English High Court Bans Publication of 0-Day Threat To Auto Immobilizers 168
An anonymous reader writes "The High Court — England's highest civil court — has temporarily banned the publication of a scientific paper that would reveal the details of a zero day vulnerability in vehicle immobilisers and, crucially, give details of how to crack the system. Motor manufacturers argued that revealing the details of the crack would allow criminals to steal cars. Could this presage the courts getting involved in what gets posted on your local Bugzilla? It certainly means that software giants who dislike security researchers publishing the full facts on vulnerabilities might want to consider a full legal route."
that settles it (Score:5, Insightful)
Re: (Score:2)
Re:that settles it (Score:5, Informative)
Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:
Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.
It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?
Re: (Score:2)
Keeping in mind; temporarily banned. Synopsis from another article by the Guardian:
Is this meant to be a temporary injunction until these auto companies resolve their problem, which seems to be the right thing to do? However, if it isn't temporary and turns out to be kind of permanent because they think these companies will save a lot of money by not having to deal with the problem, then they're deluding themselves. Someone into stealing cars already knows or now knows a solution exists and will soon know the algorithm in one way or another.
It would be nice if the method used to find the solution was eventually made public. Then someone might be able to create a defense to variations on the discovery and prevent this from being applied to other vehicles; a breach that may already exist, if not now, perhaps at a later time?
It can only be temporary. Cat's out of the bag anyway, and while they are banned to publish the details, any "Yep. still there" six months of now would pit owners and insurance companied vs manufacturers, with manufacturers losing for having known, and not acted upon, a problem with their car.
not even until fix, until a full hearing (Score:5, Insightful)
A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues. It's simply a recognition that they can't unpublish the information, so they need to wait until a decision is made before they publish. The same is often done with property disputes such as divorces. A temporary injunction orders both parties not to sell or otherwise dispose of the property until a decision is made as to ownership.
Ps - I don't care for the injunction. I would have preferred that the court hint at whether they think the case has merit, then let the researcher decide whether to release the information immediately, risking a successful suit for damages. The injunction, as a prior restraint on speech, is censorship. Still, it's best not to exaggerate the effect of the or intent of the injunction.
Re: (Score:3)
A temporary injunction is common in many types of cases and in no way indicates the court's opinion on the substantive issues.
Wrong. I was deeply involved in corporate legal stuff for a couple years and I have been in court cases like this. A temporary injunction does not mean the court will decide the same way in the full hearing, true. However, a temporary injunction is only granted if the court believes that the party seeking it has at least a reasonable chance to persist in the full hearing. As such, it does indicate the courts opinion, to some extent. If the court thought you're full of shit, it wouldn't grant the temporary i
Re: (Score:2)
You seem to think the world freezes in place while the court goes through the full hearing. That isn't the case and courts know that. Before issuing a temporary injunction, they will consider a) if the plaintiff has a chance to prevail and b) if he will take irreparable harm if he doesn't get the injunction. Those are the legal standards for a temporary injunction. And yes, they include an opinion. That is why many plaintiffs who get a temporary injunction rejected will also drop the full case.
Re: (Score:2)
How do they fix this? They can put a new firmware in cars easily enough, but the many already on the road have no auto-update capability, and the typical driver isn't even aware their car has firmware. Assuming it's something that can be updated - I wouldn't be surprised if this is handled by a chip that needs to be physically replaced by a garage.
Re: not even until fix, until a full hearing (Score:2)
Re: (Score:2)
Its most likely firmware, and as for the auto update capability, any car new enough to have this feature will have an update capability, because almost every car gets software updates.
Not all are applied, especially after the car is out of warranty, or resold, but most people have these updates applied at their next service. Very few people buy a new car and then never visit the dealership again.
Re: (Score:2)
Keeping in mind; temporarily banned.(...)
It can only be temporary. (...)
Yeah, just like the copyright is temporary... What is it these days, 50 years AFTER the death of the creator? I stopped checking because, for all practical purposes, you can just consider it "forever" and it will work...
Re:that settles it (Score:5, Informative)
The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".
In real life, the powers that be want the guy muzzled.
The lesson learned is to do one of three things if finding an exploit:
1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.
2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.
3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.
