Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Luxury Car Hacker To Speak At USENIX Despite Injunction

Unknown Lamer posted about a year ago | from the insecurity-through-obscurity dept.

Security 70

alphadogg writes "The lead author of a controversial research paper about flaws in luxury car lock systems will deliver a presentation at this month's USENIX Security Symposium even though a UK court ruling (inspired by a Volkswagen complaint) has forced the paper to be pulled from the event's proceedings. USENIX has announced that 'in keeping with its commitment to academic freedom and open access to research,' researcher Roel Verdult will speak at the Aug. 14-16 conference, to be held in Washington, D.C. Verdult and 2 co-authors were recently prohibited by the High Court of Justice in the U.K. from publishing certain portions of their paper, 'Dismantling Megamos Crypto: Wireless Lockpicking a Vehicle Immobilizer.' Among the most sensitive information: Codes for cracking the car security system in Porsches, Audis, etc."

cancel ×

70 comments

Sorry! There are no comments related to the filter you selected.

Organized crime (4, Insightful)

pipatron (966506) | about a year ago | (#44462359)

Because if they block the documents, organized crime will never find out.

Re:Organized crime (-1)

Anonymous Coward | about a year ago | (#44462367)

If I fuck you in the ass will you eat the santorum?

Re:Organized crime (1)

Narcocide (102829) | about a year ago | (#44462447)

Relax, buddy. He's being sarcastic. I'm sure the documents will be all over the internet soon whether they block them or not.

Re:Organized crime (0)

Anonymous Coward | about a year ago | (#44462459)

You don't seem to understand that VW needs time to implement the fixes, roll it into flash images, distribute it to the dealer network, notify customers, and reflash the affected control units. The process is slightly more complicated than Windows Update, you know.

Re:Organized crime (4, Informative)

pipatron (966506) | about a year ago | (#44462523)

The original article (after clicking through a couple of blog-layers) indicates that the software leaked to the internet four years ago.

Re:Organized crime (1)

b4dc0d3r (1268512) | 1 year,30 days | (#44463501)

Jesus fucked a monkey!

Moses on a giant boat, we need to get a handle on this. We have to delete four years worth of memories. Plus however long it takes you to figure out how to delete memories. Plus however long it takes to figure out who leaked this. Get fecking started, you ass-bastards!

Oh, and the deleting of memories and independent learning need not coincide. So get something on my desk yesterday. Other than your ass gasses. We know how to create a false memory now - can we create the memory that you never invented something that you invented?

Re:Organized crime (1)

melikamp (631205) | about a year ago | (#44462529)

So what? How much time do criminals need (who, by the way, are disorganized to the extreme, even the organized part of them) to learn to use, manufacture, and distribute digital lockpicks? Probably years before they can leverage this hack on a noticeable scale. And years of time is what we will give them if we don't publish security research NOW and MAKE the vendors to repair vulnerabilities. Because let's face it: security is an afterthought, and more often no-thought to proprietary software vendors.

Re: Organized crime (4, Insightful)

Anonymous Coward | 1 year,30 days | (#44462631)

Well... http://t.today.com/news/police-admit-theyre-stumped-mystery-car-thefts-6C10169993

Re: Organized crime (0)

Anonymous Coward | 1 year,29 days | (#44464553)

"And they always seem to strike on the passenger side. Investigators don't know why."

The ignition lock / keyless go field on the steering column is facing passenger side.
Could it be, that they're aiming at the antenna integrated into it?
Keyless entry systems usually don't allow to lock the car while there's a key fob inside - could it be that they trick the car into believing that the key is still in the car, and due to a flaw in the control logic, the car unlocks the doors?

Re:Organized crime (1)

Anonymous Coward | 1 year,30 days | (#44463335)

So what? How much time do criminals need (who, by the way, are disorganized to the extreme, even the organized part of them) to learn to use, manufacture, and distribute digital lockpicks? Probably years before they can leverage this hack on a noticeable scale. And years of time is what we will give them if we don't publish security research NOW and MAKE the vendors to repair vulnerabilities. Because let's face it: security is an afterthought, and more often no-thought to proprietary software vendors.

