Forgot your password?
typodupeerror
Transportation Bug Censorship Security United Kingdom

English High Court Bans Publication of 0-Day Threat To Auto Immobilizers 168

Posted by timothy
from the driving-on-the-wrong-side-would-work-too dept.
An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."
This discussion has been archived. No new comments can be posted.

English High Court Bans Publication of 0-Day Threat To Auto Immobilizers

Comments Filter:
  • that settles it (Score:5, Insightful)

    by frovingslosh (582462) on Saturday July 27, 2013 @11:23PM (#44403767)
    It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.
    • by gmuslera (3436)
      And the manufacturers won't have to worry about fixing that vulnerability for long time (or do a fake, incomplete, not certifiable, or open to even more vulnerabilities fix)
      • Re:that settles it (Score:5, Informative)

        by hutsell (1228828) on Sunday July 28, 2013 @12:03AM (#44403915) Homepage

        Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

        The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

        Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

        It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

        • Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:

          The University of Birmingham's Flavio Garcia, British computer scientist, cracked the security system by discovering the unique algorithm that allows the car (Porsches, Audis, Bentleys and Lamborghinis — leaves me out) to verify the identity of the ignition key.

          Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.

          It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?

          It can only be temporary. Cat's out of the bag anyway, and while they are banned to publish the details, any "Yep. still there" six months of now would pit owners and insurance companied vs manufacturers, with manufacturers losing for having known, and not acted upon, a problem with their car.

          • by raymorris (2726007) on Sunday July 28, 2013 @12:57AM (#44404089)
            Generally temporary injunctions like this are just until there is a full hearing. Volkswagen will probably have a fix in place by then, but the main purpose is to avoid doing irreversible damage until there can be a full hearing on the facts.

            A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.

            Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect of the or intent of the injunction.
            • by Tom (822)

              A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.

              Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the courts opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary i

            • How do they fix this? They can put a new firmware in cars easily enough, but the many already on the road have no auto-update capability, and the typical driver isn't even aware their car has firmware. Assuming it's something that can be updated - I wouldn't be surprised if this is handled by a chip that needs to be physically replaced by a garage.

              • that's Easy, Just Tell The Owners That Their floormats Cause The Problem, And Fix It While Those Are Being Replaced.
              • by icebike (68054)

                Its most likely firmware, and as for the auto update capability, any car new enough to have this feature will have an update capability, because almost every car gets software updates.

                Not all are applied, especially after the car is out of warranty, or resold, but most people have these updates applied at their next service. Very few people buy a new car and then never visit the dealership again.

          • by morcego (260031)

            Keeping in mind; temporarily banned.(...)

            It can only be temporary. (...)

            Yeah, just like the copyright is temporary... What is it these days, 50 years AFTER the death of the creator? I stopped checking because, for all practical purposes, you can just consider it "forever" and it will work...

        • Re:that settles it (Score:5, Informative)

          by Anonymous Coward on Sunday July 28, 2013 @12:59AM (#44404103)

          The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

          In real life, the powers that be want the guy muzzled.

          The lesson learned is to do one of three things if finding an exploit:

          1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

          2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

          3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

          • by isorox (205688)

            In real life, the powers that be want the guy muzzled.

            If the UK they use the courts to block the publication of the paper

            In the US they use the CIA to murder the author [reuters.com]

          • by jbolden (176878)

            The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

            US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.

            US Const Am 16: The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.

            The constitution is ab

            • by alexgieg (948359)

              US copyrights are supposed to be "temporary".

              US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times (...)

              The constitution is about as non-temporary as you can get.

              Care to explain in which way "limited Times" would be synonymous to "non-temporary" rather than to "temporary"?

              • by jbolden (176878)

                The existence of copyright law is meant to be permanent. Copyrights themselves on each particular iten are meant to be of limited duration.

            • by securing for limited Times to Authors

              Once it surpassed the author's death, the farce could no longer be denied. Fortunately for Congress, they're held to the Constitution in less than 1% of cases.

              It's funny how some people still pretend it's the controlling law.

            • Copyrights with a theoretical duration of nearly 2 centuries (max human lifespan plus 70 years) is kinda stretching the definition of the word "temporary".

              • by jbolden (176878)

                I agree with you. But GP was saying something about income tax as a temporary measure and that was the context on the copyright post.

          • The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".

            In real life, the powers that be want the guy muzzled.

            The lesson learned is to do one of three things if finding an exploit:

            1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.

            2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.

            3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.