Re: (Score:3)
In real life, the powers that be want the guy muzzled.
If the UK they use the courts to block the publication of the paper
In the US they use the CIA to murder the author [reuters.com]
Re: (Score:2)
US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.
US Const Am 16: The Congress shall have power to lay and collect taxes on incomes, from whatever source derived, without apportionment among the several States, and without regard to any census or enumeration.
The constitution is ab
Re: (Score:2)
US Const: I.8.8: To promote the Progress of Science and useful Arts, by securing for limited Times (...)
The constitution is about as non-temporary as you can get.
Care to explain in which way "limited Times" would be synonymous to "non-temporary" rather than to "temporary"?
Re: (Score:2)
The existence of copyright law is meant to be permanent. Copyrights themselves on each particular iten are meant to be of limited duration.
Re: (Score:2)
by securing for limited Times to Authors
Once it surpassed the author's death, the farce could no longer be denied. Fortunately for Congress, they're held to the Constitution in less than 1% of cases.
It's funny how some people still pretend it's the controlling law.
Re: (Score:2)
Copyrights with a theoretical duration of nearly 2 centuries (max human lifespan plus 70 years) is kinda stretching the definition of the word "temporary".
Re: (Score:2)
I agree with you. But GP was saying something about income tax as a temporary measure and that was the context on the copyright post.
Re: (Score:2)
The US income tax was a "temporary" measure. US copyrights are supposed to be "temporary".
In real life, the powers that be want the guy muzzled.
The lesson learned is to do one of three things if finding an exploit:
1: Release it far and wide anonymously. This puts people at risk, but when customers are being attacked, vendors will fix problems. However, this is a career killer, if one is found to do this, perhaps might run them afoul of the law in their area.
2: Release both a warning to the company anonymously, then release the exploit, both anonymously. Again, similar to #1, it can kill a career.
3: Have "escrow agents", and let the vendor know. If they attempt to shoo the problem under the rug, the "anonymous" posters from other countries will ensure it gets out even if the person who found the bug has disappeared.
You seem to use "anonymous" when referring to accessing the internet and publishing something damning as if it were the same magic spell that idiots use when invoking "encryption" with data protection. There are only a few sources that this info could come from (in most cases) to be seen as credible, and only a few places worthwhile to publish it and have effect. What makes you think the author would remain anonymous for very long? Certainly, not long enough for statues of limitation to run out on any legal
Re: (Score:2)
From TFA:
the two other authors Roel Verdult and Baris Ege, both of Radboud University Nijmegen are not in or from the UK so it’s not clear to me how effective the injunction would be against them if they opted to defy it.
So it doesn't follow that just because the paper is released that the enjoined person released it. The injunction does not reach to Germany, nor does it reach to the peers in other countries that may have provided peer review.
The fact that the injunction was issued at all speaks to the judge's lack of knowledge as to who Barbra Streisand is, and why she is germane to this issue.
Re: (Score:2)
Re: (Score:2)
Sigh...
Why is it every report of a vulnerability of a system where any form of encryption is used always brings out some know-nothing speculation about rolling their own encryption? Are you sure you don't want to mention Faraday Cages and Gravity Wells while you are at it?
Immobilizers [wikipedia.org] are in the end, a physical system, which can just as easily be bypassed physically, and probably far easier than breaking its encryption.
Re:that settles it (Score:5, Insightful)
Re:that settles it (Score:5, Insightful)
Ok, so it wouldn't be your local thug on the corner, but there are some criminal groups that pride themselves on using the 'slick' methods.
Re:that settles it (Score:5, Insightful)
Not only that, but to have a claim against insurance when (not if) this blows.
It would certainly not be the first time that an insurance refuses a claim because "this can't happen". You have NO idea how long it took insurances to accept that certain locks can (despite any claims from manufacturers) be picked without damaging the lock. Manufacturer said it can't be, so people who made an insurance claim after being robbed actually had to face charges of insurance fraud.
It is VITAL that not only manufacturers but also insurances get this information!