You're right... it was years before the leveraged this hack on a noticeable scale, and it's been years of NOT publishing this info, during which the car manufacturers pretended the problem didn't exist. This isn't some 0-day exploit; the tech is already in use by organized crime (and starting to be by disorganized crime). So yes; this stuff needs to be published.

Re:Organized crime (1)

tibit (1762298) | 1 year,30 days | (#44463869)

In case of most transponder modules in keyfobs and the like, I don't think there's anything to repair short of replacing the hardware with as-of-yet vaporware. There's a reason why there's a particular vendor's chip (say Microchip's) in those keyfobs/transponder tubes. There's either nothing else available, or the alternatives are no better. You need to spin new silicon to fix this. So, first the Microchip's stuff from the keyfobs was found vulnerable due to homegrown crypto tech, now whatever is the part of this break, is there anything left out there that's not solidly broken by now?

Re:Organized crime (1)

tibit (1762298) | 1 year,30 days | (#44463861)

Is it really fixable? The stuff in the transponders is practically a fixed-function unit that can't do anything else and can't be reprogrammed, I'd think. Unless the vulnerability is explicitly in the car-side software and can be patched up.

Re:Organized crime (0)

Anonymous Coward | 1 year,29 days | (#44464339)

You can iron out many silicon bugs in firmware, it's enough if you block them from exploiting the vulnerability.
(Access control is usually just a sub-function of an integrated control unit, which offers other functions as well - diagnostics, for example, which is a popular attack vector.)
In the worst case, VW still has the option of exchanging affected control units with updated HW revisions.
But in the meantime, they'll do anything to protect the possessions of their clients, obviously. This has nothing to do with academic freedom.

(Btw, KeeLoq's vulnerability is not a new issue, so possibly Microchip and their clients already implemented some countermeasures. Also, the last vulnerability I've read about in 2008, was a side-channel attack, which involved measuring power consumption while transmitter and receiver communicated with each other. You can't really do that on the street.)

Well maybe there will be some time to fix things (4, Insightful)

Sycraft-fu (314770) | about a year ago | (#44462537)

See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away. It might be the person who discovered it is pretty clever, and has done a lot of work in that field. So it may well take others quite some time to find it out. If you want to see some examples, look at various military technologies, in particular stealth technology. You might note that that US had working stealth systems long before anyone else.

Now as this relates to security, what it means is that disclosing right away may not be that useful. Perhaps if you give some time for a fix to be implemented, or at least a mitigation, then things could be a little better. Remember with cars it isn't like one can just post a bug fix on a website. All other things aside in terms of what has to be changed, there is pretty extensive testing and certification.

So one can well argue if you've found a flaw in a car you need to notify the manufacturers and give them time to fix it or mitigate it, which may be a good deal of time, rather than running out and telling the world so people know how clever you are.

Like say I discovered that if I pushed on a particular spot in your house, the whole thing would come crashing down on your head. Turns out, said spot is not easy to fix, you can't just go and spend $5 and an hour to do it. It will take a good bit of time and money to fix the problem. Would you like me to let you know, quietly, or would you like me to stick up a poster letting anyone who sees it know, and how that nobody does anything?

Re:Well maybe there will be some time to fix thing (4, Insightful)

pipatron (966506) | 1 year,30 days | (#44462583)

Indeed. And normally in cases like this, the researchers alert the people responsible for fixing the problem in good time before publication. In some (many?) cases, the people in charge of the problem doesn't take it seriously, downplaying the risks, or plays the never ending blame-the-contractor game. In that case the only way forward is to threaten to publish the information.

I don't know what happens here, the article never mentions either scenario, but seeing how the people behind the article are serious researchers, I don't think it's very far fetched to guess that they have at least taken some sort of responsible action before publishing the paper. It says that the source code for the crypto has been available since 2009, but hard to know what that means.

