Two academics have finally obtained permission to publish a piece of security research that reveals the vulnerabilities in a wireless car locking system. Two years ago, Volkswagen, one of the carmakers using the fragile product, won a lawsuit that banned the publication.
Today, despite the court decision, Volkswagen has given permission to publish the vulnerability with minor variations. However, this case reveals the tension between security researchers and automakers.
Some companies, such as Facebook, Google and Microsoft, offer financial rewards to those who discover bugs in their products or infrastructure. Others, such as Fiat Chrysler, claim that this activity is criminal and, just as Volkswagen did, go to court, while not addressing the problems that expose customers to risks.
The automotive industry may feel intimidated, but Volkswagen's approach of taking the legal road, which is essentially an attempt to keep the information inside the walls, looks like closing its eyes in the hope that everything will go well.
This, of course, as you understand, is a serious issue, and it becomes even more serious with the involvement of the courts. In any case, the Internet has no national borders, and we have often seen information appear regardless of a court's decision.
We are talking about a new era: information flows, and there seems to be nothing that can stop it. In particular, information about the safety of the public should rather be approached by other judicial authorities.
Where it all started.
Megamos is a wireless key fob transponder. The encryption used by the Swiss company that built Megamos is so weak that an attacker only needs to listen to two of the messages that the key emits in order to break it.
The vulnerability lies in the weak cryptographic methods used by the device, and the researchers found that they could very easily generate the 96-bit (!) key used by the transceiver. So they can get any car that uses it in less than half an hour.
The vulnerability has been known since 2012; however, there has been no recall from the dozens of companies, such as Audi, Porsche, Bentley, Lamborghini, Nissan and Volvo, that use the device.
RollJam is currently available (it is sold online and costs 20 pounds) and can unlock many well-known car brands. It also opens garage doors and deactivates some alarm systems.
Academic freedom against the interests of industry
The researchers who now have the right to publish the vulnerability, Roel Verdult and Barış Ege from Radboud University in the Netherlands and Flavio D. Garcia of the University of Birmingham, approached the maker in May 2012, explaining that they intended to present their findings at the USENIX 2013 conference, while giving it time to solve the problem. However, Volkswagen used the courts to prevent the publication of the document, and succeeded in restricting the freedom of academic publishing.
Panel of affected models.
This sad story of the publication ban on academics, with a gag order, shows how "relevant" the internet and security were to the court. Regardless of the enormous cost of recalling the defective product, which Volkswagen argued in order to win the disclosure ban, the court would have to take into account public safety, freedom of speech and, in general, the freedom of scientific publication.
All this seems to have been set aside for a financial cost… Of course we have seen similar ways of silencing on the part of governments, but this is another chapter.
Information from TNW