They never fixed it so far (Score:4, Interesting)
Have a recent BMW? There is a known vulnerability where you can copy an actual key inside the car, using the data in the car's computer and the car's own transponder. BMW has not fixed this and won't fix it. The vulnerability is that BMW relied on being the only source of blank, programmable keys and having all the programming equipment in house. Once someone reversed the key system (the car itself contains unprotected, unencrypted key strings), they found out what electronics to put in the key and made blank keys and software to program them using the keys found in the car's computer. This is a massive problem that was out for probably at least a year before there was enough public attention to the enormous theft of BMWs with that system. I think that the number of BMWs stolen had quadrupled in that period. Right now, since BMW won't fix it, getting a BMW that suffers from this vulnerability is prohibitively expensive to insure, making their second hand value very low. It may be that insurers now require 3rd party alarm systems to be installed or something, I don't know, but the vendor didn't fix it and basically left their customers without a solution.
Right now, there's no indication that VW can and will fix this problem once it gets out. I highly doubt they will recall all vehicles and replace the parts that are vulnerable with a system that has the flaw removed. For all we know, that could cost thousands per vehicle and apply to all VAG cars from the last 10 years. That could be over 100M cars, worst case. Then again, if it'd only apply to a certain model and year and it is an affordable fix, they may actually do it, but I wouldn't count on them fixing anything.
Re: (Score:2)
I solved this problem by buying a 1982 Mercedes. Nobody wants to steal it.
Re:They never fixed it so far (Score:5, Informative)
erm. BMW did fix this, and upgraded the software in my car for free with the fix.
Re: (Score:2)
Note that "in house" actually ment "at every BMW dealership" rather than "only at BMW HQ in Munich". They may well have not made any of the parts of the system th
Re: (Score:2)
Moron. It's a feature. Bmw is the only that you can get a blank from the dealer from less than $30 and program it following instructions from the users manual.
Re:They never fixed it so far (Score:4, Informative)
Misinformation abounds...
This. Problem. WAS. fixed. Through a recall, and an update during routine service.
Disclosure: I work for BMW UK. The storm we had following watchdog didnt help.
Re: (Score:2)
I am sure that loss of one sale will hurt them really bad.
Re: (Score:2)
This is for the immobiliser, not the door locks, so you don't need to dabble in the delicate electronics of the engine control or fiddley RF line. Just put your relay in the cable that powers the solonoid coil for the starter (Do cars still use those, or have they gone solid-state now? Same idea) or power line to the ignition.
Re: (Score:2)
Immobilizers http://en.wikipedia.org/wiki/Immobiliser [wikipedia.org] interrupt two different circuits, typically fuel pumps and low-voltage supply.
So two small jumper clips bypasses the entire system if you know where to put them, and have physical access to the vehicle.
Re:that settles it (Score:5, Insightful)
It sure is a good thing that England controls the entire Internet
Not just the Internet - this action is curious because of jurisdiction. USENIX is in Washington, DC in a few weeks. Volkswagen is German. One of the authors is in the UK, but the other two are in the Netherlands.
So, the action must be specifically targeting this one author. Weird - it's an accepted paper and the other two authors were obviously planning to present. I guess they won't be going through Heathrow.
Re:that settles it (Score:5, Interesting)
Now here's a thought.
Many conferences have you submit at least a rough draft of your slides/paper early in the process. So, it's already been distributed to at least a few people. I wonder what the ramifications would be for the other authors to present anyways. Or if the conference CDs will contain the slide regardless.
Re: (Score:2)
I guess they won't be going through Heathrow.
The US is hardly a safe haven [infotoday.com].. I believe a place like Iceland would be the safest for these kinds of gatherings..
I understand there's also a nice hotel in the "flight side" of Moscow airport
Re: (Score:2)
The UK, Germany and the Netherlands are all in the EU.
so what? now, which country does censorship of trivial things like if some footballer had been fucking some girl/dude/whatever? the UK.
UK is of these countries one that pretends you can use courts to decide what people can speak about if they happen to know.
"Reasonable time" (Score:2)
Re: (Score:3, Funny)
It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.
Yeah, next thing you know they'll be banning porn!
Re: (Score:3)
It sure is a good thing that England controls the entire Internet and that no one anywhere will be able to publish this information now.
