Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Security Bug Censorship Transportation United Kingdom

'Banned' Article About Faulty Immobilizer Chip Published After Two Years 87

An anonymous reader writes: In 2012, three computer security researchers Roel Verdult, Flavio D. Garcia and Baris Ege discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Based on the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.
This discussion has been archived. No new comments can be posted.

'Banned' Article About Faulty Immobilizer Chip Published After Two Years

Comments Filter:
  • Memo to authors who think they will be sued into silence:

    Put your pre-published papers in escrow in a country that's out of reach of any potential lawsuits, with instructions that if it is not published by a certain date that they publish it.

    Don't try this if you live in a country where you could be locked up for contempt of court for doing this (emigrate first!), and don't try this for state-secret-level stuff like nuclear-weapons-research or you will likely find yourself behind bars or otherwise "permanen

    • by swb ( 14022 )

      Does that "this will go to the press if I don't check in" failsafe actually work in real life, or only in detective fiction?

      Who provides this kind of service? My first guess would be an attorney, but that might require some explaining and some examining of information and the attorney might be unwilling to play along if they thought they would get some blowback from it.

  • by SvnLyrBrto ( 62138 ) on Thursday August 13, 2015 @02:21PM (#50311297)

    Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

    Things like this, and that nonsense that the court in Boston pulled wrt/ to the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.

    Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the terrirory of whatever court system has jurisdiction over the researchers, and a stick 30-day timer starts, after which the data is automatically and immediately released.

    • Wikileaks maybe?

    • by Etcetera ( 14711 )

      Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

      Newsflash: Fixing a problem like this in the field is harder than making a git commit and telling people to recompile.

      Also, only a dipshit with no ethics equates "vendor" with "customer" when life or limb is on the line.

      • by 0123456 ( 636235 ) on Thursday August 13, 2015 @02:35PM (#50311399)

        Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.

        • They sound like conscientious, proactive people I would like to have working for me.

          Signed,

          Dr. Evil

        • by mjwx ( 966435 )

          Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.

          Its always be easy to bypass an immobiliser... Most mechanics will know how but most mechanics have better things to do than steal cars.

          In Australia the most popular form of car theft involves stealing the keys first although with keyless start becoming standard in many base models I imagine that soon an off the shelf device that can emulate a key will soon appear in the same way crims can buy off the shelf card skimmers.

          Fortunately with Australia being so backwards, if such a device was released tomo

          • by 0123456 ( 636235 )

            In Australia the most popular form of car theft involves stealing the keys first although with keyless start becoming standard in many base models I imagine that soon an off the shelf device that can emulate a key will soon appear in the same way crims can buy off the shelf card skimmers.

            There was a news story recently about thieves using directional antennas and signal boosters to convince the car to talk to your key while you had it in your house. So they already seem to have worked that out.

      • by Anonymous Coward

        Funny how we are consumers to corporations when we are being taken advantage of and beloved customers when they need our support.

      • Odd... I seem to remember what happened when a Model S caught on fire once after running over a piece of metal that punctured the battery pack.

        I seem to remember Tesla releasing a temporary software patch, remotely, to cars "in the field" that adjusted the suspensions of the cars so that they would ride higher on the road; making it unlikely that there would be a repeat of the incident while they worked out a permanent solution: a titanium shield that they fitted to the bottom of the sled... free of charge.

    • by Cramer ( 69040 )

      Your talking about a system that's been used for 20+ years. It cannot be "patched" ('tho in older systems it can be "turned off") as it's not software. It cannot be "replaced" because it's built into many subsystems throughout the vehicle, most of which are a serious pain in the ass to even get to, much less crack open to replace a chip. (ECU, instrument cluster, ABS module, automatic transmission computer, electronic door/window modules, even the f'ing radio.)

    • Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.

      Things like this, and that nonsense that the court in Boston pulled wrt/ to the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.

      Easy fix.

      Just make it a high crime with onerous penalties to perform security vulnerability testing, release vulnerabilities, or to be complicit with either or both without both the manufacturer's and government's prior approval, either of which may withdraw consent/approval at a later date and leave researchers et al legally liable & open to prosecution ex post facto if things don't turn out to the manufacturer's and/or government's expectations.

      Problem solved! /s

      Strat

    • Agreed. The "responsible" in responsible disclosure applies to both the researcher and the company. If the company is not responsible in their behavior towards the security hole, then there's no point in the researcher being responsible either.

      Companies that have a bad track record of responsibility should have their security holes publicized immediately. After all, if they don't take their product's security seriously today, there's no reason to expect them to take their product's security seriously the ne

  • this is an information which should be cared of 2 years passed away and .. car makers did something ? a lot of fixes ? nothing ?
  • I like how Slashdot is so efficient now that they put their dupes together in the same summary:

    they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place

    Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013.

  • That's what you get for acting responsibly
  • Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?

    I'm all in favour of responsible disclosure, but years should not be required to resolve a serious security flaw.

    • Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?

      The paper may have been outside the Judge's jusisdiction, but unless they emigrate, they won't be.

      • Fair enough, but looking at the paper itself, two of the three authors live in the Netherlands, so unless they intend to travel to old Blighty, they don't live in the judge's jurisdiction. Also, presumably the paper was peer reviewed and it's possible that some of the reviewers also do not live in England and might "accidentally" release the paper into the wild.
  • by Lehk228 ( 705449 ) on Thursday August 13, 2015 @10:57PM (#50314041) Journal
    this is why all exploits should be announced first as a working exploit kit or working worm kit posted anonymously to 4chan. over and over again companies spit in the face of security research and threaten researches with civil and criminal prosecution for discovering their shoddy work.

If all else fails, lower your standards.

Working...