'Banned' Article About Faulty Immobilizer Chip Published After Two Years
An anonymous reader writes: In 2012, three computer security researchers, Roel Verdult, Flavio D. Garcia and Baris Ege, discovered weaknesses in the Megamos chip, which is widely used in immobilizers for various brands of cars. Following the official responsible disclosure guidelines, the scientists informed the chip manufacturer months before the intended publication, and they wrote a scientific article that was accepted for publication at Usenix Security 2013.
However, the publication never took place because in June 2013 the High Court of London, acting at the request of Volkswagen, pronounced a provisional ban and ruled that the article had to be withdrawn. Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013. Now, in August 2015, the controversial article Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer that was 'banned' in 2013 is being published after all.
Re: (Score:1)
If so...when did they start putting these in cars?!?!
Re: (Score:3)
Too many questions makes Jack a potential terrorist.
Re: (Score:1)
Too many questions makes Jack a potential terrorist.
Not asking too many questions makes Jack a potential terrorist.
FTFY
Re: (Score:1)
As a long time Slashdot user, I know better than to actually read the articles, or Google myself before posting questions.
Just keep on here...you'll catch on soon.
Re: (Score:1)
Is any user ID below 1,000,000 considered low these days?
Hmm... I guess maybe I have been here for a while, but I too was wondering: What the hell is an immobilizer chip?
Never mind, I know how to use Google.
Re: (Score:1)
I know, right ... (waiting for lower number to one up me)
Re: (Score:3, Funny)
Hi!
(Sorry, nothing to see here, move along)
Re: (Score:1)
#3788, you skipped an order of magnitude on us.
Patience is a virtue.
Re: (Score:1)
HEY GUYS WHAT'S GOING ON?
Re: (Score:2)
Am I too late to join this party?
Yes. Moose out front shoulda told ya.
Re: (Score:1)
A little lower - Fall, 1999.
Re: (Score:2)
If not the same day, the same week as me.
Re: (Score:1)
I don't own a VW (BMW), but an "immobilizer chip" is an anti-theft system where a transponder (or other rolling code generator) in the key / smart fob will generate a code. The code may be transmitted wirelessly or via a conductor path (for those cars that still use a physical key). If the code from the fob matches that of the immobilizer, the engine will be allowed to start. If the code does not match, the engine will not start. Some immobilizer systems can transmit the vehicle's GPS coordinates so the vehicle can
Re:Ahhh, well. (Score:5, Informative)
An immobiliser is a device used to prevent the engine of a car from running unless the correct key is used (this may or may not be the same key as used for the ignition). The first immobiliser was patented in 1919, although I wouldn't describe that as an "immobiliser chip" because that pre-dates integrated circuits. Anyway, immobilisers have been commonplace for many decades, and even mandatory for all cars in a number of countries since the '90s.
Normally you need a key to turn the ignition, but a car thief can reconnect the wiring to bypass the ignition lock and send power to the engine (this is known as "hot-wiring"). The immobiliser is there to prevent hot-wired cars from starting, making it considerably more difficult to steal them. That's all there is to it, really - it's not a remote-control shutdown switch.
Re: (Score:2)
My Capri had a hidden switch somewhere under the carpet on the driver's side of the central column just in front of the seat.
Then I fitted a Thatcham alarm system which came with its own one. So I had two. No twocer was going to be able to start *my* car...
Re: (Score:3, Funny)
Dude... It was a Capri. I'd be surprised if you could start it at all.
as for how they work (Score:2)
Immos are just a backup electronic key embedded in your real key. They either work by contacts on the key, or by radio with a little loop antenna wrapped around the ignition lock, and the radio tag embedded in the head of the key. The key immo code has to match the immo code in the pcm or whatever, e.g. these immo chips. And then the car either doesn't get started, or it gets killed after getting started. The function tends to be built into the pcm, but there's also matching codes in other modules most time
Re: (Score:2)
Perhaps you have an American car?
Not all are that simple. The more common method, at least in Japanese cars, is to have a code stored in the ECU and the immobiliser. The code sent from the immobiliser must match the one stored in the ECU. It's not a simple enable line.
That's how it worked in my 15 year old Subaru, my 10 year old Honda and 9 year old Mazda.
Re: (Score:2)
Just about all cars made in the last several years have immobilizer chips in their keys. When you start the car, the chip is read and the car won't start if it is missing or has an unknown identifier. If you've ever had to replace a key, this is why that is so expensive.
It's designed to make cars harder to steal. There is no remote capability.
Re: (Score:2)
Most importantly, there's a big difference between a new car with electronic paranoia shit like that, and a 5- or 10-year old car with that shit.
I'm going to guess that most new car buyers sell a car before 5 years, for the simple reason that they wouldn't likely be buying new cars if they didn't keep selling their old ones. So guess what, they probably won't have to deal with that shit breaking, and now the people who buy used cars are going to have to deal with it as these cars find their way into the us
Re: (Score:2)
Immobilizer chip = the thing that makes it harder to start the car without the thing that talks to the immobilizer chip and tells it that it's OK to start. Basically it should make it impossible to start the car by connecting two wires behind the steering wheel. It's the thing that makes just making a physical copy of your key pattern useless for stealing your car.
It's not like there haven't been craploads of articles on them on Slashdot before, you know..
Memo to authors - put pre-prints in escrow abroad (Score:2)
Memo to authors who think they will be sued into silence:
Put your pre-published papers in escrow in a country that's out of reach of any potential lawsuits, with instructions that if it is not published by a certain date that they publish it.
Don't try this if you live in a country where you could be locked up for contempt of court for doing this (emigrate first!), and don't try this for state-secret-level stuff like nuclear-weapons-research or you will likely find yourself behind bars or otherwise "permanen
Re: (Score:2)
The issue here is that this isn't like a piece of computer software where you can disclose the vulnerability to the vendor, give them a few months to push a patch and then go public.
The only way Volkswagen and the many other car makers using this Megamos cryptography chip can fix their cars to not be vulnerable would be to replace both the computer system responsible for the immobilizer AND the keys/remotes/etc that talk to it. That would be a VERY expensive exercise.
And what about cars that are old eno
Re: (Score:2)
Does that "this will go to the press if I don't check in" failsafe actually work in real life, or only in detective fiction?
Who provides this kind of service? My first guess would be an attorney, but that might require some explaining and some examining of information and the attorney might be unwilling to play along if they thought they would get some blowback from it.
Re: (Score:1)
If you are injuncted against publishing in your country, having someone else publish it somewhere else counts as you publishing it.
I doubt it.
I don't see how this timeline can be "contempt of court" in a country that actually (vs. theoretically) values free speech, etc.:
* Monday I put information in escrow abroad, saying "no matter what, release this a year from now, and if I or anyone else contacts you in this manner between now and then, release it immediately"
* Tuesday, I contact a company and share my disclosure with them
* Wednesday I get an injunction
* Thursday I fight the injunction and notify the judge of what I did on Monday
*
Correction on "Wednesday" - I RECEIVE an injunction (Score:1)
Meant to say "On Wednesday I receive an injunction barring disclosure".
Re: (Score:2)
And emigration isn't hard, nor does it leave you in places you don't want to be. Plenty of places are better than the US. And the way US corporations work, if you contact a US company with something, they'll get a US injunction against you. Yes, if they were to file it where you are, then it'd be more effective.
Way to encourage responsible disclosure. (Score:5, Interesting)
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Things like this, and that nonsense that the court in Boston pulled wrt the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.
Maybe there's a place for a network of "vulnerability escrow" services. Submit the vulnerability simultaneously to the vendor and the service, which would have to reside outside of the territory of whatever court system has jurisdiction over the researchers, and a strict 30-day timer starts, after which the data is automatically and immediately released.
It's patch-able in principle (Score:1)
If they just replaced the chip - and whatever device it was contained inside (engine block? entire car? let's hope not) with a patched chip or, more likely, a dummy chip that didn't have any purpose other than to say "no, sorry, function disabled" whenever it was asked to do something, that would patch the vulnerability.
Re: (Score:3)
The way this works is that when you start one of the cars with this security hardware in it a chip in your car key talks to a chip inside the cars computer using secrets stored in both chips. If the secrets match, the car will start.
What the researchers figured out was a way to start the car without having the correct key.
Even if they had chips that were 100% compatible in hardware and software but with a new more secure algorithm, the cost to replace all of the chips in every car and every key (and to prog
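The handshake this comment describes (a secret held on both the key chip and the car's computer, compared at start time), as an added example that is not code from the paper, the thread, or any real immobilizer: a simplified challenge-response model in which HMAC stands in for the proprietary cipher and the 8-byte widths and key ids are constructed for the illustration. It shows the three outcomes a defender cares about: an enrolled key starts the car, an unknown identifier does not, and an answer recorded from an earlier start is rejected because the car issues a fresh challenge each time.

```python
import hashlib
import hmac
import os

# Simplified model of the handshake described above. The car challenges, the
# key answers with a function of the shared secret and the challenge, and the
# car compares. HMAC stands in for the proprietary cipher (an assumption), and
# the 8-byte challenge/response widths are chosen for the example only.

def prf(secret, key_id, challenge):
    return hmac.new(secret, key_id + challenge, hashlib.sha256).digest()[:8]


class Transponder:
    """Key-side chip: an id plus a secret enrolled in one car."""
    def __init__(self, key_id, secret):
        self.key_id, self.secret = key_id, secret

    def respond(self, challenge):
        return prf(self.secret, self.key_id, challenge)


class Immobilizer:
    """Car-side module holding the secrets of all enrolled keys."""
    def __init__(self):
        self.enrolled = {}

    def enrol(self, key):
        self.enrolled[key.key_id] = key.secret

    def new_challenge(self):
        return os.urandom(8)          # fresh on every start attempt

    def authorise_start(self, key_id, challenge, response):
        secret = self.enrolled.get(key_id)
        if secret is None:
            return False              # unknown identifier: engine stays off
        return hmac.compare_digest(prf(secret, key_id, challenge), response)


def start_attempt(car, key):
    """One complete start: car challenges, key answers, car decides."""
    challenge = car.new_challenge()
    return car.authorise_start(key.key_id, challenge, key.respond(challenge))


def replayed_answer_accepted(car, key):
    """Record a valid answer from one start and present it on a later start.
    The later challenge differs, so the recorded answer is rejected."""
    recorded = key.respond(car.new_challenge())
    return car.authorise_start(key.key_id, car.new_challenge(), recorded)


def demo():
    car, good = Immobilizer(), Transponder(b"KEY00001", os.urandom(16))
    car.enrol(good)                                       # constructed sample key
    stranger = Transponder(b"KEY09999", os.urandom(16))   # never enrolled
    return (start_attempt(car, good), start_attempt(car, stranger),
            replayed_answer_accepted(car, good))
```

`demo()` returns `(True, False, False)`; a key that only reports a fixed code would make the third value `True`, which is the difference the thread is circling around.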
Re: (Score:3)
> Even if they had chips that were 100% compatible in
> hardware and software but with a new more secure
> algorithm, the cost to replace all of the chips in every
> car and every key (and to program the cars and keys
> with the correct secrets so that the right keys will
> open the right cars) would be astronomical.
So what? They released a defective product. The onus is on them to make things right. Their "shoot the messenger" approach is wholly unacceptable.
I'm sure Honda, Toyota, and so o
Re: (Score:2)
So what are they doing? That's the question that none of the articles on this subject seem to address. Do owners of these vulnerable cars get a free upgrade? Under UK law they would seem to be due a free fix, due to the security features of the vehicle not being "fit for purpose". If anyone had their VW mysteriously stolen in the last couple of years and had to take the insurance hit, they should be talking to VW about compensation.
It seems like VW is just ignoring this problem, or at least there has not be
Ah, that's all it is (Score:1)
Okay, so the immobilizer functionality has been defeated, and the only "harm" is that it makes your car easier to steal. Other than that, it doesn't interfere with your normal use of the car.
I'd be much more worried if they figured out a way to permanently immobilize your car or install a back-door so they could control it remotely at a later date.
Re: (Score:2)
It's an immobilizer.
If you replace it with a chip that says "no, sorry, function disabled" that's either going to be "never let the car start" or "always let the car start"
That's worse than doing nothing.
Re: (Score:1)
Wikileaks maybe?
Re: (Score:2)
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Newsflash: Fixing a problem like this in the field is harder than making a git commit and telling people to recompile.
Also, only a dipshit with no ethics equates "vendor" with "customer" when life or limb is on the line.
Re:Way to encourage responsible disclosure. (Score:5, Insightful)
Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.
Re: (Score:3)
They sound like conscientious, proactive people I would like to have working for me.
Signed,
Dr. Evil
Re: (Score:2)
Newsflash: the bad guys are busy finding these kind of holes and exploiting them, and don't wait for a court to tell them they're allowed to.
It's always been easy to bypass an immobiliser... Most mechanics will know how, but most mechanics have better things to do than steal cars.
In Australia the most popular form of car theft involves stealing the keys first, although with keyless start becoming standard in many base models I imagine that an off-the-shelf device that can emulate a key will soon appear, in the same way crims can buy off-the-shelf card skimmers.
Fortunately with Australia being so backwards, if such a device was released tomo
Re: (Score:2)
In Australia the most popular form of car theft involves stealing the keys first, although with keyless start becoming standard in many base models I imagine that an off-the-shelf device that can emulate a key will soon appear, in the same way crims can buy off-the-shelf card skimmers.
There was a news story recently about thieves using directional antennas and signal boosters to convince the car to talk to your key while you had it in your house. So they already seem to have worked that out.
Re: (Score:1)
Funny how we are consumers to corporations when we are being taken advantage of and beloved customers when they need our support.
Pure trash (Score:3)
Who cares how long the development time is? When a company has a dangerous product, the Press is supposed to ensure the product gets fixed. Imagine if the Dell Laptop battery issue was put under a gag order for 2 years. Dell and the court knew that it could catch fire causing death and injury, but did not want to hurt Dell's profit margins.
I have no idea why people lose any established logic because something is Electronic versus Mechanical. If a person could hit a car a certain way and cause the transm
Re: (Score:2)
Odd... I seem to remember what happened when a Model S caught on fire once after running over a piece of metal that punctured the battery pack.
I seem to remember Tesla releasing a temporary software patch, remotely, to cars "in the field" that adjusted the suspensions of the cars so that they would ride higher on the road; making it unlikely that there would be a repeat of the incident while they worked out a permanent solution: a titanium shield that they fitted to the bottom of the sled... free of charge.
Re: (Score:2)
You're talking about a system that's been used for 20+ years. It cannot be "patched" ('tho in older systems it can be "turned off") as it's not software. It cannot be "replaced" because it's built into many subsystems throughout the vehicle, most of which are a serious pain in the ass to even get to, much less crack open to replace a chip. (ECU, instrument cluster, ABS module, automatic transmission computer, electronic door/window modules, even the f'ing radio.)
Re: (Score:3)
Two years? That's outrageous. Any vendor that takes that long to patch their holes *deserves* to get zero-day'd.
Things like this, and that nonsense that the court in Boston pulled wrt the researchers and their DEFCON presentation, really sour me on the idea of "responsible disclosure." If the result of my courtesy is going to be a lawsuit and a gag order, I'd not be particularly inclined to offer vendors the courtesy in the first place.
Easy fix.
Just make it a high crime with onerous penalties to perform security vulnerability testing, release vulnerabilities, or to be complicit with either or both without both the manufacturer's and government's prior approval, either of which may withdraw consent/approval at a later date and leave researchers et al legally liable & open to prosecution ex post facto if things don't turn out to the manufacturer's and/or government's expectations.
Problem solved! /s
Strat
Re: (Score:2)
Agreed. The "responsible" in responsible disclosure applies to both the researcher and the company. If the company is not responsible in their behavior towards the security hole, then there's no point in the researcher being responsible either.
Companies that have a bad track record of responsibility should have their security holes publicized immediately. After all, if they don't take their product's security seriously today, there's no reason to expect them to take their product's security seriously the ne
but what about the car makers? did they do their job too? (Score:1)
Great, now we're duping in the same summary (Score:2)
I like how Slashdot is so efficient now that they put their dupes together in the same summary:
they wrote a scientific article that was accepted for publication at Usenix Security 2013. However, the publication never took place
Two years ago, the lead author of a controversial research paper about flaws in luxury car lock systems was not allowed to give any details in his presentation at Usenix Security 2013.
A ban (Score:2)
Am I the only one? (Score:2)
Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?
I'm all in favour of responsible disclosure, but years should not be required to resolve a serious security flaw.
Re: (Score:2)
Am I the only one who thought that they ought to have posted the paper on-line on a site outside the jurisdiction of the judge in question?
The paper may have been outside the judge's jurisdiction, but unless they emigrate, they won't be.
4chan (Score:3)