I think this is the real reason behind Cameron's porn block [bbc.co.uk]. He starts off talking about porn but then when discussing details its suddenly about "illegal content". I'm pretty sure this will include things that the courts (and government departments) decide we shouldn't here
Re: that settles it (Score:2)
And I'm not even sure about that one...
Security through obscurity? (Score:3)
Re:Security through obscurity? (Score:5, Insightful)
Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.
For example - let's say I keep a backup key to my house buried somewhere in the yard or in a flowerpot ( there are many flowerpots and I chose one at random). While this is not as secure as not having the backup key, it is more secure than placing a sign indicating where the key is.
Same thing here - while the system is not as as it would have been if the vulnerability did not exist, if the exploit was published, then everyone would know how to hack it, even those who would not be able to come up with the hack on their own.
My car is too old to have a computer in it, but I use an aftermarket security "system" - I have to push a button (the button is visible and usually has another function) before I try to start the engine or it would crank, but not start. Now this would not be a problem for a competent thief - he would figure out how to circumvent this, it's not that difficult. However, some drug addict or a drunk teenager may just conclude that the car is broken and steal some other car instead.
Re: (Score:2)
A false sense of security can be worse than just having the exploit exposed.
While obscurity will prevent widespread exploits for a while, there are other benefits: I want to be able to assess the risk myself, know how vulnerable my car is, and possibly upgrade the system if I decide it's inadequate.
Re: (Score:2)
Indeed. A false sense of security increases the risk, as then people will implement less risk-mitigation measures.
Re: (Score:2)
Security through obscurity does work, not very effectively, but it does. Or at least, the obscure system is more secure than the same system that is open.
I do not agree, and the whole crypto research community and secure software community does not agree either. What you forget is that this is not about physical goods, but software and algorithms. Once created, the product will be made into countless identical copies at basically zero cost per copy. Break one, and you have broken them all. The attack can be copied just as easily.
Your view has been discredited a long time ago. But there are a lot of idiots around that ignore history and established facts and
Re: (Score:2)
So, if the exploit was published, the cars would be more secure than now? I mean before the manufacturers could release a patch and all affected car owners install it.
Yes, if the car manufacturers published the details (schematics and source code) for the system when they created it, someone would have found this vulnerability sooner and (hopefully) would have informed the car manufacturers who then would be able to patch it hopefully before it was installed in a lot of cars.
Publishing the exploit would onl
Re: (Score:2)
It goes the other way round: If the exploit is not published, the security level will eventually sink very low for a very long time. If it is publishes, it is very low for a short time. But that is not the main effect. If the vulnerability is published, future car designs will be made more secure and manufacturers will actually listen to people finding vulnerabilities and be able and willing to do something about the problems.
Looking as a single incident and then at an isolated part of its future is _not_ a
Re: (Score:2)
The fundamental problem is that cars are kind of like American Android phones... consumers are mostly powerless to do *anything* to fix vulnerabilities, and carriers won't do anything they aren't forced to do by law. And the law itself is only slightly less castrated and toothless than consumers.
If a car suddenly becomes something you can't safely use (or at least leave unattended in a non-secure location), there's no meaningful immediate recourse for consumers, and that's a real problem with real consequen
Re: (Score:2)
Actually security through unique obscurity does work although not very efficiently on its own. This is actually used all the time in the form of hiding the internal structure of a local network for instance. This adds a level of difficulty to any attempt at penetrating as the attackers needs to find out the structure and the components and thus the possible attack vectors. If you for instance need a server to contact your evil server, messing with nameservers are a good idea, but then you need to either mod
Re: (Score:2)
You model is flawed. True, if that were a single, not important network and the structure were significantly different from other such networks, a temporary positive effect would be observable. But that is not the case. What happens instead is that the attackers adapt and build network mapper tools. They are quire advanced by now, just have a look into the literature. And then things get worse as they would have been without the obscurity: Attackers can easily get all the information they want, while people
Re: (Score:2)
Well, I can't say that I speak for the entire crypto and security community, but I do work in the field and I have thought about this a bit.
"No security by obscurity" isn't meant to inform how we approach the entire process of vulnerability disclosure. It just makes the point that relying on obscurity for security will give you no real security. This is what we need people owning, building and maintaining things with security requirements to understand.
