The Locksmith Journal Jul-Aug 2013 - Issue 27 | Page 84

AUTOLOCKSMITHING SPONSORED BY ADVANCED KEYS

HIGH COURT JUDGE BLOCKS CAR KEY IMMOBILISER HACK REVELATIONS

A High Court judge has blocked three security researchers from publishing details of how to crack a car immobilisation system. The interim ruling was obtained by German car maker Volkswagen and French defence group Thales after they argued that the information could be used by criminals. The technology is used by several car manufacturers. The academics had planned to present the information at a conference in August.

The three researchers are Flavio Garcia, a computer science lecturer at the University of Birmingham, and Baris Ege and Roel Verdult, security researchers at Radboud University Nijmegen in the Netherlands.

“The University of Birmingham is disappointed with the judgement which did not uphold the defence of academic freedom and public interest, but respects the decision,” said a spokeswoman. “It has decided to defer publication of the academic paper in any form while additional technical and legal advice is obtained given the continuing litigation.” She said that the university was, therefore, unable to comment further at this stage.

Radboud University Nijmegen said it found the ban “incomprehensible”. “The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible,” said a spokeswoman. “The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients.”

Neither VW nor Thales was able to provide comment.

The ruling was issued on 25 June, but the case only gained public attention following an article in The Guardian newspaper. The presentation - entitled Dismantling Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobiliser - is still listed on the website of the Usenix Security Symposium, which will be held in Washington in August.

Megamos Crypto refers to a transponder built into car keys, which uses RFID (radio-frequency identification) to transmit an encrypted signal to the vehicles. This de-activates a system which otherwise prevents their engines from starting. VW introduced the technology in the late 1990s and it is also used by Honda and Fiat among others.

[Photo caption: VW has used the security tech in its Audi cars among other brands]

The researchers said they had obtained a software programme from the internet which contained the algorithm devised by Thales to provide the security feature. They said it had been on the net since 2009. The researchers said they had then discovered a weakness in the code meaning that it could be compromised, and added that there was a strong public interest that the information be disclosed to ensure the problem was addressed.

But VW and Thales argued that the algorithm was confidential information, and whoever had released it on the net had probably done so illegally. Furthermore, they said, there was good reason to believe that criminal gangs would try to take advantage of the revelation to steal vehicles. The researchers argued that this risk was overblown since car thieves would need to run a computer program for about two days to make use of the exploit in each case.

They said that removing the sections which VW and Thales wanted expunged would mean their paper would have to be peer reviewed a second time, and they would miss their slot at the conference as a consequence. They also argued that their right to publish was covered by freedom of speech safeguards in the European Convention on Human Rights. The judge, however, ruled that, pending a full trial, the details should be withheld.

Legal experts suggested that it is the way the researchers discovered the flaw that proved their undoing. They had not obtained the software from a legitimate source but downloaded it from an unauthorised website. This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction.

84 THE JUL/AUG 2013 ISSUE SPONSORED BY ALDRIDGE To read more, visit www.locksmithjournal.co.u