
Scientist banned from revealing codes used to start luxury cars - justincormack
http://www.guardian.co.uk/technology/2013/jul/26/scientist-banned-revealing-codes-cars
======
moocowduckquack
They should try and publish it with the cambridge lot who write the light blue
touchpaper blog.

[http://www.lightbluetouchpaper.org/](http://www.lightbluetouchpaper.org/)

They ran into a similar situation with the banks and answered with one of the
best academic slap downs I have ever read.

[http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf](http://www.cl.cam.ac.uk/~rja14/Papers/ukca.pdf)

~~~
mathetic
Cambridge CompSci here. Dr. Anderson, apart from his academic work, is known
to be a very powerful and influential scholar in Cambridge. He also
orchestrated a campaign against the university so that the scholars can own their
intellectual property rather than the university and was very successful in
his campaign. So it is no surprise that his response to such a phony request
is glorious.

~~~
amirmc
I'm not sure that's accurate. There are a bunch of rules etc about 'IP' in
general. I've no doubt Ross was involved in the process but 'orchestrating a
campaign' seems a bit grandiose.

[http://www.admin.cam.ac.uk/offices/research/research/ipr.asp...](http://www.admin.cam.ac.uk/offices/research/research/ipr.aspx)

~~~
fanf2
See
[http://www.cl.cam.ac.uk/~rja14/ccf.html](http://www.cl.cam.ac.uk/~rja14/ccf.html)

~~~
amirmc
Thank you, I stand corrected. I was aware of the copyright issues (where the
University tried to say it was theirs) but knew less about the general IP
'land grab' that University undertook. More background is at the link below.

[http://www.cl.cam.ac.uk/~rja14/Papers/ccf-campaign.html](http://www.cl.cam.ac.uk/~rja14/Papers/ccf-campaign.html)

------
revelation
This thread perfectly demonstrates why injunctions on free speech are evil. We
could be reading their paper now instead of contemplating what this piece of
low-effort journalism could have possibly meant.

The rash of high tech car robberies, I think, used the OBD port to reprogram
the car to recognize their fake key. Like a dealer would. So they didn't break
the actual crypto, as is claimed here.

The software that is referenced here could be the software VW distributes to
dealerships to reprogram the car when a customer lost their key. So that's
certainly one possible way to find out how the crypto system works, by the
interaction of the software with the car.

The article also mentions decapping the actual ICs that do the crypto. That's a
very time intensive way to find out how a crypto system works, but it may be
the only one when you are dealing with fixed master keys and proprietary
algorithms. If the keys alluded to here are actually master keys, burned into
every car, then they should certainly be published along with the other
results, since they are an integral part of the system.

~~~
vacri
If I found out your bank account details, would you be happy for me to publish
them?

~~~
DJN
A poor analogy but in general terms, if it is in the public's interest, yes.

Security by obscurity is flawed.

~~~
vacri
So freedom of speech is only morally necessitated if it's deemed to be in the
public interest? That sounds like you're setting a restriction on speech.

~~~
crumblan
That's not what you asked, you asked "would you be happy".

~~~
vacri
Yes, it was a rhetorical question meant to illustrate that there are some
things for which it's not evil to publish. Another example would be the names
and locations of victims of spousal abuse that are in refuges.

In any case, if you're being that pedantic, why didn't you notice that I
actually asked revelation that question, and not DJN?

------
mindstab
Um, isn't this the explanation for the rash of high tech car robberies we've
been witnessing ALREADY? This seems old news to the thieves. This is really
just preventing the owners of the cars from reading in the paper that their
car is freely stealable. It is regardless of whether the owners know it or not
though.

Shameful now they'll move to try and blame these guys when they probably
botched the security in the first place.

~~~
acqq
Do you think it's good when every thief-kiddie gets an easy recipe to open
most of the cars soon after some academics used some advanced high tech to
analyze the physical structure of the chip and reverse engineer the circuits?

Leaving "bad guys" having to repeat the feat until they can use the weakness
should buy some time for everybody.

~~~
rwmj
No, I think it's good when manufacturers recall the cars and fix their
exploitable entry systems.