When thousands or millions of fielded products are al
Re: (Score:2)
Sorry, replying to my own post, but I forgot to make the point I wanted to!
Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.
It might confer no actual security, but taking the obscurity away straight away will definitely make no-one safer. The possibility exists that some people will be protected by the obscurity, at least in the short term. It just can't be relied upon.
Re: (Score:2)
Obscurity definitely doesn't give you real security. But if all you have is obscurity, then it is better to have that than nothing.
I strongly disagree. The problem is that incompetent people (management) routinely misunderstands this and expect that obscurity does give them real and strong security, and hence neglect to implement measures that actually work as they are "not needed" and the expenses can be saved (and funneled into bonuses, for example, or better "performance" numbers). Hence security by obscurity makes you significantly less secure in a very real sense in the typical case. The other thing is that obscurity is _very_ eas
Re: (Score:2)
I think we're actually in violent agreement. I completely agree that obscurity doesn't give you any real security, and yes people need to understand this.
But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.
If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some
Re: (Score:2)
But in the specific situation where something in widespread use turns out to have a security flaw, then disclosing the vulnerability until there has been a reasonable amount of time for a fix to be prepared doesn't make anyone safer.
If you agree with that, then you are also acknowleging that the obscurity may be providing very temporary security for some people. If you don't agree with that, then you seem to be saying that revealing vulnerablities immediately before a fix can be prepared does not weaken anyone's security...?
The problem here is the "reasonable mount of time". Many industry players take that to mean "forever" or "until the next major release or the one after that", and that is just not acceptable in most cases. The thing is that using unsuitable values for "reasonable amount of time" does establish precedent, and any time somebody goes along with such an unsuitable value makes _everything_ that is subject to security flaws less secure. This is about setting standards.
That said, if a vendor truly has problems fix
Re: (Score:2)
If the manufacturers are rational, you are certainly right, and the whole "responsible disclosure" school of thought agrees. The problem is that many people practicing responsible disclosure run into manufacturers that do absolutely nothing in their grace period except preparing to suppress the information. After having been subjected to that or having observed it, it becomes obvious that responsible disclosure does not work with a large part of the industry. As a result, people that want to disclose observ
Re: (Score:2)
It does work and does help out quite a bit...
If you take 2 products that does the same thing. The product-lifetime is ~3 years and new firmware is required every 3 months for it to continue working.
Product 1 have security features X,Y,Z and use obfuscation to make it extremely hard to actually do reverse-engineering on.
Product 2 have security features X,Y,Z.
(X,Y,Z is the same code implemented on both products)
What product do you think will be first to be attacked? If you make the reverse-engineering for the
Re: (Score:2)
It was a stillborn, but be honest, is that the first time people ride dead horses?
Re: (Score:3)
I taught this one died 10 years ago...
For whatever reason (whether it be power/gate constraints or sheer laziness) the state of 'security' in low power RF security systems (automotive keyless entry, MIFARE and friends payment and access control fobs, etc.) is maybe 10 years behind the (atrocious) state of security in general purpose software. On a good day.
Re: (Score:2)
I taught this one died 10 years ago...
It did a lot earlier than that...to anybody that is halfway competent in the area of IT security. These people have just exposed themselves as grossly incompetent and utterly greedy. Just like a lot of other manufacturing industries, they just want to go on selling their defective products for a few more years before they do anything about it which could cause them some reduction in profits.
Re: (Score:2)
Only if it's the only means of security you have.
If you already have reasonable security measures adding a layer of obscurity can make life a lot simpler.
For example, let's say you have a web application that's properly secured and only for internal use, but available externally because people need access to it. Would you put it on port 80? Or if you can, put it on another port, say 8181? People who need to use it know about it, and even if it's found accidentally, it s
Bottle - Genie? (Score:2)
So how is anyone, courts included, meant to unpublish something? Unless a security researcher is saying "in X days I'll release the details on vulnerability Y" how would you even know to get a court injunction against said person? Once the cat is out of the bag, that's it.
Of course, I can then see the "logical" progression that all vulnerability disclosure must be outlawed - think of the children!
Re: (Score:2)
So how is anyone, courts included, meant to unpublish something?
It's happened already.
