Print 11 comment(s) - last by krutou.. on Jul 31 at 12:29 PM

Volkswagen worried it would lead to car theft

Volkswagen has won a UK court case which will prevent a team of computer scientists from publishing a study that reveals secret codes used to start luxury vehicles. 

Mr Justice Birss of the high court ruled in favor of Volkswagen, imposing an injunction on the scientists who wrote the paper. The paper, titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser," was written by Falvio Garcia (University of Birmingham in England), Roel Verdult and Baris Ege (both from Radboud University Nijmegen in the Netherlands).

The paper detailed an algorithm -- called Megamos Crypto -- which is a security system that allows a vehicle to correctly identify its ignition key through a series of codes. 

Volkswagen argued that sophisticated criminals could use the codes to steal luxury vehicles under its umbrella including Porsches, Audis, Bentleys, and Lamborghinis. 

But the research team said that the paper wasn't written for the purpose of helping criminals. Rather, it was meant to expose flaws in security systems in order to make them better. Also, the team said that criminals may already be aware of the flaws, but the public doesn't, and they need to be armed with this knowledge. 

Volkswagen asked that the team publish a version of the paper without the codes, but Garcia and the others declined this request.  

However, the judge sided with Volkswagen's reasoning in regards to worries over theft, and imposed an interim injunction that would prevent the team from presenting the paper at the Usenix Security Symposium in Washington, DC this August. 

Source: Automotive News Europe

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

not as serious for the consumer
By daboom06 on 7/30/2013 12:40:05 PM , Rating: 2
The researchers argued that this risk was overblown since car thieves would need to run a computer program for about two days to make use of the exploit in each case.

from the bbc article:

RE: not as serious for the consumer
By Schrag4 on 7/30/2013 1:05:53 PM , Rating: 2
Running a computer program for 2 days isn't exactly hard labor. Does one need to be in close proximity to the vehicle the entire time? I guess what I'm getting at is that thieves could find a car in a parking lot where people work and simply come back once the program is done, or if the entire 2 days has to be spent next to the car, they could perhaps park next to the target car during work hours and run the progam on a laptop, for as many days as it takes.

RE: not as serious for the consumer
By Flunk on 7/30/2013 1:37:01 PM , Rating: 3
How long until that 2 days is 5 minutes? If you apply 1000x the processing power it's 2.88 minutes. You need to remember that we're currently living in a world where you can set up a huge cluster fairly quickly and cheaply and only pay for the processing time you actually use (Amazon EC2 is a great example of this).

It's too late anyway, the unedited paper was already published online. Any sufficiently sophisticated criminal already has the information.

RE: not as serious for the consumer
By Strunf on 7/31/2013 10:30:55 AM , Rating: 3
It depends on how the system works, if you basically querying the car with codes and the car only replies every other second then it doesn't really matter if you have a laptop or a cluster, VW could easily make the 2 days into 20 by just increasing the time the car takes to answer each code.

RE: not as serious for the consumer
By Owls on 7/30/2013 2:01:17 PM , Rating: 2
Exactly. Go to an airport parking lot and pick what you want to take.

RE: not as serious for the consumer
By Motoman on 7/30/2013 10:55:18 PM , Rating: 2
Hell, you could probably get a bearded old IT guy to make you a beowolf cluster out of old discarded Compaqs and get the time down to a few minutes.

Fire under their feet
By Schrag4 on 7/30/2013 12:57:37 PM , Rating: 2
Also, the team said that criminals may already be aware of the flaws, but the public doesn't, and they need to be armed with this knowledge.

I agree with their reasoning. Whether or not the codes are ultimately released, VW needs to think they will be released so that they have the incentive necessary to get it fixed. IMO it's much more irresponsible for VW to try to hide the codes and do nothing than it is for researchers to release the codes, assuming they give VW a heads up and plenty of time to fix the issue.

I don't own one of these vehicles, but I imagine if I did then I'd still take the position that I'd rather VW have serious incentive to get the issue fixed rather than hoping criminals won't exploit a known security flaw to steal their customers' cars. Any owners here? How do you feel?

RE: Fire under their feet
By Strunf on 7/31/2013 10:44:25 AM , Rating: 3
The thing is you as an owner can't do anything, and VW besides recalling all their cars can't do much either, it's not like software where a simple update and it's done, it implies recalling all the cars and the cost is thousands of times higher than what could cost an update to MS.

It's true this codes may already be on wrong hands, but it's not like all the car thieves share their tricks, by releasing the codes then ANYONE with a RF emitter could steal one of their cars, personally I would rather keep these codes within a restrict number of thieves than allow just about anyone to steal my car.

An exploit is known
By japlha on 7/30/2013 1:09:19 PM , Rating: 2
The fact is that now criminals know, at the very least, that an exploit exists and it can take 2 days to compromise. This provides some information on duplicating the scientist's results. Perhaps someone has already figured out the exploit. Whether the paper is published or not, VW should consider this system as compromised and treat it as such.

RE: An exploit is known
By krutou on 7/31/2013 12:29:15 PM , Rating: 2
Right but: "Volkswagen asked that the team publish a version of the paper without the codes , but Garcia and the others declined this request."

At least it would slow down the number of thefts giving Volkswagen more time to develop a work around.

Can be fixed
By Egglick on 7/30/2013 1:54:11 PM , Rating: 2
They should be able to correct this with a firmware update to the car, and/or new ignition keys. I'm sure it would be expensive for VW to do this across millions of vehicles, which is likely why they're dragging their feet. If I owned a 200k luxury vehicle I'd be demanding it.

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine." -- Bill Gates

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki