English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

timothy posted about a year ago | from the driving-on-the-wrong-side-would-work-too dept.

Transportation 168

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."


that settles it (5, Insightful)

frovingslosh (582462) | about a year ago | (#44403767)

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

Re:that settles it (1)

gmuslera (3436) | about a year ago | (#44403807)

And the manufacturers won't have to worry about fixing that vulnerability for a long time (or do a fake, incomplete, not certifiable, or open to even more vulnerabilities fix).

Re:that settles it (5, Informative)

hutsell (1228828) | about a year ago | (#44403915)

Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

Re:that settles it (1)

gadget junkie (618542) | about a year ago | (#44404021)

Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

It can only be temporary. Cat's out of the bag anyway, and while they are banned from publishing the details, any "Yep. still there" six months from now would pit owners and insurance companies vs manufacturers, with manufacturers losing for having known, and not acted upon, a problem with their car.

not even until fix, until a full hearing (5, Insightful)

raymorris (2726007) | about a year ago | (#44404089)

Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

PS - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect or intent of the injunction.

Re:not even until fix, until a full hearing (2)

Tom (822) | about a year ago | (#44404515)

A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.

Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the court's opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary injunction.

Re:not even until fix, until a full hearing (1)

Anonymous Coward | about a year ago | (#44404813)

I was deeply involved in corporate legal stuff

Well, corporate legal stuff. You're still the wrong one. If the court thought the plaintiff was full of shit, that would be an opinion on the matter. Having two people come to you and telling them to put something on hold until you sort it out is not an opinion on which person is right.

Re:not even until fix, until a full hearing (1)

SuricouRaven (1897204) | about a year ago | (#44405011)

How do they fix this? They can put a new firmware in cars easily enough, but the many already on the road have no auto-update capability, and the typical driver isn't even aware their car has firmware. Assuming it's something that can be updated - I wouldn't be surprised if this is handled by a chip that needs to be physically replaced by a garage.

Re:that settles it (5, Informative)

Anonymous Coward | about a year ago | (#44404103)

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

In real life, the powers that be want the guy muzzled.

The lesson learned is to do one of three things if finding an exploit:

1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

Re:that settles it (0)

Anonymous Coward | about a year ago | (#44404295)

Tor masterminds R. Dingledine and J. Appelbaum lecture @ the Technical University of Munich about Tor, government surveillance, free software, and why Windows isn't suited for privacy software and shouldn't be used.

https://gnunet.org/tor2013tum-video [gnunet.org]

Re:that settles it (2)

isorox (205688) | about a year ago | (#44405037)

In real life, the powers that be want the guy muzzled.

In the UK they use the courts to block the publication of the paper

In the US they use the CIA to murder the author [reuters.com]

Re:that settles it (1)

jbolden (176878) | about a year ago | (#44405207)

The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

US Const Am 16: The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.

The constitution is about as non-temporary as you can get.

Re:that settles it (0)

Anonymous Coward | about a year ago | (#44404463)

So they rolled their own encryption system I guess.
Knowing the algorithm shouldn't allow you to be verified.

Re:that settles it (0)

Anonymous Coward | about a year ago | (#44405001)

find your local friendly radio ham put a carrier out on 432.920 kills all immobilisers instantly also makes for good fun in car parks squirt of carrier (on a ham frequency) and the donkeys are wondering why their bollocks wagon or blackmans wheels or jercedes won't unlock or lock ....

Re:that settles it (5, Insightful)

gagol (583737) | about a year ago | (#44403809)

Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer has an incentive to ACTUALLY FIX the problem.

Re:that settles it (0)

mlts (1038732) | about a year ago | (#44403843)

Even if the car maker can't/won't fix it, at least I know what it is so I can make a workaround, such as adding a relay to the circuit with the transponder antenna which would deny access to all keys, even valid ones, unless the switch is found.

Re:that settles it (1)

SuricouRaven (1897204) | about a year ago | (#44405027)

This is for the immobiliser, not the door locks, so you don't need to dabble in the delicate electronics of the engine control or fiddly RF line. Just put your relay in the cable that powers the solenoid coil for the starter (Do cars still use those, or have they gone solid-state now? Same idea) or power line to the ignition.

Re:that settles it (5, Insightful)

meerling (1487879) | about a year ago | (#44403903)

I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.

