Scientists Banned from Revealing Details of Car-Security Hack

The UK has banned researchers from revealing details of security vulnerabilities in car locks. In 2008, Philips brought a similar suit against researchers who broke the Mifare chip. That time, they lost. This time, Volkswagen sued and won.

This is bad news for security researchers. (Remember back in 2001 when security researcher Ed Felten sued the RIAA in the US to be able to publish his research results?) We’re not going to improve security unless we’re allowed to publish our results. And we can’t start suppressing scientific results, just because a big corporation doesn’t like what it does to their reputation.

EDITED TO ADD (8/14): Here’s the ruling.

Posted on August 1, 2013 at 6:37 AM

Comments

Joe August 1, 2013 7:12 AM

There’s two types of security: one is the type that strives to be hypocritical just to flaunt it, and the other strives to provide security. The former is basic tyranny and extremely common. This ruling is an example of the former.

What is the oh so difficult math here?

The internet is anonymous. The NSA with all their great surveillance powers can’t make it otherwise. When some woman gets beat up in China by the cops, and someone videotapes this with their phone, they can put that online for the world to see and condemn.

People have been reversing locks since locks have been around. They can just as well post that information for the world to see, sell it on the underground, or use it without having to solicit the opinions of tyrants.

And this, they will do.

It is, after all, very expensive for Volkswagen to actually have to order all those faulty lock systems fixed.

Trying to cover up seems a much better idea to that sort of person.

Vadim Lebedev August 1, 2013 7:35 AM

Maybe security researchers need to publish their results immediately upon conclusion of research and not wait for special occasions.
If anything this ruling will disincentivize the practice of “Responsible disclosure”, when the researcher first contacts the manufacturer with his results and gives him time to fix the vulnerabilities before going public…

Arran Stewart August 1, 2013 7:39 AM

I think saying that “the UK” banned anything gives a misleading impression – the UK government was not involved in this particular lawsuit – but it’s an understandable mistake, as the media reports on the story have been pretty poorly written.

This was a private suit by Volkswagen and Thales against the researchers, and the claim was based on breach of confidentiality law. VW and Thales argued that Garcia and his colleagues obtained details of their cryptosystem under circumstances where they ought to have known it was confidential – and under British law, this can be enough for them to be bound to confidentiality as well.

Further details here for those that are interested:

Mike B August 1, 2013 7:46 AM

One would think if anyone could leak something without consequence it would be security researchers. As long as security researchers continue to put their own face above the science they will be vulnerable to these sorts of legal interventions. Get the information out first then claim credit later.

Eric Riley August 1, 2013 7:52 AM

“And we can’t start suppressing scientific results, just because a big corporation doesn’t like what it does to their reputation.”

You’ve evidently forgotten who’s in charge nowadays…

Jan August 1, 2013 7:56 AM

It is interesting to note that two of the researchers who did the hacking of the car security system also participated in the Mifare chip hack.

Dystopian August 1, 2013 8:09 AM

They have no plans on fixing this and are trying to bury it to prevent a fleet recall. Disturbingly, on that same page was a call by the UK government to demand smartphones with a killswitch backdoor to prevent “theft”. More like the ability to mass kill phones during social unrest.

andyinsdca August 1, 2013 9:48 AM

So, the UK banned publication. What if it gets published, say on a Chinese website? Icelandic? Russian? It’s cute how companies (and countries) think their word matters anymore.

Nick P August 1, 2013 10:19 AM

@ Bruce

I keep thinking that, in these cases, the people with the research should let themselves get “hacked.” Coordinate anonymously with some black[er] hats. They’re storing the papers in one of the online backup services. They accidentally configure it wrong or use their maiden name in a password question (who knew!?). Black hats grab the docs, publish them, and claim credit for the “hack.”

Total plausible deniability for the authors if set up right.

Spaceman Spiff August 1, 2013 10:25 AM

Obviously the judge(s) in this case have no clue how the internet works… Sigh!

Joe August 1, 2013 10:34 AM

@Arran

If this was a case where the researchers had a NDA with the vendor, then this would be unethical and the results should be confined by a court of law. (This has happened before, several times, and this is bad, again, obviously.)