Today I had a chance to read about zero day vulnerability in vehicles but passed on the article cause I've read it already. or similiar (BlueTooth). A link from a site that has handles current headline news. It's been removed from that site and the sites history.
Google has this but it links to a 404,
Full Hacker News - Svay ..... of a
svay.com/projects/FullHackerNews/?l=linux-kernel&m...q=raw?
18 hours ago - You can't manage this competition while sipping margaritas all day from your
Re: (Score:3)
If you follow the phrase "Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" you get:
That link I didn't post, it comes with the copy and paste kinda neat, kinda freaky. A self writing copy and paste so I don't get it wrong.
Enamored so by the self writing javascript I posted the wrong address
https://www.usenix.org/conference/usenixsecurity13/session/attacks [usenix.org] and what this ruling blocks.
Re: (Score:2)
Simple: "The law" has only a remote connection to reality, but it does ignore that fact consistently.They are doing significant damage here, as in the future, things like this will just get published anonymously.
ridiculous (Score:2)
Re: (Score:3)
What is now going public has been a known method for a while by criminals. There are already vehicle thefts going on of vehicles in the luxury segment in central/western Europe, and the vehicles finds their way to eastern Europe.
What immobilizers do are to deter joyriders and crackheads from stealing cars. The professionals already know how.
And knowing it can be done will just trigger the demand for cheap cracking devices for the mid group of thieves that steals cars for parting out.
How long have they known? (Score:5, Interesting)
It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.
If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.
And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.
Re: (Score:2)
Its not standard practice, its a commonly requested nicety.
An awful lot of zero day exploits are so bad that people should know about them just as soon as manufacturers in order to defend themselves.
What's sick is that so many people in our day and age consider their cars, computers and everything else black boxes that should be managed from the outside instead of taking responsibility for them. I don't want auto manufacturers to fix the problem and distribute it slowly to people, I want people to realize
Re:How long have they known? (Score:4, Interesting)
This is a false dichotomy. The better answer is both.
I would prefer the manufacturer both distribute a fix and that vulnerability and mitigation information be made available openly and quickly to those who can benefit from it.
Re: (Score:3)
Actually, I would think the courts taking this route would simply encourage researchers to publish first, ask questions later, rather than risk being gagged.
It's standard practice, when publishing about security flaws, to alert the producer of the products affected before doing so openly, only publishing when a) the hole is patched, or b) if they are ignoring the issue and refusing (or at least taking too long) to fix it.
If they have not given the manufacturer a reasonable amount of time to fix the problem, I can understand why they're being censored - it's unnecessarily dangerous. However, if this is simply the manufacturer trying even harder to pretend the problem doesn't exist, I would of course object strenuously, and support publishing the hole because that will not only force them to get a fix out ASAP, but will punish them for taking so long.
And, while TFA doesn't say either way on the issue, I would expect the latter, not the former.
Re: (Score:2)
If the car industry is anything like the IT industry, it will be a ton of work to even reach someone who understands what the problem is.
These days, IT has finally learnt, but I still remember times where researchers had a hard time getting their 0-days to the attention of the manufacturer because corporations have a strong tendency to make it very, very hard to identify and contact anyone on the inside who's not in sales.
Re: (Score:2)
The big fish already knows how to get around the immobilizers, and the crackheads and joyriders won't care since they aren't willing to put money and effort into getting a device. The mid sector of criminals will now know that it's possible and there will be a demand on ready to use devices - provided by the big guys.
But am I vulnerable? (Score:2)
My car doesn't have power windows, or keyless entry or even remote start.
They may be able to impact my cassette player?
How will I know if I can't read the article?
Re: (Score:2)
Relax, you are not vulnerable to automotive theft by virtue of driving rusted Grand Caravan.
Re: (Score:2)
Guess again, just checked 2012 list of 10 most stolen cars in America (excludes SUV and trucks), 2000 Caravan is #5
Re: (Score:3)
That's nothing compared to Black Hat (Score:5, Interesting)
Take a look at this year's Black Hat presentations. [blackhat.com] These are just the ones on vulnerabilities in embedded systems.
this should be standard (Score:2)
It should be standard that you notify the company before releasing the flaw publicly, and it should also be standard that after some waiting period the bug should go public. Well, standard per product ... different products have different release cycles, I could see some wanting 2 months while others want 1 year. But it should be public information, that product X you should notify them first then you're allowed to report the bug publicly after n months. That waiting period should be part of the product
Re: (Score:3)
Why?