Re:that settles it (5, Insightful)

Opportunist (166417) | about a year ago | (#44404183)

Not only that, but to have a claim against insurance when (not if) this blows.

It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

It is VITAL that not only manufacturers but also insurances get this information!

They never fixed it so far (4, Interesting)

dutchwhizzman (817898) | about a year ago | (#44404749)

Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.

The queen still in charge ? (-1)

Anonymous Coward | about a year ago | (#44403821)

It must be the doings of that damn bastard tripartite commission !!

Re:The queen still in charge ? (0)

Anonymous Coward | about a year ago | (#44403939)

It must be the doings of that damn bastard tripartite commission !!

We are the Trilateral Commission, and we caution you
not to get our name wrong again.

Re:that settles it (0)

Anonymous Coward | about a year ago | (#44403849)

If the court wants to order something hidden from public, they should ban such stupid shit from being installed in the first place. What you bet there are a lot of "hackers" out there watching and waiting for automotive automation to "advance" far enough for them to get the chance to play GTA with other people's cars? Don't forget, that will inherently be a much smaller number than the "crackers" who are waiting, watching, and drooling. And they get to play with the lights too! Guess when they're done with them you can drill them full of holes, fill them full of concrete and dump them in the Mariana Trench. After all, that is as close as you can get their system to "secure" right?

Re: that settles it (1)

Hamfist (311248) | about a year ago | (#44403877)

And I'm not even sure about that one...

Re:that settles it (5, Insightful)

bill_mcgonigle (4333) | about a year ago | (#44403869)

It sure is a good thing that England controls the entire Internet

Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

Re:that settles it (5, Interesting)

EmperorArthur (1113223) | about a year ago | (#44403981)

Now here's a thought.

Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

Re:that settles it (1)

fustakrakich (1673220) | about a year ago | (#44404255)

I guess they won't be going through Heathrow.

The US is hardly a safe haven [infotoday.com] .. I believe a place like Iceland would be the safest for these kinds of gatherings..

Re:that settles it (1)

Chrisq (894406) | about a year ago | (#44405003)

I guess they won't be going through Heathrow.

The US is hardly a safe haven [infotoday.com] .. I believe a place like Iceland would be the safest for these kinds of gatherings..

I understand there's also a nice hotel in the "flight side" of Moscow airport

Re: that settles it (0)

Anonymous Coward | about a year ago | (#44404737)

The UK, Germany and the Netherlands are all in the EU.

Re: that settles it (1)

gl4ss (559668) | about a year ago | (#44405015)

The UK, Germany and the Netherlands are all in the EU.

so what? now, which country does censorship of trivial things like if some footballer had been fucking some girl/dude/whatever? the UK.

UK is of these countries one that pretends you can use courts to decide what people can speak about if they happen to know.

"Reasonable time" (1)

flyingfsck (986395) | about a year ago | (#44404157)

Under English law 'a reasonable time' is usually 14 days. So unless the court put a date on it, the injunction will expire quite soon.

Re:that settles it (2, Funny)

sabri (584428) | about a year ago | (#44404165)

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

Yeah, next thing you know they'll be banning porn!

Re:that settles it (1)

91degrees (207121) | about a year ago | (#44404537)

Where are the other people going to get the information from if the people who created it can't publish it?

Re:that settles it (2)

Chrisq (894406) | about a year ago | (#44404997)

It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

I think this is the real reason behind Cameron's porn block [bbc.co.uk]. He starts off talking about porn but then when discussing details it's suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't hear.

Get moving people... (0)

Anonymous Coward | about a year ago | (#44403801)

We know the exploit exists... Now we just need to find it! Again.

too bad we don't use these zero days to take down (0)

Anonymous Coward | about a year ago | (#44403813)

too bad we don't use these zero days to take down the shitty system...

Security through obscurity? (2)

gagol (583737) | about a year ago | (#44403815)

I taught this one died 10 years ago...

Re:Security through obscurity? (0)

Anonymous Coward | about a year ago | (#44403847)

Security through obscurity will never die, because it can always go hide somewhere and not tell anyone where it has gone.

Re:Security through obscurity? (4, Insightful)

Pentium100 (1240090) | about a year ago | (#44404041)

Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot ( there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.

Same thing here - while the system is not as secure as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.

My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.

Re:Security through obscurity? (1)

subreality (157447) | about a year ago | (#44404227)

A false sense of security can be worse than just having the exploit exposed.