This is kind of case where the company is just trying to get what it can, because it can, even though it ultimately hurts the further reaching interests of the company. Just typical unthinking behavior.

Again, bad behavior, obviously.

Not the kind of law that is made to last, and while maybe someone out there is trumpeting this as a wise thing, the folly of it will inevitably be proven to everyone — and very trivial to think out, if anyone bothered to. (Or had the capability to, which all evidence says, “They do not”. Pretty shameful. Which is why this is being regaled around the internet.)

Species5618 August 1, 2013 10:39 AM

I know picking a fight with the high court (or a company with a LOAD of money to build legal teams) can be dangerous, but how can they enforce a ban on such information?

Yes this researcher is British based, but now the fact a vulnerability exists is known, it won't be long before some parallel research in a different country or by an organisation who would ignore the courts gets it into the wild,

and that is assuming the work has not been proof read by someone outside the UK.

Joe August 1, 2013 10:53 AM

on some responses:

Volkswagen has zero protection here. They can simply anonymously release the details. There does not have to be any trickery. Then they could say, “That was what we were going to present on”.

They may have people who have solicited them for their bugs already. These may be governments or criminals. They may want to hire their services or the information directly. Again, Volkswagen can do nothing about it.

If the researchers are just really the sort that want to see companies fix flaws (this is a real motive for researchers), then they might just anonymously release the details and in as “easy to understand” a format as possible so it can be replicated.

Why might researchers do this?

It forces security to get done when things will not get done. It works. And it is satisfying to kick over big, evil dogs righteously.

People have been doing this for decades on all sorts of security issues: including where “security” means public health and physical safety. [Think of everything from seat belts to ‘cigarettes are dangerous’.]

It is so much easier to do this with software, by exposure on the internet.

Basically the only way to force these big dogs to do what is right and fix the problem.

Calum August 1, 2013 10:59 AM

It is worth making the point that this is an interim injunction only: the intent is that if harm is occurring then it is stopped immediately rather than allowed to continue until a trial is resolved.

Fraibert August 1, 2013 11:07 AM

@Arran Stewart:
The UK courts are part of that nation’s government.

In recognition of this reality, I do not think a US court would issue the same injunction because the Constitution governs the powers of the courts and the injunction is a prior restraint in violation of the First Amendment.

Mailman August 1, 2013 11:26 AM

This court decision is excellent news. It ensures that the vulnerability will not only leak to the public, it will get noticed and reported by the media.

Alex August 1, 2013 12:14 PM

@Bruce

I think that your headline, tweet and commentary are seriously misleading. A judicial process has issued a temporary injunction concerning the release of what may or may not be misappropriated trade secrets. The UK government is not party to the case and the courts operate independently of government. I highly doubt that if a US federal court provided temporary injunctive relief in a trade secret case here (and there is plenty of case law to show they regularly do) you would state that ‘the US has banned’ anything.

Now the rights or wrongs of the temporary injunction (and any subsequent court decision) is a reasonable discussion, but it doesn’t need the hyperbole you’ve attached by suggesting state control.

Tony August 1, 2013 12:14 PM

What if a car company wants to do this right … can they find some security company to design a car locking system that won’t be hacked for the lifetime of that car (say 10-20 years)? Would such a company be willing to assume liability for a recall if somebody did hack the system? How much would such a design and indemnity cost?

Matthias Urlichs August 1, 2013 12:20 PM

The Guardian story does note that the publication block applies not to the hack itself, but to the specific secret numbers which have been recovered from that system.

“Volkswagen had asked the scientists to publish a redacted version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the codes, but they declined.”

IMHO that request is reasonable. The scientific merit of their discovery is in no way diminished by withholding the actual codes. Just like how one doesn’t list specific passwords when reporting how one hacked into a website.

John Doe August 1, 2013 12:35 PM

Full disclosure creates a lot of up front pain for defenders, but ultimately responsible disclosure leaves our systems open to abuse for months to years after a flaw is discovered.