Re:Well maybe there will be some time to fix thing (5, Informative)

Anonymous Coward | 1 year,30 days | (#44463297)

From http://www.bbc.co.uk/news/technology-23487928 :

"The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

So essentially they have followed the responsible disclosure protocol but are now being blocked anyway

Re:Well maybe there will be some time to fix thing (1)

kthreadd (1558445) | 1 year,30 days | (#44463837)

Nine months. That's way more than the standard 14 days. Then there's no excuse. Present.

Re:Well maybe there will be some time to fix thing (4, Informative)

tibit (1762298) | 1 year,30 days | (#44463881)

The researchers informed the chipmaker

That's the key phrase here. Most likely the chips are not field-reprogrammable. There are no measures to take short of getting new silicon out and recalling the hardware. Knowing the corporate inertia, they'd probably need a year from the date the recall decision was made to implement it and push to the dealers, if they really worked on it like crazy. Fixing crypto where the cost of another mistake may be another recall isn't something you do casually. Presumably some people with suitable theoretical background would need to be contracted and check things out before it hits the fabs. How long would deciding on a recall take I wouldn't know, but presumably not overnight either.

Re:Well maybe there will be some time to fix thing (0)

Anonymous Coward | 1 year,30 days | (#44463947)

Very likely they invented their own crypto instead of simply implementing a well established one-time-password method using standard crytographic hashing algorithms.

If that is the case they deserve to have to do a recall of all the keys and produce new ones. I am pretty sure they could have bought all the IP if they didn't have time to write all the RTL by hand. And it doesn't even need to be high performance, it just needs to do it within a second.

Re:Well maybe there will be some time to fix thing (2)

hotseat (102621) | 1 year,29 days | (#44464355)

If you read the actual court judgment, you'll find a slight nuance. The algorithm was invented by Thales. They licenced it to EM. EM and another company called Delphi make immobilizer equipment using it and then sell the kit to Volkswagen and others. The researchers informed EM; EM failed to inform anyone else. VW found out a few weeks before publication and were pissed off.

Which is not to blame the researchers (except perhaps for notifying everyone, rather than simply the maker of the one component they compromised) but it does explain why the judge was fairly scathing: "It may well not be the defendants' fault that Volkswagen were not told earlier, but once the defendants were told about Volkswagen 's concern a responsible academic, concerned with responsible disclosure, would have realised that publication should be delayed, at least for a reasonable period, to allow for discussion with Volkswagen."

Re:Well maybe there will be some time to fix thing (3, Insightful)

thsths (31372) | 1 year,29 days | (#44464573)

And I disagree. The researchers told the company of the product they found vulnerable. This is a security company - they should have measures in place to communicate the flaw up and down. The fact that they did not means they do not take security serious, and they cannot be trusted. There is nothing to fix here - the company has to get out of the security business one way or another.

Should the researchers also listen to any old guy who used a remote locking system on a shed? If I have a VW, can I block the publication because I did not have time to go to the garage yet? Where does it stop? As I see it, VW is just a customer here, and they are at the mercy of the supplier. The supplier can go to court, but VW should stay out of it.

Re:Well maybe there will be some time to fix thing (0)

Anonymous Coward | 1 year,27 days | (#44478727)

The car makers should have no extra time. Be required to pay for vehicle rentals while the luxury car owner's vehicle's get fixed. This will teach them to act fast on fixing a serious problem that should have been analyzed and tested before the car was ever even put into production!!!

Re:Well maybe there will be some time to fix thing (1)

tibit (1762298) | 1 year,30 days | (#44463875)

the researchers alert the people responsible for fixing the problem in good time before publication

This is no openssl vulnerability. Such findings require to spin new silicon, and there's no field fixes short of recalling hardware. It may well be that paying for insurance coverage for increased liability from lawsuits would be cheaper than doing a recall on presumably tens of millions of vehicles from multiple vendors.

Re:Well maybe there will be some time to fix thing (4, Insightful)

citizenr (871508) | 1 year,30 days | (#44462883)

See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away. It might be the person who discovered it is pretty clever, and has done a lot of work in that field.

