'Banned' Article About Faulty Immobilizer Chip Published After Two Years
An anonymous reader writes: In 2012, three computer security researchers, Roel Verdult, Flavio D. Garcia and Baris Ege, discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013.
However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.
Memo to authors who think they will be sued into silence:
Put your pre-published papers in escrow in a country that's out of reach of any potential lawsuits, with instructions that if it is not published by a certain date that they publish it.
Don't try this if you live in a country where you could be locked up for contempt of court for doing this (emigrate first!), and don't try this for state-secret-level stuff like nuclear-weapons-research or you will likely find yourself behind bars or otherwise "permanently silenced." But for stuff like car-safety issues for people who live in relatively sane-legal-system countries, "publication escrow" will probably become the norm for researchers who work in "people will sue me into silence" research areas.
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Things like this, and that nonsense that the court in Boston pulled with regard to the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.
Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the territory of whatever court system has jurisdiction over the researchers, and a strict 30-day timer starts, after which the data is automatically and immediately released.
An immobiliser is a device used to prevent the engine of a car from running unless the correct key is used (this may or may not be the same key as used for the ignition). The first immobiliser was patented in 1919, although I wouldn't describe that as an "immobiliser chip" because that pre-dates integrated circuits. Anyway, immobilisers have been commonplace for many decades, and even mandatory for all cars in a number of countries since the '90s.
Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them. That's all there is to it, really - it's not a remote-control shutdown switch.
My Capri had a hidden switch somewhere under the carpet on the driver's side of the central column just in front of the seat.
Then I fitted a Thatcham alarm system which came with its own one. So I had two. No twocer was going to be able to start *my* car...
Who cares how long the development time is? When a company has a dangerous product, the Press is supposed to ensure the product gets fixed. Imagine if the Dell Laptop battery issue was put under a gag order for 2 years. Dell and the court knew that it could catch fire causing death and injury, but did not want to hurt Dell's profit margins.
I have no idea why people lose any established logic because something is Electronic versus Mechanical. If a person could hit a car a certain way and cause the transmission gears to fall off, it would be all over the news and a lawsuit. Even if the Transmission was being developed for decades (as many are), there would not be a gag order on findings. Why you want to put an electronic system on a pedestal and insult people who can equate the two is appalling.
The way this works is that when you start one of the cars with this security hardware in it, a chip in your car key talks to a chip inside the car's computer using secrets stored in both chips. If the secrets match, the car will start.
What the researchers figured out was a way to start the car without having the correct key.
Even if they had chips that were 100% compatible in hardware and software but with a new more secure algorithm, the cost to replace all of the chips in every car and every key (and to program the cars and keys with the correct secrets so that the right keys will open the right cars) would be astronomical.
Dude... It was a Capri. I'd be surprised if you could start it at all.
> Even if they had chips that were 100% compatible in
> hardware and software but with a new more secure
> algorithm, the cost to replace all of the chips in every
> car and every key (and to program the cars and keys
> with the correct secrets so that the right keys will
> open the right cars) would be astronomical.
So what? They released a defective product. The onus is on them to make things right. Their "shoot the messenger" approach is wholly unacceptable.
I'm sure Honda, Toyota, and so on are spending a good hunk of money to replace all of the defective airbags they built into their cars. Hell, I had a car once that was subject to a recall... and fixed at the manufacturer's expense... because it was sold to me with a faulty oxygen sensor. And the only repercussion of leaving it unfixed would have been marginally more emissions (Nitric oxide, IIRC.), only during winter, only if I lived somewhere with sub-freezing overnights, and only for fifteen minutes or so until the car warmed up.
This is why all exploits should be announced first as a working exploit kit or working worm kit posted anonymously to 4chan. Over and over again companies spit in the face of security research and threaten researchers with civil and criminal prosecution for discovering their shoddy work.