Complain as much as you want but responsible disclosure is only enabling the vendors to think that silencing the researcher is more effective than addressing the root cause.

sparkygsx August 1, 2013 1:18 PM

Since two of the researchers are Dutch, and it would seem likely the UK court doesn’t have jurisdiction over them, they could still publish the results. VW could try suing the researchers in a Dutch court, but they previously denied a very similar claim about the MiFare hack.

Although I must say I’d agree that publishing the actual keys is irresponsible and largely unnecessary.

Martin Walsh August 1, 2013 2:40 PM

“I demand openness”
“I demand you tell me everything”
“The people deserve to know”
“Secrets are bad”
“You have no right to keep this information to yourself…it must be made public!”

….. unless it’s my shit.

Somebody August 1, 2013 3:44 PM

Two countries divided by a common language:

UK government = US administration

As far as I know UK English does not have a term equivalent to the way government is used in the US, as a collective for all three branches (Judiciary, Executive and Legislature). This is a security feature of UK English. Because you cannot name them collectively, those in power can deflect criticism by saying it’s not me, it’s the other guy.

nobodyspecial August 1, 2013 4:05 PM

@sparkygsx – it doesn’t work like that.
If VW can show any damage in the UK they can sue in the UK.
That’s how libel tourism works: you prove a single person in the UK read the tweet and you can take advantage of the UK’s very plaintiff-friendly libel laws.

Clive Robinson August 1, 2013 4:37 PM

For all those who are saying it’s a temporary injunction etc. you need to be a bit careful.

The UK has a whole range of injunctions including “super injunctions” which as far as some UK Judges are concerned have “global applicability”. Further in the UK the courts involved with issuing the injunctions have a recent but very significant trend of taking as read anything the entity applying for the injunction says as factual –even when no evidence is presented– and making impossible to clear hurdles for those against whom the injunction is directed. Worse if the injunction is breached by another person the court almost automatically assumes that the person against whom the injunction has been taken is guilty, and they have the almost impossible task of proving that they were not complicit in the breach.

It is “not for nothing” that despots, tyrants, and most other “mafia style” hoodlums, human rights abusers, purveyors of quack medicines etc. and those most would consider evil, who wish to portray social acceptance, come flocking to the UK to get injunctions and other civil remedies as effective gagging methods against those who seek to reveal the true nature of these undesirables.

Unfortunately as I’ve indicated before the likes of the Met Police have been caught out giving/selling information on private individuals to the likes of major corporations, such that injunctions can be obtained against otherwise peaceful persons who might wish to exercise their otherwise quite lawful right to protest. The Met Police and Politicos excuse this unlawful passing of information on individuals as “a matter of National Security” which can not be questioned by the individuals and the courts just nod it through…

Clive Robinson August 1, 2013 5:00 PM

Aside from the political / legal aspects of this gagging order there is an entirely separate technical issue.

Basically these locks are “embedded systems” and as has been noted by @Tony could easily have a very long “in the field” time of getting on for a quarter to half a century (as can be seen with “Classic Cars” such as the E-Type Jag).

Crypto, especially “security by obscurity” algorithms, doesn’t have a very good life expectancy (maybe five years). Even DES had a shorter life than many “junker cars” to be found commonly on US and other Western Nation streets.

Thus it could be simply argued that all such electronic locks should be designed for easy in the field upgrades, where broken algorithms and protocols etc. can be quickly and conveniently replaced.

But… and it’s a big but, the manufacturers need to design this easy upgrade ability in from day zero, otherwise they will face recall/replace costs in the several hundred dollar per vehicle cost range. Currently the manufacturers appear to have gone for the “race to the bottom” “minimise cost” approach which does not allow for easy upgrades.

Thus the manufacturers, with their very short sighted near term cost reduction thinking, are making a very large and costly rod for their own backs which at some point in the near future is going to cause them significant pain.

Oh and as I’ve indicated on a number of previous occasions it’s not just the likes of luxury goods, but everyday essentials such as medical implants and smart meters that suffer from this issue.

Steve August 1, 2013 8:49 PM

Even with good faith on both parts surely it’s inevitable that sometimes a security researcher and the vendor of a flawed system will have different ideas what constitutes responsible or acceptable disclosure, and might call on a court to decide the matter.