            You seem to use "anonymous" when referring to accessing the internet and publishing something damning as if it were the same magic spell that idiots use when invoking "encryption" with data protection. There are only a few sources that this info could come from (in most cases) to be seen as credible, and only a few places worthwhile to publish it and have effect. What makes you think the author would remain anonymous for very long? Certainly, not long enough for statues of limitation to run out on any legal

            • by icebike (68054)

              From TFA:

              the two other authors Roel Verdult and Baris Ege, both of Radboud University Nijmegen are not in or from the UK so it’s not clear to me how effective the injunction would be against them if they opted to defy it.

              So it doesn't follow that just because the paper is released that the enjoined person released it. The injunction does not reach to Germany, nor does it reach to the peers in other countries that may have provided peer review.

              The fact that the injunction was issued at all speaks to the judge's lack of knowledge as to who Barbra Streisand is, and why she is germane to this issue.

        • by hairyfeet (841228)

          I hate to say it but this kind of crap is why its stupid to be a white hat. you just watch the car manufacturers won't do a damned thing about this weakness and if he says shit, hell even if he doesn't they will probably sue him for "giving those black hats ideas" which of course they would NEVER have had if it weren't for this guy.

          Too many times we have seen those that try to do the right thing in this field told to muzzle it or even having companies go for the classic shoot the messenger, from companies

    • Re:that settles it (Score:5, Insightful)

      by gagol (583737) on Saturday July 27, 2013 @11:33PM (#44403809)
      Not only that, if I had a recent vehicle, I would want to get the exploit public so the car manufacturer have an incentive to ACTUALLY FIX the problem.
      • Re:that settles it (Score:5, Insightful)

        by meerling (1487879) on Saturday July 27, 2013 @11:59PM (#44403903)
        I suspect the criminals don't want that. They probably want to keep the info under wraps for as long as possible so the manufacturer has little incentive to fix it while they continue to use it for their illicit advantage.

        Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.
      • Re:that settles it (Score:5, Insightful)

        by Opportunist (166417) on Sunday July 28, 2013 @01:22AM (#44404183)

        Not only that, but to have a claim against insurance when (not if) this blows.

        It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.

        It is VITAL that not only manufacturers but also insurances get this information!

      • by dutchwhizzman (817898) on Sunday July 28, 2013 @03:54AM (#44404749)

        Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.

        Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.

        • by drinkypoo (153816)

          I solved this problem by buying a 1982 Mercedes. Nobody wants to steal it.

        • by Cederic (9623) on Sunday July 28, 2013 @10:00AM (#44405865) Journal

          erm. BMW did fix this, and upgraded the software in my car for free with the fix.

        • by mpe (36238)
          Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house.

          Note that "in house" actually ment "at every BMW dealership" rather than "only at BMW HQ in Munich". They may well have not made any of the parts of the system th
        • by nazsco (695026)

          Moron. It's a feature. Bmw is the only that you can get a blank from the dealer from less than $30 and program it following instructions from the users manual.

        • by nosferatu1001 (264446) on Sunday July 28, 2013 @01:07PM (#44406997)

          Misinformation abounds...

          This. Problem. WAS. fixed. Through a recall, and an update during routine service.

          Disclosure: I work for BMW UK. The storm we had following watchdog didnt help.

    • Re:that settles it (Score:5, Insightful)

      by bill_mcgonigle (4333) * on Saturday July 27, 2013 @11:50PM (#44403869) Homepage Journal

      It sure is a good thing that England controls the entire Internet

      Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.

      So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.

      • Re:that settles it (Score:5, Interesting)

        by EmperorArthur (1113223) on Sunday July 28, 2013 @12:21AM (#44403981)

        Now here's a thought.

        Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.

    • Under English law 'a reasonable time' is usually 14 days. So unless the court put a date on it, the injunction will expire quite soon.
    • Re: (Score:3, Funny)

      by sabri (584428)

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      Yeah, next thing you know they'll be banning porn!

    • by Chrisq (894406)

      It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.

      I think this is the real reason behind Cameron's porn block [bbc.co.uk]. He starts off talking about porn but then when discussing details its suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't here

  • by gagol (583737) on Saturday July 27, 2013 @11:34PM (#44403815)
    I taught this one died 10 years ago...
    • by Pentium100 (1240090) on Sunday July 28, 2013 @12:36AM (#44404041)

      Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

      For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot ( there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.

      Same thing here - while the system is not as as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.

      My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.

      • A false sense of security can be worse than just having the exploit exposed.