~~~
acqq
The level of exploitability changes immensely if the codes are published,
since it was far from trivial to get them: the capability to analyze the
silicon chips is far from everywhere. Not giving codes buys some time to all
the owners of all the cars, probably counting millions.

~~~
rwmj
Whatever. My car (which is definitely not high end) has a key fob which has
been known exploitable for _years_ , and Toyota have done absolutely nothing
at all in that time to recall, help or even inform me. Manufacturers don't
give a damn. It's time they took this seriously.

~~~
ceol
Why do you think VW would do anything when you admit your own car manufacturer
hasn't done anything, despite that information being out for years?

------
femto
One way to read this article is as a call for a chip slicing method for the
masses.

It would seem quite a tractable problem for a keen hobbyist. Build a robot,
something like a 3D printer in reverse, to alternately remove thin layers from
a chip and image the newly exposed layer, until the chip is gone. Use a
program to assemble the images into a 3D representation and extract the
circuit.

In fact, such a project would be a relatively simple way to start gaining the
knowledge required for the reverse process, of building a chip.

~~~
mdaniel
Excuse my inexperienced query, but wouldn't a high resolution MRI-esque device
be much better for that task? It seems that physical deconstruction of
something as intricate as an IC would be fraught with peril. I know there was
a similar technique used on a frozen brain to obtain 1mm(?) slices, and I'm
sure that's good for biology but my mental model of an IC is that the
interesting and encased materials differ more sharply than in biology.

~~~
femto
I'd guess MRI would lack the necessary spatial resolution, as the wavelength
of the emitted radio waves would be larger than the typical feature size on a
chip. For that matter, optical imaging might not be up to it either.

The physical deconstruction would be fraught with peril for the chip, which
would end up as powder! I'm not sure what the best technique would be. Maybe a
grinding wheel, if it could be controlled well enough? Maybe a flat plate with
abrasive paste, or a diamond coated nail file? That would probably be easy to
control, albeit time consuming. Laser ablation? Heat the chip to slowly and
continuously evaporate it, whilst videoing the evaporation process?

One would have to conduct an experiment to see whether it is best to slice the
packaged IC, or remove the encapsulation first. The encapsulation can be
removed with nitric acid and acetone, or even a blast with a hot flame [1].
I'd guess it would be worth removing the encapsulation.

If I had to pick a technique from above, I'd first try removing the
encapsulation then using a diamond coated nail file.

[1] [http://makezine.com/2009/07/08/how-to-dissolve-ic-packages/](http://makezine.com/2009/07/08/how-to-dissolve-ic-packages/)

------
aneth4
I am surprised not to find a single response supporting restraint from
publishing these codes. Is this community really that foolish? First, of
course if there is a flaw, it should be studied and fixed inasmuch as
possible. Reasonable people can debate whether it's appropriate to publish
methods and flaws, though the free speech question is more murky here. However
publishing the actual keys - as opposed to the methods - is madness.

Let's consider parallel situations not involving protecting rich people's
luxury possessions, which seems to be clouding everyone's judgement here.

Some examples where an encryption key is discovered or reverse engineered, and
a scientist wants to publish them:

\- a key which can shut down every ventilator

\- a key which can remotely control the throttle on high speed train

\- a key which can explode a nuclear warhead

\- the key to your bitcoin stash

\- the google master ssl private certificate

There are an infinite number of such examples. I'm shocked and disappointed
that the HN community finds publishing keys, as opposed to systematic flaws,
acceptable.

Presumably the cognitive dissonance arises from a distaste for rich people.
However even if this mostly results in mere car theft, it could also easily
result in the innocent being harmed.

Free speech, even under the US first amendment, rather clearly does not apply
to publishing private encryption keys, particularly ones that can cause grave
harm.

Shame on the HN community.

What if the headline were:

Scientist banned from revealing codes used to control school bus brakes

~~~
count
You shouldn't be so quick to cast aspersions against the community, and when
the vast majority of people agree with something, take a second to question
why that might be. There is, in fact, a flaw. It's a very significant flaw,
and has been studied, etc. for years (in the article it mentions, since
2009!). Volkswagen has done _nothing_ to address the flaw in the past few
years.

In many cases, without publishing the keys to make it PAINFULLY obvious to
everyone that the vulnerability exists, large companies can spread
disinformation and influence public perception that the vulnerability is
minimal or doesn't really exist outside of a special case/etc.

In this case, VW is very obviously not planning on updating things, fixing the
vulnerability, or addressing things. The vulnerability and the codes have been
available on the internet for YEARS without a proper response from VW or a
bulletin or other addressing of the issue (and obviously no 'fix' either).

This is one of the key points of the 'responsible disclosure' debate: many
companies DON'T CARE unless they have to, and will just sit on things
indefinitely. With all this publicity, I bet VW addresses this pretty
significant vulnerability sooner rather than never now.

Do you disagree with free speech being used to publish DeCSS or the Blu-ray
decryption keys? If your security depends entirely on a single key being not
discovered and re-used (because you have no way of changing it, for example),
you really have a horrible security model. If you're selling that security to
people, and it's really not effective at all for its purpose, then how much
different is that from false advertising or even fraud (given that you KNOW
that it's not effective, or has already been easily subverted)?