While obscurity will prevent widespread exploits for a while, there are other benefits: I want to be able to assess the risk myself, know how vulnerable my car is, and possibly upgrade the system if I decide it's inadequate.

Re:Security through obscurity? (1)

gweihir (88907) | about a year ago | (#44404409)

Indeed. A false sense of security increases the risk, as then people will implement less risk-mitigation measures.

Re:Security through obscurity? (1)

gweihir (88907) | about a year ago | (#44404405)

Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

I do not agree, and the whole crypto research community and secure software community does not agree either. What you forget is that this is not about physical goods, but software and algorithms. Once created, the product will be made into countless identical copies at basically zero cost per copy. Break one, and you have broken them all. The attack can be copied just as easily.

Your view has been discredited a long time ago. But there are a lot of idiots around that ignore history and established facts and come up with the same faulty view you have time and again. It just seems to be a widespread defect in the human mind.

Re:Security through obscurity? (1)

Pentium100 (1240090) | about a year ago | (#44404629)

So, if the exploit was published, the cars would be more secure than now? I mean before the manufacturers could release a patch and all affected car owners install it.

Yes, if the car manufacturers published the details (schematics and source code) for the system when they created it, someone would have found this vulnerability sooner and (hopefully) would have informed the car manufacturers who then would be able to patch it hopefully before it was installed in a lot of cars.
Publishing the exploit would only help if there was a workaround that was easily done to prevent that exploit. If there is no way to secure the system without the (currently non-existent) patch, then releasing the exploit would make it worse as it would be available to more car thieves.

Or, for example, if Sony published the source code etc for PS3 DRM, would it have taken as long to hack it?

Re:Security through obscurity? (1)

xenobyte (446878) | about a year ago | (#44405025)

Actually security through unique obscurity does work although not very efficiently on its own. This is actually used all the time in the form of hiding the internal structure of a local network for instance. This adds a level of difficulty to any attempt at penetrating as the attacker needs to find out the structure and the components and thus the possible attack vectors. If you for instance need a server to contact your evil server, messing with nameservers is a good idea, but then you need to either modify the configuration of the server (requires root) or poison the nameservers it uses. This requires that you find out how the internal network works - is it plain and simple or does it use a dedicated vlan on a secondary NIC or maybe some NAT remapping? - It might be that you cannot reach the nameserver at all except on port 53 tcp/udp, or that it simply listens for ssh on a completely different IP or network. Here the obscurity clearly helps in making the intruder work a lot harder to get what he/she wants, obviously making some simply give up and move on.

Re:Security through obscurity? (1)

mattpalmer1086 (707360) | about a year ago | (#44405049)

Well, I can't say that I speak for the entire crypto and security community, but I do work in the field and I have thought about this a bit.

"No security by obscurity" isn't meant to inform how we approach the entire process of vulnerability disclosure. It just makes the point that relying on obscurity for security will give you no real security. This is what we need people owning, building and maintaining things with security requirements to understand.

When thousands or millions of fielded products are already out there with a vulnerability, then giving the manufacturers time to fix the issue is just responsible disclosure.

Disclosing after some reasonable period of time is also responsible, as an incentive to actually fix it. We take obscurity away after some time, so they can't argue that the obscurity is all their customers need. We don't start with revealing everything when there isn't yet a fix. That makes no one more secure.

Re:Security through obscurity? (1)

mattpalmer1086 (707360) | about a year ago | (#44405091)

Sorry, replying to my own post, but I forgot to make the point I wanted to!

Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

It might confer no actual security, but taking the obscurity away straight away will definitely make no-one safer. The possibility exists that some people will be protected by the obscurity, at least in the short term. It just can't be relied upon.

Re:Security through obscurity? (0)

Anonymous Coward | about a year ago | (#44404795)

Great example! Or not. How on earth did you get votes? A sign saying where to find the key is not security to begin with.

Re:Security through obscurity? (0)

Anonymous Coward | about a year ago | (#44404151)

Please be more careful with your teachings.

Re:Security through obscurity? (1)

Opportunist (166417) | about a year ago | (#44404195)

It was a stillborn, but be honest, is that the first time people ride dead horses?

Re:Security through obscurity? (2)

fuzzyfuzzyfungus (1223518) | about a year ago | (#44404265)

I taught this one died 10 years ago...