Yes, if there’s a problem with my car’s lock I want to know about it, but I don’t necessarily want world+dog to know how to steal my car, tomorrow. Likewise even if VW are willing to fix the problem (I have no idea whether they are or not), they weren’t necessarily able to get them all fixed by Black Hat.

So, even if VW were good guys they might call on a court to delay publication. Unfortunately once a dispute happens, both sides will call on whatever law they think might pertain, in this case a purported confidentiality. So even initial good faith tends to become no-holds-barred bad faith once in court.

Whenever a court rules against the researcher (at least temporarily), then sure, the court has banned something. That’s what courts do: they aren’t there so that everyone can do exactly what they would have done had the court not existed.

Perhaps the moral here is that security researchers cannot do their jobs if they sign NDAs (or otherwise fall under duties of confidentiality — I don’t know the details of how this particular trap was sprung).

Note that (unlike with US military classification of information), English courts usually do not grant or prolong injunctions which are ineffective. So if the information is published anonymously, then the court is very likely to lift the injunction. And if that leak could be attributed to the researchers, then they might find themselves financially liable for the consequences (i.e. bankrupt). So while they can of course get the information out by that route, I’d imagine their lawyers will advise them not to.

Or then again, the researchers might win the case and be free to publish in due course.

If we believe in confidentiality, ever, then we have to accept sometimes it will delay or prevent the publishing of something interesting. If we don’t believe in confidentiality, ever, then we don’t have the right to tell people things in confidence, or to accept confidences from others. Perhaps security researchers should walk around with a neon sign saying, “no, I cannot keep a freaking secret, if you don’t like that then don’t speak to me”.

A Nonny Bunny August 2, 2013 12:34 AM

@Alex
“The UK government is not party to the case and the courts operate independently of government.”

Ever heard of the concept of trias politica? The three branches of government: legislature, executive, judiciary.
As was said before, the courts are part of the government, the judiciary part. They may operate independently of the other two parts (as ought to be true of each branch), but that doesn’t mean they’re not part of government.

JeffH August 2, 2013 3:16 AM

From what I’ve read, it sounds like VW argued the information is confidential i.e. ‘you hacked stuff you weren’t supposed to’ because the researchers downloaded the information from an anonymous source on the internet (VW believed the information to be securely held within the company), and the judge ruled that to release the information would enable greater car crime.

In other words, you’re damned if you do and damned if you don’t. If you obtain the chip info legitimately under NDA, the company has full rights to prevent disclosure. If you just obtain the stuff in the public domain, whether or not it was supposed to be there, the company argues you didn’t have rights to access it.

To be precise on the whole ‘court separation of powers’ thing, UK courts cannot overturn primary legislation passed by Parliament (Acts of Parliament). They can rule on or overturn matters of secondary legislation, that is decisions reached by government based on powers granted by Acts of Parliament. This is why Acts of Parliament, especially badly worded ones, are a very big deal. In matters of criminal law, the Crown prosecutes. In matters of civil law (which this appears to be) the Crown is instructed to take no sides & apply the principles of civil law to the case.

In this particular case, the judge appears to have believed that releasing vulnerability information aids crime when the company in question has already clearly failed to handle the security of their software, because it turned up on the Internet. Sigh.

Vinzent August 2, 2013 4:15 AM

@Matthias Urlichs: Your comparison with releasing actual passwords is flawed: Unless there’s a built-in master key, there are no “codes” which could be published apart from the algorithm itself (which should have been open in the first place). After all those years one would think that at least the bigger companies get the idea that cooking your own “unbreakable” algorithm and then ensuring its security properties first by secrecy and then by law usually doesn’t work out so well.

And well, considering that – even according to VW – the hack would “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car”, a working attack is probably not that easy to accomplish. Certainly not as easy as using some “codes”.

So, no, I don’t think it’s a “reasonable” decision.

Tim#3 August 2, 2013 5:41 AM

VW do have a history of this approach of hiding problems instead of fixing them. On their van range, for one long term persistent problem (search LT35 2.8 cutting out) they have spent far more time and effort in denying it than they could have spent fixing it.

I won’t buy VW again. A company’s quality is not just measured by its outputs, but also by how it responds to its errors. I had an issue with some new HP servers, their fault resolution process was fantastic & gave me total confidence to buy from them again.