~~~
aneth4
The argument you are making - that the keys are already available - is not
being made elsewhere here and is probably untrue. If it were true, there would
be no reason to ban this publication nor would it be anything other than
folly.

Given that Volkswagen spent significant effort to block the publication, I
have to presume you are just making shit up.

Even if what you say is true, the argument being made here on HN is that the
keys should be published regardless of whether they are available already -
which is, quite simply, ethically indefensible.

~~~
count
I'm not making the argument that the keys are available already - I'm making
the argument that the vulnerability has been previously disclosed, and that VW
has done nothing about it. In fact, they have discounted it.

It's easily ethically defensible - there is no moral imperative to keep the
knowledge of something secret which may cause injury to others by being kept
secret. In fact, just the opposite. _VW_ is in an ethically indefensible
position, as they are in the position of selling vehicles with systems
marketed specifically as 'secure' that are, in fact, not secure at all; a fact
which has been known to a smaller community (and VW) for over 4 years. THAT is
ethically indefensible.

Sometimes, publishing details in a painfully easy to reproduce manner is the
only way to get a company to FIX the problem, which is the point in all of
this. For a great physical analog, see the 'pen and u-bolt lock' trick. It
wasn't until a YouTube video appeared showing just how ridiculously easy that
lock was to break that the company updated its design and fixed things.

~~~
aneth4
So you're making the argument that enough time has elapsed in which the car
maker could have fixed the problem. In other words, you are not making an
argument supporting publishing freely and immediately. You are implicitly
supporting restraint for at least as long as some subjectively determined time
it should take for the manufacturer to fix the issue, and support publishing
as a method to pressure the manufacturer. This is entirely different from
supporting free speech at any cost.

You then go on to say there is no ethical imperative to withhold information
that may harm others, which is both wrong and contrary to your prior
implication - that publishing is ok after a window has passed for the issue to
be resolved.

This reasoning is contradictory and flawed.

------
jlgaddis
This is a "UK injunction" to prevent the scientists from publishing their
paper "in Washington DC in August". How does that work?

It seems quite "not right" to me that my own government could legally prohibit
me from doing something in another country (jurisdiction).

~~~
driverdan
I can't speak for the UK but in the USA our laws technically apply no matter
where a citizen is. US law trumps foreign laws and you could be prosecuted
when you return.

~~~
nknighthb
No, they don't. One of the canons of statutory construction is a presumption
against extraterritorial application of laws. Congress has to intend for a law
to apply beyond US borders, and it's assumed they don't without evidence to
the contrary.

In some cases they have done this, such as in the PROTECT Act of 2003 which
contains a prohibition on child sex tourism. But there is no general
assumption that US law applies everywhere.

------
jrockway
When I get off a plane, the first thing I do is check if the country I'm
deplaning in has prior restraint and mandatory Internet censorship. If it
does, I know I'm in the third world.

~~~
mathetic
So you consider UK as a third world country?

~~~
beedogs
Seems to be one to me.

------
cube13
I don't get it. Why not publish the method used to crack it without the
codes? That's the important research here, and what should be public to
further crypto knowledge.

The actual codes are worthless for that.

~~~
nicholassmith
From the article it does sound like Volkswagen asked them to redact the codes
and they said no, whether they asked for further redactions is unclear. If it
was a simple case of asking them not to publish the unlock codes and they said
no, that sounds a bit odd, you don't need the codes to show there's a flaw in
the system.

~~~
AnthonyMouse
>If it was a simple case of asking them not to publish the unlock codes and
they said no, that sounds a bit odd, you don't need the codes to show there's
a flaw in the system.