For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.

Re:Security through obscurity? (1)

gweihir (88907) | about a year ago | (#44404371)

I taught this one died 10 years ago...

It did a lot earlier than that...to anybody that is halfway competent in the area of IT security. These people have just exposed themselves as grossly incompetent and utterly greedy. Just like a lot of other manufacturing industries, they just want to go on selling their defective products for a few more years before they do anything about it which could cause them some reduction in profits.

Re:Security through obscurity? (1)

tlhIngan (30335) | about a year ago | (#44404499)

I taught this one died 10 years ago...

Only if it's the only means of security you have.

If you already have reasonable security measures adding a layer of obscurity can make life a lot simpler.

For example, let's say you have a web application that's properly secured and only for internal use, but available externally because people need access to it. Would you put it on port 80? Or if you can, put it on another port, say 8181? People who need to use it know about it, and even if it's found accidentally, it still is secure. Just you've eliminated 99% of random hacks and other crap that people are using and thus can deal with the actual legitimate hack attacks.

You've "obscured" the actual port, but have actual security behind it. The obscurity just makes it harder to find, but it isn't the sole means of security around.

Or to avoid filling up your SSH logs with invalid access attempts from script kiddies, you could put your secured SSH system on another port, then you can review your authentication logs without the noise of script attacks and see if someone is trying to hack in.

Bottle - Genie? (1)

CoolGopher (142933) | about a year ago | (#44403841)

So how is anyone, courts included, meant to unpublish something? Unless a security researcher is saying "in X days I'll release the details on vulnerability Y" how would you even know to get a court injunction against said person? Once the cat is out of the bag, that's it.

Of course, I can then see the "logical" progression that all vulnerability disclosure must be outlawed - think of the children!

Re:Bottle - Genie? (1)

Trax3001BBS (2368736) | about a year ago | (#44403989)

So how is anyone, courts included, meant to unpublish something?

It's happened already.

Today I had a chance to read about zero day vulnerability in vehicles but passed on the article cause I've read it already, or similar (Bluetooth). A link from a site that has handles current headline news. It's been removed from that site and the sites history.

Google has this but it links to a 404,

Full Hacker News - Svay
svay.com/projects/FullHackerNews/?l=linux-kernel&m...q=raw?
18 hours ago - You can't manage this competition while sipping margaritas all day from your ..... of a single address,
followed by zero or more delimiter and single address pairs. ...... The cars are protected by a system called
Megamos Crypto, an algorithm ... Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the ...

If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

London, July 27 : A British computer scientist, who cracked security system of cars including Porsches, Audis, Bentleys and Lamborghinis, has been banned from publishing an academic paper revealing the secret codes as it could lead to the theft of millions of vehicles. - See more at: http://www.newkerala.com/news/story/47249/scientist-banned-from-publishing-research-containing-luxury-car-security-codes.html#sthash.fJvoQSgv.dpuf [newkerala.com]

That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

Re:Bottle - Genie? (2)

Trax3001BBS (2368736) | about a year ago | (#44404047)

If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:

That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.

Enamored so by the self writing javascript I posted the wrong address
https://www.usenix.org/conference/usenixsecurity13/session/attacks [usenix.org] and what this ruling blocks.

Re:Bottle - Genie? (1)

gweihir (88907) | about a year ago | (#44404417)

Simple: "The law" has only a remote connection to reality, but it does ignore that fact consistently. They are doing significant damage here, as in the future, things like this will just get published anonymously.

ridiculous (1)

Xicor (2738029) | about a year ago | (#44403845)

I would much prefer that they can be released to the public and subsequently FIXED than have a researcher sell it to criminals or use it himself to steal cars.

Re:ridiculous (2)

Z00L00K (682162) | about a year ago | (#44404637)

What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles find their way to eastern Europe.

What immobilizers do is deter joyriders and crackheads from stealing cars. The professionals already know how.

And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.

Great Idea! (0)

FuzzNugget (2840687) | about a year ago | (#44403863)

The vulnerability will surely never be exploited now, because it's simply not possible that anyone else is smart enough to figure it out. Even if they do, no thief would ever use it to steal a car right?

Seriously, how do people this stupid become judges?

