Car key immobiliser hack revelations blocked by UK court

  • Published
Megamos Crypto component
Image caption,

Megamos Crypto transponders are built into car keys to disable the vehicles' engine immobilisers

A High Court judge has blocked three security researchers from publishing details of how to crack a car immobilisation system.

German car maker Volkswagen and French defence group Thales obtained the interim ruling after arguing that the information could be used by criminals.

The technology is used by several car manufacturers.

The academics had planned to present the information at a conference in August.

The three researchers are Flavio Garcia, a computer science lecturer at the University of Birmingham, and Baris Ege and Roel Verdult, security researchers at Radboud University Nijmegen in the Netherlands.

"The University of Birmingham is disappointed with the judgement which did not uphold the defence of academic freedom and public interest, but respects the decision," said a spokeswoman.

"It has decided to defer publication of the academic paper in any form while additional technical and legal advice is obtained given the continuing litigation. The university is therefore unable to comment further at this stage."

Radboud University Nijmegen said it found the ban "incomprehensible".

"The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible," said a spokeswoman.

"The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

Neither VW nor Thales was able to provide comment.

The ruling was issued on 25 June, but the case only gained public attention following an article in the Guardian, external.

Two-day hack

The presentation - entitled Dismantling Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobiliser - is still listed on the website, external of the Usenix Security Symposium, which will be held in Washington next month.

Megamos Crypto refers to a transponder built into car keys which uses RFID (radio-frequency identification) to transmit an encrypted signal to the vehicles. This deactivates a system which otherwise prevents their engines from starting.

VW introduced the technology in the late 1990s and it is also used by Honda and Fiat among others.

The researchers said they had obtained a software program from the internet which contained the algorithm devised by Thales to provide the security feature. They said it had been on the net since 2009.

Image caption,

VW has used the security tech in its Audi cars among other brands

The researchers said they had then discovered a weakness in the code meaning that it could be compromised, and added that there was a strong public interest that the information be disclosed to ensure the problem was addressed.

However, VW and Thales argued that the algorithm was confidential information, and whoever had released it on the net had probably done so illegally. Furthermore, they said, there was good reason to believe that criminal gangs would try to take advantage of the revelation to steal vehicles.

The researchers argued that this risk was overblown since car thieves would need to run a computer program for about two days to make use of the exploit in each case.

They said that removing the sections which VW and Thales wanted expunged would mean their paper would have to be peer reviewed a second time, and they would miss their slot at the conference as a consequence. And they argued that their right to publish was covered by freedom of speech safeguards in the European Convention on Human Rights.

However, the judge ruled that, pending a full trial, the details should be withheld.

Tom Ohta, an associate at the law firm Bristows - which was not involved in the case - said the way the researchers discovered the flaw proved their undoing.

"An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorised website," he said.

"This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."

Related internet links

The BBC is not responsible for the content of external sites.