History proves you wrong. Usually all it takes is the notion something is possible and vague explanation, or merely advances in other fields that make new discovery feasible. Look up parallel invention.
http://www.kk.org/thetechnium/archives/2009/08/progression_of.php [kk.org]

Re:Well maybe there will be some time to fix thing (2)

jrumney (197329) | 1 year,30 days | (#44463353)

You might note that that US had working stealth systems long before anyone else.

...or perhaps its just that other countries' stealth systems actually work.

Re:Well maybe there will be some time to fix thing (3, Insightful)

firewrought (36952) | 1 year,30 days | (#44463697)

See here's the deal: Just because one person discovers something, it doesn't magically mean that everyone else can figure it out right away.

Um, no, that pretty much is the case with computers. Unlike stealth technology (your example), you don't have to have a multi-billion dollar military-industrial partnership to accomplish something clever with computers. You've just got to spend time learning and tinkering. And these security flaws aren't some fundamental-problem-of-physics stuff... it's often just a matter of sniffing out broken/shoddy code, which is pretty much the standard output of the industry. If you think differently, you're probably one of those people who refers to your nephew as a "computer genius" because he got your email working again that one time.

Here's the other deal: companies would rather shut you up than to acknowledge and fix the flaws in their own products. They'd also rather their customers live with the risk. For many companies, it is only the threat of disclosure that makes them invest the time and resources needed to secure their systems. (I'll grant that most software companies seem to have finally accepted this reality and tackle security more heavily, but it seems that the auto companies are still trying to play legal hardball.) And most security researchers (including this one, if other comments I've seen are correct) are willing to give manufactures some advance notice (though it resulted in court troubles in thanks, apparently). But ultimately the utmost professional obligation of a security researcher is to inform the public so they can either protect themselves or force the manufacturer's hand.

Re:Well maybe there will be some time to fix thing (0)

Anonymous Coward | 1 year,30 days | (#44463997)

You might note that that US had working stealth systems long before anyone else.

Wikipedia (Stealth aircraft): The first stealth aircraft was the Horten Ho 229.

The Nazis had a working prototype aircraft and had been working on stealth subs at the end of WWII, the Wikipedia entry for stealth technology mentions 1958 for the first U.S. stealth project.

Among other things the computer was also a parallel development during WWII.

TL;DR: Get your history right

Re:Organized crime (1)

BitZtream (692029) | 1 year,30 days | (#44463397)

Thats not actually the concern.

Organized crime won't immediately go steal every Porsche on the planet because of this. Its too obvious and too dangerous for them to get busted. They aren't stupid, they don't cut off their nose to spite their face.

What you should be afraid of is every teenager being able to order a cheap 'open every car' device from China for $5. They will do something stupid like see how many cars they can steal in one day, just for shits and giggles or worse.

I'm afraid of assholes like those at Gizmodo who do think universal remotes make them cool since they can fuck with TVs at public presentations ... those are the asshats you need to be worried about having this information.

Re:Organized crime (1)

tibit (1762298) | 1 year,30 days | (#44463885)

What are those public presentations you speak of? Because I think you just made it all up. Universal "tv-zappers" are normally used for turning off annoying stuff in public spaces of some sort, yes, but it's usually for the benefit of everyone present in such space. Nofuckingbody is my corporate overlord enough for me to let them induce a headache just because they think ads blaring in a loop are a good thing to have in a waiting room.

Re:Organized crime (0)

Anonymous Coward | 1 year,29 days | (#44464373)

> What are those public presentations you speak of? Because I think you just made it all up.

Well, then think again:
http://news.cnet.com/8301-10784_3-9848317-7.html

Re:Organized crime (1)

Bing Tsher E (943915) | 1 year,29 days | (#44466161)

The TLDR for those who don't want to follow the link:

Don't Piss Off The Marketing Fucks.

UK court jurisdiction... (1)

tjlee (1695968) | about a year ago | (#44462365)

does not extend into the US where the conference will be held.

Re:UK court jurisdiction... (4, Informative)

Lunix Nutcase (1092239) | about a year ago | (#44462397)

US law does not extend outside of the US other, but people have, for example, been arrested for going to places like Thailand and having sex with underage girls and boys. He's still going to be liable to the UK court's decision unless he's never planning to return to his home country.

