Slashdot Mirror


'Banned' Article About Faulty Immobilizer Chip Published After Two Years

An anonymous reader writes: In 2012, three computer security researchers, Roel Verdult, Flavio D. Garcia and Baris Ege, discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" that was 'banned' in 2013 is being published after all.

5 of 87 comments

  1. Way to encourage responsible disclosure. by SvnLyrBrto · Score: 4, Interesting

    Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

    Things like this, and that nonsense that the court in Boston pulled wrt the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.

    Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the territory of whatever court system has jurisdiction over the researchers, and a strict 30-day timer starts, after which the data is automatically and immediately released.

    --
    Imagine all the people...
    1. Re:Way to encourage responsible disclosure. by 0123456 · Score: 4, Insightful

      Newsflash: the bad guys are busy finding these kinds of holes and exploiting them, and don't wait for a court to tell them they're allowed to.

  2. Re:Ahhh, well. by Barefoot Monkey · Score: 4, Informative

    An immobiliser is a device used to prevent the engine of a car from running unless the correct key is used (this may or may not be the same key as used for the ignition). The first immobiliser was patented in 1919, although I wouldn't describe that as an "immobiliser chip" because that pre-dates integrated circuits. Anyway, immobilisers have been commonplace for many decades, and even mandatory for all cars in a number of countries since the '90s.

    Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them. That's all there is to it, really - it's not a remote-control shutdown switch.

  3. Re:Ahhh, well. by vrt3 · Score: 3, Funny

    Hi!

    (Sorry, nothing to see here, move along)

    --
    This sig under construction. Please check back later.
  4. Re:Ahhh, well. by KGIII · Score: 3, Funny

    Dude... It was a Capri. I'd be surprised if you could start it at all.

    --
    "So long and thanks for all the fish."