Vinzent August 2, 2013 6:01 AM

@Mike: Thanks for the link. This confirms my suspicion that those so called “codes” are not actually keys (as some people liked to interpret it), but indeed the (flawed) algorithm.

Z.Lozinski August 2, 2013 6:13 AM

The UK Office for National Statistics reports that between 1995 and 2011/12 vehicle crime has dropped from 20 per 100 households to 5 per 100 households. (They defined vehicle crime as stealing the car, or from the car).

http://www.ons.gov.uk/ons/rel/crime-stats/crime-statistics/focus-on-property-crime–2011-12/sty-property-crime.html

This seems to be because modern locks, immobilisers and alarms have made the low-skill crime of hot-wiring essentially impossible. Joy-riding in the UK (taking and driving away) has ceased.

Of course, there are smart bad guys and they have figured out you need to attack the technology. This has been going on since at least 2004 and the major manufacturers must be aware of the problem. (Juergen Schrempp, Daimler Chrysler CEO had a brand new, new model Mercedes S600 Guard stolen from outside a restaurant in Stuttgart on 26 Oct 2004).

http://www.bloomberg.com/apps/news?pid=newsarchive&sid=aRaEXeRubjHc

There is also the Radko Souček case from Czech Republic in 2005/6. He was arrested with a laptop containing the unlock codes for a large number of cars. There is a nice summary here:

http://gizmodo.com/481630557

Original news article on Souček’s arrest from The Prague Post:

http://www.praguepost.com/archivescontent/1529-car-thief-brags-of-prolific-success.html

There was an article on the UK Daily Telegraph’s web site yesterday, saying that thefts of cars in the UK are now predominantly (9/10) high-end German cars (BMW and Mercedes). No hard statistics quoted, though. It makes sense if you consider the crime from a purely business sense, as you want to maximise the profit/theft.

So, it seems that the risk from high tech thieves has been clear since 2004/5. What isn’t clear is how well the manufacturers have understood or responded to the threat.

A question for this audience: how should a manufacturer respond to this new threat model?

Joe August 2, 2013 7:39 AM

John Doe, etc
Full disclosure creates a lot of up front pain for defenders, but ultimately responsible disclosure leaves our systems open to abuse for months to years after a flaw is discovered.
Complain as much as you want but responsible disclosure is only enabling the vendors to think that silencing the researcher is more effective than addressing the root cause.

Not entirely sure what you are saying; you seem to be saying “defender” is the vendor in whose software security bugs are found, and that this is a different person than one who finds software security bugs.

How, exactly is that?

After all, shouldn’t the main defender be the ones who work for these vendors finding security bugs in the first place? Or are they guys and gals who sit around and just wait for someone else to come along and do their work for them?

There are many defenders who do not know how to find security bugs. They can keep very busy. However, if you produce software and do not have someone who can find security bugs, then you are negligent in your production of software.

Believe it or not, but software companies tend to be negligent in these areas. It is the same thing in every other industry, where you either hire people to find problems or you skimp on that and do not. And what happens? You have problems discovered because: people are suddenly poisoned around your factory and someone puts two and two together — it is your company that is doing it. You have food products that are causing people to die. You have vehicles that are unsafe.

On and on and on.

Companies tend to think of the monetary bottom line. They are not in the business of insurance or public safety (security). The same is true in every industry.

If they can get away with not putting money into insurance or public safety, they do.

As for companies getting hacked “because” someone finds a security bug in it: this is when there actually is not responsible disclosure going on. Which is induced when vendors refuse to fix bugs reported to them by bug finders. They have no other recourse but to make their bugs public.

More FYI, who do you think makes a lot of your security products? Very often, security bug finders. If you are making security products and can not find security bugs, you really are not testing your software nor building it for a good attack model at all.

Who do you think secures your infrastructure? Guys who run tools? They can help. But you have guys and gals who find security bugs, as well. If you did not, your infrastructure would be wide open.

Joe August 2, 2013 7:53 AM

Z.Lozinski, et al (several have posed questions on ‘how should this be done’)
A question for this audience: how should a manufacturer respond to this new threat model?