Re:UK court jurisdiction... (1)

Cruciform (42896) | about a year ago | (#44462425)

US law extends wherever the treaties they have with other countries allow them to.

Re:UK court jurisdiction... (0)

Anonymous Coward | 1 year,30 days | (#44463315)

"Thou shalt feed thy citizens fat-filled, floppy burgers."

Re:UK court jurisdiction... (1)

Annorax (242484) | 1 year,30 days | (#44462595)

Sounds like a perfect test case to start hacking away at the UK's continued abuse of free speech.

Re:UK court jurisdiction... (5, Insightful)

Samantha Wright (1324923) | 1 year,30 days | (#44462659)

Which is the Netherlands. A German company is taking legal action against a Dutch hacker giving a presentation in the US using British law. This is like the poster child for jurisdictional WTFery. Do all laws of all EU member states now apply to every country in the EU? That doesn't sound quite right.

Re:UK court jurisdiction... (4, Insightful)

pipatron (966506) | 1 year,30 days | (#44462721)

It's not necessary that convoluted. The legal action is taken by the UK-based court on this particular work of the UK-based researcher, working at the University of Birmingham. The original article reads as if the court almost initiated this themselves, due to an ongoing case involving Volkswagen Group. Not sure how that actually holds up.

Re:UK court jurisdiction... (0)

Anonymous Coward | 1 year,29 days | (#44464305)

This is like the poster child for jurisdictional WTFery. Do all laws of all EU member states now apply to every country in the EU?

Just ask Julian Assange, an Australian citizen hiding in the Ecuadorian embassy from a UK arrest warrant to face trial in Sweden (from where he may or may not be extradited to the US to face trial for something he did in Iceland).

Re:UK court jurisdiction... (1)

Anonymous Coward | 1 year,30 days | (#44463203)

For some things it follows citizenship rather than geography. For example the IRS will try to collect taxes from income a U.S. citizen makes anywhere in the worlk, even if they haven't ever stepped foot inside the states.

Re:UK court jurisdiction... (1)

matfud (464184) | 1 year,29 days | (#44465407)

Many places like Thailand do have laws against under age sex. If found you will be prosecuted locally. If not then a request for extradition can be placed to the US (as an example). Many countries will not comply with the extradition request as they deem the punishment in the country the offence occurred in to be unacceptable.

That does not mean the person will get away with the crime as it is often also a crime in their home country. Many countries expect their citizens to obey their own laws even while abroad (and the law of the country they are in). Hence they can be prosecuted for the offence under their own justice system.

The US is actually a bit of a git about this as they tend to refuse any extradition requests and often do not prosecute the offender. And the US military will not extradite anyone for any crime.

Re:UK court jurisdiction... (0)

Anonymous Coward | about a year ago | (#44462421)

On the other hand, EU laws probably allow the author to be extradited from the country where he lives, which is The Netherlands.

Re:UK court jurisdiction... (1)

tjlee (1695968) | about a year ago | (#44462457)

I don't know the details of the UK court order, but it seems like it was about publication of the paper. Did the court order also include a gag order to prevent speaking about the topic as well?

Re:UK court jurisdiction... (1)

Anonymous Coward | about a year ago | (#44462509)

What the UK needs to do is tell Obama to blow up Roel Verdult with a drone strike, then imprison everyone that downloads the documents and/or attends the conference in their secret prisons.

I wrote that as a joke, but then I realized it wasn't very funny because we're almost at the point where Obama could do something like that and face no punishment whatsoever from anyone.

Re:UK court jurisdiction... (0)

Anonymous Coward | 1 year,30 days | (#44463325)

almost?

Re:UK court jurisdiction... (1)

pipatron (966506) | about a year ago | (#44462535)

It doesn't seem to include a gag order, at least not from the original article in The Guardian. They don't link to the court order, however.

It also doesn't completely ban publication. First of all it's temporary, second, it allowed them to publish a paper without the specific codes. An offer they apparently refused, according to the article.

