English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."

  • by gman003 ( 1693318 ) on Saturday July 27, 2013 @11:55PM (#44403881)

    It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

    If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

    And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

  • Re:that settles it (Score:5, Interesting)

    by EmperorArthur ( 1113223 ) on Sunday July 28, 2013 @12:21AM (#44403981)

    Now here's a thought.

    Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

  • by Animats ( 122034 ) on Sunday July 28, 2013 @12:31AM (#44404015) Homepage

    Take a look at this year's Black Hat presentations. [blackhat.com] These are just the ones on vulnerabilities in embedded systems.

    • Compromising Industrial Facilities From 40 Miles Away
    • Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
    • Exploiting Network Surveillance Cameras Like a Hollywood Hacker
    • Fact and Fiction: Defending your Medical Devices
    • Hacking, Surveilling, and Deceiving victims on Smart TV
    • Home Invasion v2.0 - Attacking Network-Controlled Hardware
    • Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
    • Implantable Medical Devices: Hacking Humans
    • Let's get physical: Breaking home security systems and bypassing buildings controls
    • Out of Control: Demonstrating SCADA device exploitation
    • The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!
  • by RandomFactor ( 22447 ) on Sunday July 28, 2013 @02:05AM (#44404325)

    I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

    This is a false dichotomy. The better answer is both.

    I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

  • by dutchwhizzman ( 817898 ) on Sunday July 28, 2013 @03:54AM (#44404749)

    Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

    Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.