It's not odd when you consider the need of researchers to allow other
researchers to reproduce their results for peer review.

~~~
cpncrunch
You don't need the codes to replicate the results. The codes just let you
bypass spending the $50k to replicate the experiment.

~~~
AnthonyMouse
In other words not providing the codes would increase the cost of replicating
the experiment by $50,000 for each team of researchers who chooses to
replicate it. Is that really what you want scientists spending their research
funding on?

~~~
cpncrunch
The point is, you're not actually replicating it if you don't follow all the
stages of the experiment. You are (probably) just stealing cars.

~~~
AnthonyMouse
> The point is, you're not actually replicating it if you don't follow all the
> stages of the experiment.

Disassembling the chip isn't part of the experiment, it's a precursor. You
don't have to build your own particle accelerator just to replicate a
subsequent experiment that was originally conceived based on data from the
large hadron collider.

------
ams6110
I'd be interested to know if this is another case of a software vendor
"inventing their own crypto" and making a hash of it.

Maybe it will open some eyes in industry that you need to hire experts for
that sort of thing, or at least demand external expert auditing of the
software.

~~~
DanBC
This is an attack against Megamos. Here's some more information, but I'd
welcome some experts chiming in.

([https://www.escar.info/fileadmin/Datastore/2010_escar_Vortraege/09_Immobilizer-Security_escar2010.pdf](https://www.escar.info/fileadmin/Datastore/2010_escar_Vortraege/09_Immobilizer-Security_escar2010.pdf))

([http://securityevaluators.com/content/case-studies/tiris/index.jsp](http://securityevaluators.com/content/case-studies/tiris/index.jsp))

------
rlpb
Nobody else seems to have noted that this is an _interim_ injunction, not a
permanent ban. It seems like legal enforcement of responsible disclosure to
me, giving manufacturers an opportunity to fix the problem.

I don't see a problem with this per se, in cases where there would be severe
harm (like significant crime) without such a ban, provided that the ban is
time limited to the minimum time required to fix the problem in the wild.

This means, IMHO, that the injunction should come with a requirement that the
manufacturer fix vulnerable systems quickly, even if that costs them quite a
bit.

If this is done, then I don't see this as a bad thing. "The manufacturer's
security is so bad that they had to get a court order to stop people from
explaining how while they fixed it" is a pretty good incentive, I think.

------
qq66
This is why you publish first, in whatever raw form you have. Cats don't go
back into bags.

~~~
cpncrunch
And then perhaps get sued into oblivion.

------
nonchalance
Is it better for them to publish the codes or to sell them to some thieves?
I'd imagine the latter is worse ...

~~~
rustynails77
The car makers seem to be under the impression that only 1 person would be
able to crack the code.

------
jgrahamc
More interesting than the specific codes would be to understand the security
of the algorithm used. For example, if the secret code in the Megamos system
is changed but the algorithm is not, is it susceptible to reverse engineering
from listening to the challenge/response when the key is activated?

------
cameron_hayne
Not sure, but I suspect that the Guardian article should have said "code" not
"codes". I.e. I think perhaps the ban was on including the algorithm in the
scientific paper.

------
Ecio78
Uhm, due to the value of these cars I think that "sophisticated criminal gang"
could think about kidnapping one of these scientists and force them to reveal
their research.. :/

------
peterkelly
These guys could make a _lot_ of money selling the info directly to people who
would make use of it to steal cars en masse.

Would the high court prefer that, or a legitimate academic publication that
allows us all to learn the lessons from this vulnerability?

I should add of course, that in the spirit of responsible disclosure, that
this should only be done after the car manufacturers have had adequate time to
fix the problem.

------
eksith
Remember when the AACS crypto key was leaked a few years back and everyone was
getting cease & desist letters? People began taking it down, Digg was
scrubbed, no one paid any attention to it whatsoever. It totally worked and
everyone forgot about the key, 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88
C0, and went about their business as usual.

...Oh wait.

------
smsm42
Now that the cat (or at least the fact that the cat exists) is out of the bag,
I wonder how long before owners of stolen autos start suing automakers for
negligence and false advertising that led to their cars being stolen?

------
rdl
As an Audi owner, I wonder if I have standing to sue VAG for not allowing this
to be published and thus fixed.

------
piratebroadcast
Motherfuckers lying, gettin' me pissed.