        While obscurity will prevent widespread exploits for a while, there are other benefits: I want to be able to assess the risk myself, know how vulnerable my car is, and possibly upgrade the system if I decide it's inadequate.

        • by gweihir (88907)

          Indeed. A false sense of security increases the risk, as then people will implement less risk-mitigation measures.

      • by gweihir (88907)

        Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.

        I do not agree, and the whole crypto research community and secure software community does not agree either. What you forget is that this is not about physical goods, but software and algorithms. Once created, the product will be made into countless identical copies at basically zero cost per copy. Break one, and you have broken them all. The attack can be copied just as easily.

        Your view has been discredited a long time ago. But there are a lot of idiots around that ignore history and established facts and

        • So, if the exploit was published, the cars would be more secure than now? I mean before the manufacturers could release a patch and all affected car owners install it.

          Yes, if the car manufacturers published the details (schematics and source code) for the system when they created it, someone would have found this vulnerability sooner and (hopefully) would have informed the car manufacturers who then would be able to patch it hopefully before it was installed in a lot of cars.
          Publishing the exploit would onl

          • by gweihir (88907)

            It goes the other way round: If the exploit is not published, the security level will eventually sink very low for a very long time. If it is publishes, it is very low for a short time. But that is not the main effect. If the vulnerability is published, future car designs will be made more secure and manufacturers will actually listen to people finding vulnerabilities and be able and willing to do something about the problems.

            Looking as a single incident and then at an isolated part of its future is _not_ a

            • The fundamental problem is that cars are kind of like American Android phones... consumers are mostly powerless to do *anything* to fix vulnerabilities, and carriers won't do anything they aren't forced to do by law. And the law itself is only slightly less castrated and toothless than consumers.

              If a car suddenly becomes something you can't safely use (or at least leave unattended in a non-secure location), there's no meaningful immediate recourse for consumers, and that's a real problem with real consequen

        • by xenobyte (446878)

          Actually security through unique obscurity does work although not very efficiently on its own. This is actually used all the time in the form of hiding the internal structure of a local network for instance. This adds a level of difficulty to any attempt at penetrating as the attackers needs to find out the structure and the components and thus the possible attack vectors. If you for instance need a server to contact your evil server, messing with nameservers are a good idea, but then you need to either mod

          • by gweihir (88907)

            You model is flawed. True, if that were a single, not important network and the structure were significantly different from other such networks, a temporary positive effect would be observable. But that is not the case. What happens instead is that the attackers adapt and build network mapper tools. They are quire advanced by now, just have a look into the literature. And then things get worse as they would have been without the obscurity: Attackers can easily get all the information they want, while people

        • Well, I can't say that I speak for the entire crypto and security community, but I do work in the field and I have thought about this a bit.

          "No security by obscurity" isn't meant to inform how we approach the entire process of vulnerability disclosure. It just makes the point that relying on obscurity for security will give you no real security. This is what we need people owning, building and maintaining things with security requirements to understand.

          When thousands or millions of fielded products are al

          • Sorry, replying to my own post, but I forgot to make the point I wanted to!

            Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

            It might confer no actual security, but taking the obscurity away straight away will definitely make no-one safer. The possibility exists that some people will be protected by the obscurity, at least in the short term. It just can't be relied upon.

            • by gweihir (88907)

              Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.

              I strongly disagree. The problem is that incompetent people (management) routinely misunderstands this and expect that obscurity does give them real and strong security, and hence neglect to implement measures that actually work as they are "not needed" and the expenses can be saved (and funneled into bonuses, for example, or better "performance" numbers). Hence security by obscurity makes you significantly less secure in a very real sense in the typical case. The other thing is that obscurity is _very_ eas

              • I think we're actually in violent agreement. I completely agree that obscurity doesn't give you any real security, and yes people need to understand this.

                But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

                If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some

                • by gweihir (88907)

                  But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.

                  If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerablities immediately before a fix can be prepared does not weaken anyone's security...?

                  The problem here is the "reasonable mount of time". Many industry players take that to mean "forever" or "until the next major release or the one after that", and that is just not acceptable in most cases. The thing is that using unsuitable values for "reasonable amount of time" does establish precedent, and any time somebody goes along with such an unsuitable value makes _everything_ that is subject to security flaws less secure. This is about setting standards.

                  That said, if a vendor truly has problems fix

          • by gweihir (88907)

            If the manufacturers are rational, you are certainly right, and the whole "responsible disclosure" school of thought agrees. The problem is that many people practicing responsible disclosure run into manufacturers that do absolutely nothing in their grace period except preparing to suppress the information. After having been subjected to that or having observed it, it becomes obvious that responsible disclosure does not work with a large part of the industry. As a result, people that want to disclose observ

        • by pakar (813627)

          It does work and does help out quite a bit...