Re:Great Idea! (1)

meerling (1487879) | about a year ago | (#44403921)

Actually, knowing it exists reduces the required resources by 90% or so.
Yeah, that's just a percentage I made up, but it has definitely been shown that as long as someone knows it's possible, because someone else did it, it will be repeated, and often in only a fraction of the time and other resources it took for the first one to achieve it, even if the details are kept top secret.

Re:Great Idea! (1)

lxs (131946) | about a year ago | (#44404311)

Now that post is straying dangerously close to the concept of morphic resonance [wikipedia.org] .

Re:Great Idea! (2, Insightful)

Anonymous Coward | about a year ago | (#44404361)

Seriously, how do people this stupid become judges?

Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding.

The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.

Re:Great Idea! (1)

gweihir (88907) | about a year ago | (#44404433)

Seriously, how do people this stupid become judges?

That is by design. Judges are people tasked to interpret the law like it would apply to reality. It quite obviously does not in most instances, and hence judges have to be inherently stupid. Those that are not become lawyers (what they do is stupid, but at least they get rich), or never go into the study of law in the first place.

How long have they known? (5, Interesting)

gman003 (1693318) | about a year ago | (#44403881)

It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

Re:How long have they known? (1)

Anonymous Coward | about a year ago | (#44403947)

I wouldn't be surprised if the first thing the producer of the flawed product does is immediately hit their lawyers and try to get some type of gag order before a security flaw goes public. It is a lot easier to tie up a person with litigation (or even have them arrested) than it is to actually bother fixing things.

The only real protection against this is having someone in another country have the information. If a gag order is placed, that person will reveal the details from their place. Perhaps multiple people.

Re:How long have they known? (1)

MikeBabcock (65886) | about a year ago | (#44404017)

It's not standard practice, it's a commonly requested nicety.

An awful lot of zero day exploits are so bad that people should know about them just as soon as manufacturers in order to defend themselves.

What's sick is that so many people in our day and age consider their cars, computers and everything else black boxes that should be managed from the outside instead of taking responsibility for them. I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task. Auto manufacturers for all we know played fast and loose with designing these systems -- yet another reason to push for more not less openness.

Re:How long have they known? (0)

Anonymous Coward | about a year ago | (#44404163)

Left up to the auto makers, I wouldn't be surprised if they would use news of the exploit as a method of getting people to buy new vehicles that have it fixed.

I've worked with software companies like that. Product had security issues, and they refused to fix them in one version, telling customers to pay for an upgrade or deal, as the EULA/TOS states the software vendor isn't responsible, nor has to even bother with fixes.

Re:How long have they known? (3, Interesting)

RandomFactor (22447) | about a year ago | (#44404325)

I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

This is a false dichotomy. The better answer is both.

I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

Re:How long have they known? (2)

eth1 (94901) | about a year ago | (#44404109)

Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.

It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

Re:How long have they known? (1)

Tom (822) | about a year ago | (#44404501)

If the car industry is anything like the IT industry, it will be a ton of work to even reach someone who understands what the problem is.

These days, IT has finally learnt, but I still remember times where researchers had a hard time getting their 0-days to the attention of the manufacturer because corporations have a strong tendency to make it very, very hard to identify and contact anyone on the inside who's not in sales.

Re:How long have they known? (1)

Z00L00K (682162) | about a year ago | (#44404663)

The big fish already knows how to get around the immobilizers, and the crackheads and joyriders won't care since they aren't willing to put money and effort into getting a device. The mid sector of criminals will now know that it's possible and there will be a demand on ready to use devices - provided by the big guys.

wait... but... logic... (0)

Anonymous Coward | about a year ago | (#44403887)

Banning hackers from releasing information.
This has ALWAYS worked!

ATTENTION BEAN SPILLERS !! (0)

Anonymous Coward | about a year ago | (#44403899)

Do not announce !! SPiLL !! SPiLL !! SPiLL !!

Muw haha haha !!

Re:ATTENTION BEAN SPILLERS !! (2)

EmperorArthur (1113223) | about a year ago | (#44403993)

Do not announce !! SPiLL !! SPiLL !! SPiLL !!

Muw haha haha !!

It sounds harsh, but this whole injunction and others like it are why so many people are against responsible disclosure. If you put it on the internet, then by the time someone could issue an injunction it's too late.

Expect to see this leaked/rediscovered, and then the court to blame the researcher.

Re:ATTENTION BEAN SPILLERS !! (0)

Anonymous Coward | about a year ago | (#44405109)

This. Instead of punishing people for disclosing problems in other people's products, they should fine those other people for any damages caused by bugs in their product.