While it's certainly true that publishing an exploit does increase awareness among criminals on how to go about breaking the law, it also increases awareness among people who might be better in a position to try to mitigate how the exploit will affect them.
It also damn well puts a fire under the asses of people who need to get a fix out as quickly as possible... letting them dilly-dally around while they figure out just how high priority they need to treat the situation just leaves a lot of people
Re:this should be standard (Score:5, Insightful)
okay... (Score:2)
So, we don't need Knight Rider's KITT microlock? (Score:2)
So, we don't need Knight Rider's KITT microlock brakes anymore? Cool. Those were pretty cumbersome 1980s technology to deal with, anyway.
stupidity won again (Score:5, Insightful)
Yepp, the court fell for the oldest and most blatantely false argument of the full disclosure opponent.
The court assumes that bad guys don't already have this knowledge. From decades of experience in IT security we can conclude with near certainty that they do. What this provides is limited, short-term protection against those would-be thieves who don't, yet. Also, a false sense of security.
What would've happened if this had been published: The public would know, car manufacturers would (have to) scramble for a fix.
What will happen now: Nothing. The next model will be fixed, your current one will maybe get an update at the next maintainance cycle, but don't count on it.
The next years will be a great time to be a car thief.
Megamos RFID cracked (Score:3)
Which law? (Score:2)
What kind of law would allow a court to do this? I can't find any mention in TFA.
Also, can we get a copy of the court's decision document?
Re: (Score:2)
I suspect that there won't be an interesting judgment to read. This, from the sound of things, is a temporary injunction before the actual hearing. The companies are presumably claiming that there is some reason for which they are entitled to prevent publication (perhaps they are claiming that the scientists obtained confidential information - we don't know). Whether they win or lose, they are entitled to a hearing; and it would defeat the point of the hearing if the scientists could release the informatio
Ineptitude as well (Score:2)
This is the same VW that have failed to diagnose my faulty immobilizer 3 times now, is it? If I knew the exploit then at least I could disable the blasted thing myself and get moving again when it plays up!
Or maybe I'm being hacked remotely and don't know it...
FreeNet (Score:2)
Just publish there, or other anonymous ways that cant be taken down.
Laws and judgments like this should not be followed as they are anti-freedom.
Anti theft device (Score:2)
My car has an ingenious anti-theft device. I'm sure most thieves will not be able to overcome it in order to start my car.
Its a knob labeled "Choke" on the dashboard.
Re: (Score:2)
Yeah, that's just a percentage I made up, but it has definitely been shown that as long as someone knows it's possible, because someone else did it, it will be repeated, and often in only a fraction of the time and other resources it took for the first one to achieve it, even if the details are kept top secret.
Re: (Score:2)
Now that post is straying dangerously close to the concept of morphic resonance [wikipedia.org].
Re: (Score:2)
Re: (Score:2, Insightful)
Seriously, how do people this stupid become judges?
Seriously, how do people this stupid manage to find their way to /. to post a reply on a matter of which they have no understanding.
The Court imposed a temporary injunction presumably to either allow Volkswagen to address the security issue or allow Volkswagen to present its case for a permanent injunction or more likely to request sufficient time to correct the issue before the research paper is published. The judges acted in accordance with UK jurisprudence.
Re: (Score:2)
Seriously, how do people this stupid become judges?
That is by design. Judges are people tasked to interpret the law like it would apply to reality. It quite obviously does not in most instances, and hence judges have to be inherently stupid. Those that are not become lawyers (what they do is stupid, but at least they get rich), or never go into the study of law in the first place.
Re: (Score:3)
Do not announce !! SPiLL !! SPiLL !! SPiLL !!
Muw haha haha !!
It sounds harsh, but this whole injunction and others like it are why so many people are against responsible disclosure. If you put it on the internet, then by the time someone could issue an injunction it's too late.
Expect to see this leaked/rediscovered, and then the court to blame the researcher.
Re: (Score:2)