          If you take 2 products that does the same thing. The product-lifetime is ~3 years and new firmware is required every 3 months for it to continue working.
          Product 1 have security features X,Y,Z and use obfuscation to make it extremely hard to actually do reverse-engineering on.
          Product 2 have security features X,Y,Z.
          (X,Y,Z is the same code implemented on both products)

          What product do you think will be first to be attacked? If you make the reverse-engineering for the

    • It was a stillborn, but be honest, is that the first time people ride dead horses?

    • I taught this one died 10 years ago...

      For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.

    • by gweihir (88907)

      I taught this one died 10 years ago...

      It did a lot earlier than that...to anybody that is halfway competent in the area of IT security. These people have just exposed themselves as grossly incompetent and utterly greedy. Just like a lot of other manufacturing industries, they just want to go on selling their defective products for a few more years before they do anything about it which could cause them some reduction in profits.

    • by tlhIngan (30335)

      I taught this one died 10 years ago...

      Only if it's the only means of security you have.

      If you already have reasonable security measures adding a layer of obscurity can make life a lot simpler.

      For example, let's say you have a web application that's properly secured and only for internal use, but available externally because people need access to it. Would you put it on port 80? Or if you can, put it on another port, say 8181? People who need to use it know about it, and even if it's found accidentally, it s

  • So how is anyone, courts included, meant to unpublish something? Unless a security researcher is saying "in X days I'll release the details on vulnerability Y" how would you even know to get a court injunction against said person? Once the cat is out of the bag, that's it.

    Of course, I can then see the "logical" progression that all vulnerability disclosure must be outlawed - think of the children!

    • So how is anyone, courts included, meant to unpublish something?

      It's happened already.

      Today I had a chance to read about zero day vulnerability in vehicles but passed on the article cause I've read it already. or similiar (BlueTooth). A link from a site that has handles current headline news. It's been removed from that site and the sites history.

      Google has this but it links to a 404,

      Full Hacker News - Svay
      svay.com/projects/FullHackerNews/?l=linux-kernel&m...q=raw?
      18 hours ago - You can't manage this competition while sipping margaritas all day from your ..... of a

    • by gweihir (88907)

      Simple: "The law" has only a remote connection to reality, but it does ignore that fact consistently.They are doing significant damage here, as in the future, things like this will just get published anonymously.

  • i would much prefer that they can be released to the public and subsequently FIXED than have a researcher sell it to criminals or use it himself to steal cars.
    • by Z00L00K (682162)

      What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles finds their way to eastern Europe.

      What immobilizers do are to deter joyriders and crackheads from stealing cars. The professionals already know how.

      And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.

  • by gman003 (1693318) on Saturday July 27, 2013 @11:55PM (#44403881)

    It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

    If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

    And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    • Its not standard practice, its a commonly requested nicety.

      An awful lot of zero day exploits are so bad that people should know about them just as soon as manufacturers in order to defend themselves.

      What's sick is that so many people in our day and age consider their cars, computers and everything else black boxes that should be managed from the outside instead of taking responsibility for them. I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize

      • by RandomFactor (22447) on Sunday July 28, 2013 @02:05AM (#44404325)

        I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize how much of a problem this is so they can take their manufacturer to task.

        This is a false dichotomy. The better answer is both.

        I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.

    • by eth1 (94901)

      Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.

      It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.

      If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.

      And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.

    • by Tom (822)

      If the car industry is anything like the IT industry, it will be a ton of work to even reach someone who understands what the problem is.

      These days, IT has finally learnt, but I still remember times where researchers had a hard time getting their 0-days to the attention of the manufacturer because corporations have a strong tendency to make it very, very hard to identify and contact anyone on the inside who's not in sales.

    • by Z00L00K (682162)

      The big fish already knows how to get around the immobilizers, and the crackheads and joyriders won't care since they aren't willing to put money and effort into getting a device. The mid sector of criminals will now know that it's possible and there will be a demand on ready to use devices - provided by the big guys.

  • My car doesn't have power windows, or keyless entry or even remote start.

    They may be able to impact my cassette player?

    How will I know if I can't read the article?

    • by sinij (911942)

      Relax, you are not vulnerable to automotive theft by virtue of driving rusted Grand Caravan.