Re:UK court jurisdiction... (1)

mwvdlee (775178) | 1 year,30 days | (#44463805)

Nor does it extend to the two Dutch researchers that cooperated on the paper with the UK researcher.

Re:UK court jurisdiction... (1)

thsths (31372) | 1 year,29 days | (#44464581)

It depends on the law. Some laws apply to events outside of the UK, some do not. Some of the more serious crimes will be prosecuted world wide if a UK national or resident is involved.

All cars with keyless fobs are easy to hack (1)

jerryjnormandin (1942378) | about a year ago | (#44462519)

Have you ever used a SDR to read the transaction between a fob and a volkwagen ? It's very interesting. Also it's not encrypted. I don't know why.

Re:All cars with keyless fobs are easy to hack (2)

foniksonik (573572) | 1 year,30 days | (#44462657)

It's a one time pass like an RSA fob. It's synchronized with the cars chip so every time you use it and an exchange happens a net key pair is generated. The key pairs are useless. It's the generator algo you want. Then you'd have to sync up your extra fob with the car.

Re:All cars with keyless fobs are easy to hack (1)

TechyImmigrant (175943) | 1 year,30 days | (#44462723)

Top tip: The random number generator in these small battery operated devices is always crap. So the key establishment protocol cannot be secure.

Re:All cars with keyless fobs are easy to hack (2)

Em Adespoton (792954) | 1 year,30 days | (#44463359)

Top tip: The random number generator in these small battery operated devices is always crap. So the key establishment protocol cannot be secure.

Also, these aren't keypairs in fixed series; there is handshaking to know which keypair in the sequence to use... so you just need to know what a future key is, and keep trying it until it works. That's how they can have multiple keys for the same lock.

You Tell'em! (5, Interesting)

oldhack (1037484) | about a year ago | (#44462521)

Fuck the limey court.

Once scientists, even the dim-witted social scientists, get muzzled, the Western Civilization is finished.

Seriously, what's the difference between Ayatollah-mullah fatwas encouraging violence to cartoon drawers, and multinational industrial outfits threatening legal/financial ruins to those who tell truth to power?

Re:You Tell'em! (2)

sumdumass (711423) | 1 year,30 days | (#44462807)

Being alive or not.

and in this specific case, the guy has the option of not telling the complete story to avoid the legal/financial ruin. The court order only prohibited them from publishing discovered codes, not the methods and processes used to find them or showing it has been done.

Re:You Tell'em! (0)

Anonymous Coward | 1 year,29 days | (#44464917)

Fuck off yanky cunt. US courts allowed the arrest of a mathematician for daring to talk about cryptography because of Adobe, another US corporation. Your courts allow people to be locked up for years without being charged, your courts allow software patents, while the rest of the civilised world say they BS. Fix your own house because moaning about other countries. No wonder the US is the most hated country on the planet.

Full disclosure (0)

Anonymous Coward | 1 year,30 days | (#44462611)

Fuck the system, no negotiations, no surrender. Information is made for trickling out.

I wonder... (2)

FuzzNugget (2840687) | 1 year,30 days | (#44462737)

Were the tables turned -- if a US injunction prohibited him from publicizing the security flaw -- the US would undoubtedly be leaning on the UK to arrest him as soon as he finished his presentation (or maybe even during it). How much do you want a bet they'll tell the UK to bugger off and deal with it themselves if they are asked to do the same?

Re:I wonder... (0)

Anonymous Coward | 1 year,30 days | (#44463113)

It won't unless it involved national security or the embarrassment of the US govt. The bad diplomacy isn't worth it.

Re:I wonder... (0)

Anonymous Coward | 1 year,30 days | (#44463389)

It does make me wonder why these hackers make grande announcements weeks before they are going to go on stage? Stay what you want to say on stage, not a teaser before. That's how people get into "car accidents."

Re:I wonder... (3, Informative)

BitZtream (692029) | 1 year,30 days | (#44463423)

The UK pretty much only said 'don't publish the actual key codes you discovered, but you can talk about how you discovered them all you want.