It looks like their best model would be to have lock systems which are expecting to have flaws found in them. So, they need to plan ahead for this, and they need a system that can be easily updated.

This has to be carefully designed.

Another poster pointed out the problem (as he sees it), of how “it is the bug finders fault” when someone finds and reports to the public security bugs… how it is their fault when these software systems then remain unfixed for months and years.

That is a huge problem. It is a problem serious bug finders have long sought to address. That is bug finders who actually care about security. The main problem is simply another security bug: You own the software, you can ensure it gets updated.

A lot of companies have done this badly. Few companies have done this very well. For whatever reason, they get some kind of arrogant complex. Some refuse to update pirated or out of date systems, though bug fixes are available for them. Others have updated their update system to make it very quick to update, but they have it so it requires a lot of end user interaction and it operates like a nag screen.

Update systems are prone to security bugs themselves, as we have seen with, for instance, some US government hacks. That is another issue.

Basically, your update system should be considered as the heart of your immune system for your software. It has to be deeply thought out, well designed, and its own self well adapted by end user complaints and comments.

Volkswagen would never have gone to court had they an easy way to update their locking system. They could then say, “We have fixed the bug”. They could even say, “We appreciate these clever bug finders for finding these bugs, and we immediately, within three days, closed the hole and fixed everyone’s car”.

This is obviously not so easy of a problem for them. At the least, one would have to go into the shop. As things get more connected so they could make the fix easier, then they could be updated without the end user having to lift a finger.

As it stands, they could have a system that updates via, say, Bluetooth, from people’s phones. For instance.

Joe August 2, 2013 8:12 AM

Martin Walsh • August 1, 2013 2:40 PM
“I demand openness”
“I demand you tell me everything”
“The people deserve to know”
“Secrets are bad”
“You have no right to keep this information to yourself…it must be made public!”
….. unless it’s my shit.

Strawman arguments. If anybody was saying all of the above, they would be made of straw.

The world is full of strawmen… strawwomen.

“Some say the world will end in fire,
Some say in ice.
From what I’ve tasted of desire
I hold with those who favor fire.”

Robert Frost

Reality is: everyone knows the world is ending in fire.

John Utteridge August 2, 2013 9:44 AM

It’s worth reminding yourself of all the other things Thales are tasked with securing – a few stolen VWs is small beer…

John Doe August 2, 2013 9:59 AM

@Joe “Defender” as in the defender or victim of a particular hack/vulnerability. I couldn’t follow anything you said after you assumed the defender was the vendor.

In this case anyone with a vulnerable car lock would be the defender. If they disclose how to defeat the lock to the world anybody who owns the lock is exposed because there is public documentation available on how to defeat the lock. This is what I meant by “upfront pain for defenders”.

However, by not knowing the details of the vulnerability, defenders cannot take reasonable precautions (based on risk tolerance) to ensure that nobody takes advantage of the vulnerability. On top of that: defenders being unaware of the issue removes most of the motivation for vendors to address the issue. Which in turn greatly increases the amount of time the defender is exposed to a vulnerability.

From a legal perspective I would love to see case law around a lock maker suing a security researcher for full public disclosure after the fact.

It’s easy for the judge to ask for a temporary gag order while investigating the plaintiff’s claims, but a lot harder for the vendor to prove that the security researcher is the party responsible for any damage resulting from a security flaw in the vendor’s design.

ChristianO August 2, 2013 12:25 PM

In Air Strip One Freedom of Speech is only there for the good of the people! Where would we be if anyone could tell and publish what he likes.

In a world of extreme conservatives and ultra conservatives we may soon get discussions on how people may be tortured and which people are allowed vigilantism.

Alex August 2, 2013 12:42 PM

@A Nonny Bunny

Yes I have and I think you’re applying US English to the UK which is unhelpful. In the UK, the Government would be understood to be the executive (indeed the devolved Scottish Executive was renamed the Scottish Government a few years back). “The courts regularly rule against the government” is regular British English parlance.