But am I vulnerable? (1)

bobstreo (1320787) | about a year ago | (#44403909)

My car doesn't have power windows, or keyless entry or even remote start.

They may be able to impact my cassette player?

How will I know if I can't read the article?

Re:But am I vulnerable? (1)

sinij (911942) | about a year ago | (#44403937)

Relax, you are not vulnerable to automotive theft by virtue of driving rusted Grand Caravan.

Re:But am I vulnerable? (1)

iggymanz (596061) | about a year ago | (#44403983)

Guess again, just checked 2012 list of 10 most stolen cars in America (excludes SUV and trucks), 2000 Caravan is #5

Re:But am I vulnerable? (2)

flyingfsck (986395) | about a year ago | (#44404181)

"cassette player" I heard that 8 track players are in demand again with the over 70s nostalgia crowd...

Wouldn't it be better... (0)

Anonymous Coward | about a year ago | (#44403927)

to ban auto companies from not fixing bugs/vulnerabilities that are made public?

That's nothing compared to Black Hat (5, Interesting)

Animats (122034) | about a year ago | (#44404015)

Take a look at this year's Black Hat presentations. [blackhat.com] These are just the ones on vulnerabilities in embedded systems.

  • Compromising Industrial Facilities From 40 Miles Away
  • Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
  • Exploiting Network Surveillance Cameras Like a Hollywood Hacker
  • Fact and Fiction: Defending your Medical Devices
  • Hacking, Surveilling, and Deceiving victims on Smart TV
  • Home Invasion v2.0 - Attacking Network-Controlled Hardware
  • Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
  • Implantable Medical Devices: Hacking Humans
  • Let's get physical: Breaking home security systems and bypassing buildings controls
  • Out of Control: Demonstrating SCADA device exploitation
  • The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!

D'oh (1)

SigmaTao (629358) | about a year ago | (#44404035)

Even *if* they could suppress the details of how it's done across Britain, do they not understand that the idea that it is possible is enough for smart people to figure it out independently of this research?
Why don't they order it to be fixed rather than trying to prevent the information about it to be suppressed "somehow"?
Why don't they take it to another level and have a system implemented for identifying and solving problems like this - something like the air safety board when they investigate accidents? An automakers' software / hardware safety council?

Black hat (1)

t8z5h3 (1241142) | about a year ago | (#44404065)

This is because of black hat, this changes nothing and if anything makes the really bad hackers, the ones without a sol, move faster to put an exploit in the wild. Who of us thinks there will be a story next week about cars being stolen and driven into water as a call to action by Anonymous or LulzSec?

Ban publication? (1)

fustakrakich (1673220) | about a year ago | (#44404217)

All that does is raise the price of the exploit on the market. Oh by the way, is this 'exploit' the same thing as the repo man's kill switch?

this should be standard (1)

bob_jenkins (144606) | about a year ago | (#44404259)

It should be standard that you notify the company before releasing the flaw publicly, and it should also be standard that after some waiting period the bug should go public. Well, standard per product ... different products have different release cycles, I could see some wanting 2 months while others want 1 year. But it should be public information, that product X you should notify them first then you're allowed to report the bug publicly after n months. That waiting period should be part of the product specs.

Re:this should be standard (2)

mark-t (151149) | about a year ago | (#44404339)

Why?

While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.

It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people vulnerable for a far longer period to criminals who *DON'T* rely on publicly published media for their information.

And you know that stealing cars is already illegal, right? And that it's not exactly something that is always just as easy to get away with as, say, remotely hacking into somebody's computer. Especially in cities that have instituted bait car programs.

Re:this should be standard (5, Insightful)

frovingslosh (582462) | about a year ago | (#44404359)

On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.

okay... (1)

slashmydots (2189826) | about a year ago | (#44404315)

So tell the auto makers then wait 24 hours then tell everyone. Then it's one day.

So, we don't need Knight Rider's KITT microlock? (1)

kriston (7886) | about a year ago | (#44404317)

So, we don't need Knight Rider's KITT microlock brakes anymore? Cool. Those were pretty cumbersome 1980s technology to deal with, anyway.

stupidity won again (4, Insightful)

Tom (822) | about a year ago | (#44404449)

Yepp, the court fell for the oldest and most blatantly false argument of the full disclosure opponent.