They said 'OMG NO MUST HAVE FULL DISCLOSURE!$#^@Q^@#'

The UK doesn't really have a major problem with the publication, they just don't want half the cars in the country to suddenly be stolen by 15 year old boys who bought a $5 device from China tomorrow.

Re:I wonder... (0)

Anonymous Coward | 1 year,28 days | (#44470359)

This.
I don't get why the guys are fighting so hard to publish the codes - It has no scientific value.

At this point it seems more like they're enjoying the publicity and/or want to punish Volkswagen or the chip maker. They don't give a rat's ass about the collateral damage to the owners of the cars which will get easily stolen because of this pissing match.

Re:I wonder... (0)

Anonymous Coward | 1 year,29 days | (#44464389)

> How much do you want a bet they'll tell the UK to bugger off and deal with it themselves if they are asked to do the same?

Are you saying, that among U.S. politicians, nobody's driving a Porsche?

Deliberate misinterpretation (1)

Bovius (1243040) | 1 year,30 days | (#44463393)

I know it's not what they mean by "exotic crystals", but when I see the phrase I start thinking about mana and elemental damage. Sorry guys.

What bout Volkswagens other brands? (1)

richy freeway (623503) | 1 year,30 days | (#44464137)

They keep talking about the luxury end of the market, but what about the cheaper brands like Seat? Pretty sure this will affect them too...

Re:What bout Volkswagens other brands? (0)

Anonymous Coward | 1 year,30 days | (#44464189)

Making wild guesses here, but if you look at the differences between lowclass and luxury cars and how the keyfob is authenticated there, not many probable reasons remain.

The attack likely requires to eavesdrop a successful authentication between the keyfob and the car to discover the cryptographic key used for that car.
That's a huge problem because the transmission occurs over a very short channel, that is right between key and the ignition lock and has a range of some centimeters. In other words, it's not possible as long as the attack isn't holding up some eavesdropping device right next to your hand as you start the car.

So the attack is only feasable if you have remote ignition where you don't have to plug in the key into the ignition lock any more and the authentication takes place over long enough distances to eavesdrop. You have probably seen this kind of system where people just get into the car, throw their keys into the middle console and start the car with the press of a button.

And guess which kind of cars usually have keyless ignition :)

Re:What bout Volkswagens other brands? (0)

Anonymous Coward | 1 year,29 days | (#44464467)

Meanwhile, it's 2013, and you can order keyless access and start for even the most basic VW Golf Trendline.
Mentioning Porsche and Audi only is just pure sensationalism.

Re:What bout Volkswagens other brands? (0)

Anonymous Coward | 1 year,29 days | (#44468839)

There's a big difference between keyless entry and keyless ignition.

'mystery method' (1)

noise-randomizer (3007085) | 1 year,29 days | (#44464515)

70cm ham radio tranceiver covering ism band with >10watts eirp, sweeping with white noise. opens doors, gates etc. high power takes care of the frontend, the noise spectrum does the rest. i developed the receiver for the 'bosch blocktronic', via a subcontractor called c.e.l. not knowing who i actually worked for and what the circuit was to be used for, i was told to keep it as simple as possible. so i used a 0-v-1 frontend and a sawtooth filter for the 'better' models. the 'rotating code' is anything but random.

so without said portions. (1)

SuperDre (982372) | 1 year,29 days | (#44464753)

so their talk will be without the prohibited portions, otherwise they may just as well fire the researcher imho, as his research was done with public money which i already find a big problem as the money is better spend elsewhere than trying to crack a luxurycar's security.

Record the presentation and post online ASAP! (0)

Anonymous Coward | 1 year,29 days | (#44464817)

Record the presentation and post online ASAP!
That's the only way to handle this sort of crap, then let the Streisand effect take over.

I know that my vehicle brand, Acura, has been broken into using keyless entry system flaws - make them fix it!

Even if he can't present at the conference, a webcam, projector and a white wall is all it takes to record a presentation almost anywhere. Publishing to Youtube and Vimeo and a quick email to a DefCon group - bam! the news is out worldwide.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>