Anyway that’s almost beside the point. My point was that Bruce was being deliberately misleading and somewhat hyperbolic in his statements. If this were in the US and a circuit judge (court of first instance) issued a temporary injunction in a trade secrets case would you feel that “USA bans X” was an appropriate headline?

Alex August 5, 2013 12:51 PM

Does anyone know if such a vulnerability exists in Mercedes-Benz cars? One of our company cars (2012 Mercedes S550) was broken into at the airport with no visible trace of forced entry which I could see. My Google-fu isn’t giving me any leads and the local dealership, while helpful, is clueless.

Brian Lee August 6, 2013 6:37 PM

@Alex If a federal circuit judge here in the US had issued a ruling with similar effects, then yes, “USA bans X” would be a perfectly appropriate headline. Especially when used in a blog described as: “A blog covering security and security technology”.

The action taken by the official acting on behalf of the government is very unfortunate and sets an unwelcome precedent. This is not fundamentally different than the case of someone discovering a vulnerability in a website or any other piece of software, embedded or otherwise. For a government to step in and protect the interests of the producer of the flaw is not in the best long term interests of the citizen customers.

fajensen April 8, 2015 8:22 AM

@Alex –

Check what the remote does with an oscilloscope. Even “top brand”, factory installed, alarm systems are surprisingly often cheap, useless crap.

My car was broken into with a hole drilled in the front door, right below where the key goes into the handle – but – that is not exactly how they did the deed because the alarm would still have gone off on opening the door:

Investigating the remote one finds that it simply sends the same 16-bit code over and over, so, what they probably did was to hack a 416 MHz transmitter to send all 2^16 possible codes; this would take at most 20 minutes at the transmission rate of the remote. They could also have grabbed & stored the code but this equipment would be more complicated. The hole was a decoy, I think.

The Brits are really good at breaking into cars – If I went to Reading or Oxford, I would just drive the old Toyota with AM-radio and rust on the sides. Taking the nice car, it would be burgled for sure out of principle; like hyenas marking their territory with pee it was. To be able to use the nice car, I made a cover plate for the radio that had authentic (bought at a scrap yard) wiring looms hanging out from it, making the car look like someone ripped the radio already. That gadget seemed to do the trick, presenting the car as “marked” kept the feral louts away.

Oldie April 8, 2015 8:32 AM

Stealing the car’s alarm system would have been more fun, not for its value but to make a point.
– Oldie

Angus S-F April 28, 2015 1:57 PM

It has gotten worse, but there is now a PDF detailing this attack: https://eprint.iacr.org/2010/332.pdf

If you have the keyless fob that unlocks your Prius as you walk up to it …

Thieves using a $17 device to break into cars with keyless systems
http://www.networkworld.com/article/2909589/

Keeping Your Car Safe From Electronic Thieves – NYTimes.com
http://www.nytimes.com/2015/04/16/style/keeping-your-car-safe-from-electronic-thieves.html?

He explained it like this: In a normal scenario, when you walk up to a car with a keyless entry and try the door handle, the car wirelessly calls out for your key so you don’t have to press any buttons to get inside. If the key calls back, the door unlocks. But the keyless system is capable of searching for a key only within a couple of feet.

Mr. Danev said that when the teenage girl turned on her device, it amplified the distance that the car can search, which then allowed my car to talk to my key, which happened to be sitting about 50 feet away, on the kitchen counter. And just like that, open sesame.

“It’s a bit like a loudspeaker, so when you say hello over it, people who are 100 meters away can hear the word, ‘hello,’ ” Mr. Danev said. “You can buy these devices anywhere for under $100.” He said some of the lower-range devices cost as little as $17 and can be bought online on sites like eBay, Amazon and Craigslist.

New York Times columnist falls prey to signal repeater car burglary | Ars Technica
http://arstechnica.com/cars/2015/04/15/new-york-times-columnist-falls-prey-to-signal-repeater-car-burglary/

In the PDF:

… This corresponds to the scenario where the key is e.g., in the owner’s pocket in the supermarket, and the car is at the supermarket parking lot. We tested 10 recent car models from 8 manufacturers and show that their PKES systems are vulnerable to certain types of relay attacks …

Might need to get a pocketable Faraday cage for your fob so your fob is hidden when you’re shopping or at work …