The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.

What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.

What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintenance cycle, but don't count on it.

The next years will be a great time to be a car thief.

Re:stupidity won again (0)

Anonymous Coward | about a year ago | (#44404877)

It is a temporary injunction. At the full hearing, I would hope they check if in this case criminals likely do already know about this or not. And I would hope that even if criminals don't already know about this, they won't give VW more than a reasonable amount of time to develop a fix before allowing publication anyway. I don't think it is unreasonable to have a temporary injunction before the court actually looks at the case properly, and I don't think it unreasonable to play it safe and assume that the criminals don't have this information at this stage unless it can be trivially proven that they do.

How about, no. (0)

Anonymous Coward | about a year ago | (#44404633)

You're free to sell or otherwise not own overly complex gear you have no ability to properly secure or operate.

Re. Black Hat (0)

Anonymous Coward | about a year ago | (#44404641)

Hi, I already ran into such a problem, some cars have those infrared immobiliser "keys" and to hack those is something any 3 year old with a learning remote control and some time can do.
A similar unit with 433 MHz mod could be used so this has been public knowledge for a long time.

Did you know that under UK law, possession of a universal remote thus modified is actually classed as "going equipped" outside of a private residence? I think there have been like 4 prosecutions but none of them made the papers because it wasn't deemed interesting enough to publish.

Beware he who would deny you access to information (0)

Damouze (766305) | about a year ago | (#44404713)

For in his mind, he dreams himself your master.

Megamos RFID cracked (2)

dutchwhizzman (817898) | about a year ago | (#44404783)

Any car that uses the Megamos RFID chip to identify the key will be vulnerable. To fix this, the manufacturer will have to replace all keys and the receiver and reprogram all computers in the cars infected. VAG here has a problem with most recent Volkswagens, Audis, SEATs, Skodas, Bentleys, Lamborghinis and Porsches. Other manufacturers that rely on this system are probably affected too. Chances that VAG will proactively call back all these vehicles are extremely slim. A temporary injunction serves no purpose, unless VAG can prove without a doubt that they can and will fix this within a very short time frame. Mind you, designing a new system, testing it for security, mass producing it and recalling all cars will probably take well over a year before they can even start recalling and cost tens of billions to implement for VAG.

Why Would Anyone Buy A New Car? (0)

Anonymous Coward | about a year ago | (#44404789)

New cars come with immobilizers, exploits, remote death controls (at least in the Mercedes C250 Coupe), OnStar surveillance, and black boxes to testify against you - why the fuck would anyone buy a car made after the mid-90s? You can get a totally tricked-out and rebuilt early-90s Honda Civic that gets awesome gas mileage for way less than a new car. You can get a mind-blowing totally tricked-out and rebuilt early-90s Toyota or Nissan truck for.. well, not a whole lot less than a new one (but that's just because most of them still have 100K left on them). I'm sticking with cars that aren't my enemy, thanks.

Re:Why Would Anyone Buy A New Car? (2)

JockTroll (996521) | about a year ago | (#44405191)

why the fuck would anyone buy a car made after the mid-90s?

Soon, it will be illegal to even *own* a car without those features. You don't want to drive them, don't buy them. Boycott. Sabotage. Find out who the designers are and assassinate them. Can't make a "safe-for-teh-children" car when you have no head anymore and are buried in pieces in a shallow grave, can you?

Of course the real solution is to publish first. (0)

Anonymous Coward | about a year ago | (#44404805)

Then such censorship cannot be done.

Which law? (1)

Meneth (872868) | about a year ago | (#44404975)

What kind of law would allow a court to do this? I can't find any mention in TFA.

Also, can we get a copy of the court's decision document?

They have no choice but to go the legal route (0)

Anonymous Coward | about a year ago | (#44405149)

This is not something they can just simply patch because the crypto is inside the car key's hardware which is not updatable.
Also it should be noted that not only VW is affected, but all car manufacturers which use the Megamos transponder.

However, they must at least put up a legal fight or they will later become liable for not trying to protect their customers. They might not be able to stop the publication, but they have to at least try (despite the negative publicity) to prevent further lawsuits.

By the way, whoever suggested that the researchers should just release their findings without contacting the affected parties first: That is a surefire way to get sued with reasonable chances of success for actively aiding in the theft of vehicles.