      • by iggymanz (596061)

        Guess again, just checked 2012 list of 10 most stolen cars in America (excludes SUV and trucks), 2000 Caravan is #5

    • "cassette player" I heard that 8 track players are in demand again with the over 70s nostalgia crowd...
  • by Animats (122034) on Sunday July 28, 2013 @12:31AM (#44404015) Homepage

    Take a look at this year's Black Hat presentations. [blackhat.com] These are just the ones on vulnerabilities in embedded systems.

    • Compromising Industrial Facilities From 40 Miles Away
    • Energy Fraud and Orchestrated Blackouts: Issues with Wireless Metering Protocols (wM-Bus)
    • Exploiting Network Surveillance Cameras Like a Hollywood Hacker
    • Fact and Fiction: Defending your Medical Devices
    • Hacking, Surveilling, and Deceiving victims on Smart TV
    • Home Invasion v2.0 - Attacking Network-Controlled Hardware
    • Honey, I'm home!! - Hacking Z-Wave Home Automation Systems
    • Implantable Medical Devices: Hacking Humans
    • Let's get physical: Breaking home security systems and bypassing buildings controls
    • Out of Control: Demonstrating SCADA device exploitation
    • The SCADA That Didn't Cry Wolf- Who's Really Attacking Your ICS Devices- Part Deux!
  • It should be standard that you notify the company before releasing the flaw publicly, and it should also be standard that after some waiting period the bug should go public. Well, standard per product ... different products have different release cycles, I could see some wanting 2 months while others want 1 year. But it should be public information, that product X you should notify them first then you're allowed to report the bug publicly after n months. That waiting period should be part of the product

    • by mark-t (151149)

      Why?

      While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.

      It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people

    • by frovingslosh (582462) on Sunday July 28, 2013 @02:10AM (#44404359)
      On the other hand, as these researchers learned, if you notify the company, they can get a court order against you. If you let the cat out of the bag without notifying them them, they can't really stop you. And if you figured it out, there is a good chance that the company knows about it already anyway. They simply don't have any incentive to correct it unless they know that the general public knows about it too.
  • So tell the auto makers then wait 24 hours then tell everyone. Then it's one day.
  • So, we don't need Knight Rider's KITT microlock brakes anymore? Cool. Those were pretty cumbersome 1980s technology to deal with, anyway.

  • by Tom (822) on Sunday July 28, 2013 @02:33AM (#44404449) Homepage Journal

    Yepp, the court fell for the oldest and most blatantely false argument of the full disclosure opponent.

    The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.

    What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.

    What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintainance cycle, but don't count on it.

    The next years will be a great time to be a car thief.

  • by dutchwhizzman (817898) on Sunday July 28, 2013 @04:05AM (#44404783)
    Any car that uses the megamos RFID chip to identify the key, will be vulnerable. To fix this, the manufacturer will have to replace all keys and the receiver and reprogram all computers in the cars infected. VAG here has a problem with most recent Volkswagens, Audis, SEATs, Skodas, Bentleys, Lamborghini's and Porsches. Other manufacturers that rely on this system are probably affected too. Chances that VAG will proactively call back all these vehicles are extremely slim. A temporary injunction serves no purpose, unless VAG can prove without a doubt that they can and will fix this within a very short time frame. Mind you, designing a new system, testing it for security, mass producing it and recalling all cars will probably take well over a year before they can even start recalling and cost tens of billions to implement for VAG.
  • What kind of law would allow a court to do this? I can't find any mention in TFA.

    Also, can we get a copy of the court's decision document?

    • by Kijori (897770)

      I suspect that there won't be an interesting judgment to read. This, from the sound of things, is a temporary injunction before the actual hearing. The companies are presumably claiming that there is some reason for which they are entitled to prevent publication (perhaps they are claiming that the scientists obtained confidential information - we don't know). Whether they win or lose, they are entitled to a hearing; and it would defeat the point of the hearing if the scientists could release the informatio

  • This is the same VW that have failed to diagnose my faulty immobilizer 3 times now, is it? If I knew the exploit then at least I could disable the blasted thing myself and get moving again when it plays up!

    Or maybe I'm being hacked remotely and don't know it...

  • Just publish there, or other anonymous ways that cant be taken down.

    Laws and judgments like this should not be followed as they are anti-freedom.

  • My car has an ingenious anti-theft device. I'm sure most thieves will not be able to overcome it in order to start my car.

    Its a knob labeled "Choke" on the dashboard.

Put no trust in cryptic comments.

Working...