have its system replaced?
Perhaps you have an American car?
Not all are that simple. The more common method, at least in Japanese cars, is to have a code stored in the ECU and the immobiliser. The code sent from the immobiliser must match the one stored in the ECU. It's not a simple enable line.
That's how it worked in my 15 year old Subaru, my 10 year old Honda and 9 year old Mazda.
That's what you get for acting responsibly
My ism, it's full of beliefs.
Dude... It was a Capri. I'd be surprised if you could start it at all.
"So long and thanks for all the fish."
Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?
I'm all in favour of responsible disclosure, but years should not be required to resolve a serious security flaw.
linquendum tondere
Immobilizer chip = the thing that makes it harder to start the car without the thing that talks to the immobilizer chip and says to it that it's ok to start. Basically it should make it impossible to start the car by connecting two wires behind the steering wheel. It's the thing that makes just making a physical copy of your key pattern useless for stealing your car.
it's not like there hasn't been craploads of articles on them on slashdot before you know..
world was created 5 seconds before this post as it is.
This is why all exploits should be announced first as a working exploit kit or working worm kit posted anonymously to 4chan. Over and over again companies spit in the face of security research and threaten researchers with civil and criminal prosecution for discovering their shoddy work.
Snowden and Manning are heroes.
Am I too late to join this party?
Yes. Moose out front shoulda told ya.
Funnier if you had said it was deprecated.
Okay, so the immobilizer functionality has been defeated, and the only "harm" is that it makes your car easier to steal. Other than that, it doesn't interfere with your normal use of the car.
I'd be much more worried if they figured out a way to permanently immobilize your car or install a back-door so they could control it remotely at a later date.
If you are injuncted against publishing in your country, having someone else publish it somewhere else counts as you publishing it.
I doubt it.
I don't see how this timeline can be "contempt of court" in a country that actually (vs. theoretically) values free speech, etc.:
* Monday I put information in escrow abroad, saying "no matter what, release this a year from now, and if I or anyone else contacts you in this manner between now and then, release it immediately"
* Tuesday, I contact a company and share my disclosure with them
* Wednesday I get an injunction
* Thursday I fight the injunction and notify the judge of what I did on Monday
* The judge knows that he can order me to contact the overseas party holding the data in escrow, but that any attempt to do so will backfire and nothing I say or do now to comply with his order will change that
* The judge knows the odds of his getting a foreign government to seize the data before it is released are zero
* The judge knows that if he tries to hold me in contempt for doing something BEFORE the case ever hit a courtroom he will be overturned on appeal
* The judge knows that, barring specific situations like state secrets or bankruptcy fraud where criminal statutes may come into play, the only remedy for the other company is to sue me for damages, and that since the data isn't released yet, any suit for damages is likely premature.
Meant to say "On Wednesday I receive an injunction barring disclosure".
An injunction doesn't physically stop you. It just provides legal penalties. But if you had no ability to control the release, and the deadman was set before the injunction, you could prove innocence.
And emigration isn't hard, or leaving you in places you don't want to be. Plenty of places are better than the US. And the way US corporations work, if you contact a US company with something, they'll get a US injunction against you. Yes, if they were to file it where you are, then it'd be more effective. But the way it works, it's better/easier to file in the US only, then sue the non-US citizen for actions taken outside the US.
Learn to love Alaska