Scientist Banned From Revealing Codes To Start Luxury Cars

HardOCP News

Neat hack but, let's be realistic, did this researcher really think the judge was going to rule in his favor? :D

A British-based computer scientist has been banned from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis as it could lead to the theft of millions of vehicles, a judge has ruled.
 
Full disclosure always. There should be a patch for this and the company behind the security system should issue a recall. Shame to buy such an expensive car with such a flaw. 50k pounds is chump change to a high end criminal gang that can flip 2 cars to make up for the initial cost of this hack.
 
Full disclosure always. There should be a patch for this and the company behind the security system should issue a recall. Shame to buy such an expensive car with such a flaw. 50k pounds is chump change to a high end criminal gang that can flip 2 cars to make up for the initial cost of this hack.

Let's be real here. If you can afford a Lambo you most likely care more about how you look driving to dinner in Monte Carlo than you do about a flaw like this :p
 
The scientists wanted to publish their paper at the well-respected Usenix Security Symposium in Washington DC in August, but the court has imposed an interim injunction. Volkswagen had asked the scientists to publish a redacted version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the codes, but they declined.

VW's request isn't too unreasonable, but it doesn't seem to come from concern for its customers, but from potential liability and costs to fix the problem. I imagine replacing the ignition security system will cost a whole lot per vehicle.
 
It's gonna come out one way or the other. These things once discovered never become a secret.
 
If one guy can find it out, so can another. He should publish them. May sound terrible but I have a feeling the auto makers have known about the problem for a while and have been slow to come up with a real solution.
 
Full disclosure always. There should be a patch for this and the company behind the security system should issue a recall. Shame to buy such an expensive car with such a flaw. 50k pounds is chump change to a high end criminal gang that can flip 2 cars to make up for the initial cost of this hack.
Yeah, they'll push the patch out over the internet and the autoupdaters will have it all set by Tuesday.
:rolleyes:

I would be surprised if these could be patched that easily since it would defeat the secure nature of such devices. Regardless the dealerships don't have the throughput to do this overnight. And that's assuming these aren't closed boxes. This could be a hardware replace and the security system has tendrils running through the car which could lead to a very messy hackjob to having to tear out the vehicle's wiring and replace.

I believe this sufficiently 'made the world aware' and that actually releasing the code serves no greater benefit at this point except self-aggrandizement by the authors. Maybe they have the right to go forward, but they're dicks if they do.
 
That said, the researcher says that all the information is already out there in the wild (aka... criminals already have it); just that the general public is unaware of it.
 
That said, the researcher says that all the information is already out there in the wild (aka... criminals already have it); just that the general public is unaware of it.

Maybe he should publish a paper about the technique without giving away all the specifics then. Does he really benefit from publishing exact details and codes?

Besides hopefully those with luxury cars pay for full coverage insurance :D
 
That paper is also most likely what the new one was based on... NOT the current paper about VW... they took down the link from the new one as far as I can tell... just hit the deep web... it's there like everything else...
 
Security researchers should be legally barred from EVER demonstrating ANY kind of hack or distributing information enabling others to reproduce it. They should only be able to send such information to the manufacturer of the product, and should only talk about it in a very high level in public.

We don't have some fundamental right to be able to hack companies, especially when that means disclosing to the public how the hack is done.

I wouldn't have been upset if this guy were in further legal trouble for even TRYING to publicly disclose his hack.
 
Security researchers should be legally barred from EVER demonstrating ANY kind of hack or distributing information enabling others to reproduce it. They should only be able to send such information to the manufacturer of the product, and should only talk about it in a very high level in public.

We don't have some fundamental right to be able to hack companies, especially when that means disclosing to the public how the hack is done.

I wouldn't have been upset if this guy were in further legal trouble for even TRYING to publicly disclose his hack.

Why?

Should no one ever be able to learn from the security screw-ups of others? Speaking as a software engineer, my livelihood depends on knowing the details which make an app perform well and securely. Why should information which can help me make my code more secure be a classified secret?

Today's society is built upon the mistakes of others. Some of us tend to occasionally learn from those mistakes :)
 
Why?

Should no one ever be able to learn from the security screw-ups of others? Speaking as a software engineer, my livelihood depends on knowing the details which make an app perform well and securely. Why should information which can help me make my code more secure be a classified secret?

Today's society is built upon the mistakes of others. Some of us tend to occasionally learn from those mistakes :)

So you think that any script kiddie calling himself a researcher should be able to exploit vulnerabilities in your code, publish source code and details of how to accomplish, and potentially put customers that rely on your code in danger of having data stolen? Just because the researcher thinks it might be a good thing in the long run? Or just because somebody else could figure the same hack out down the line ("you might be hacked later, so I'm going to hack you now instead")? Sorry but no. Security researchers are often a threat in and of themselves - they are just way too arrogant to realize it. To them, everyone else is the problem, but they're benevolent angels just trying to help developers write good code.
 
Why?

Should no one ever be able to learn from the security screw-ups of others? Speaking as a software engineer, my livelihood depends on knowing the details which make an app perform well and securely. Why should information which can help me make my code more secure be a classified secret?

Today's society is built upon the mistakes of others. Some of us tend to occasionally learn from those mistakes :)

This info is already available if you have a legal need for it, hence it's out there in the criminal world already. The author is looking for his 15 minutes.

Unlike Windows, you can't replace your car every 30 days for security reasons.
 
Unlike Windows, you can't replace your car every 30 days for security reasons.

You must be using it wrong... ;)

I'd say release it. The auto manufacturers have known about it, they were given notice and haven't fixed the problem. I see these researchers as the good guys. Say he doesn't release it. How fast do you think the auto manufacturers are going to fix the problem? It will take a while because it's not a priority. Put the information out there, and it gets fixed a lot faster. I think the auto manufacturers have a responsibility to make this a priority.

Microsoft has gone years without fixing a known flaw and got a lot of shit about it. The auto makers should be getting the same flak.
 
So you think that any script kiddie calling himself a researcher should be able to exploit vulnerabilities in your code, publish source code and details of how to accomplish, and potentially put customers that rely on your code in danger of having data stolen? Just because the researcher thinks it might be a good thing in the long run? Or just because somebody else could figure the same hack out down the line ("you might be hacked later, so I'm going to hack you now instead")? Sorry but no. Security researchers are often a threat in and of themselves - they are just way too arrogant to realize it. To them, everyone else is the problem, but they're benevolent angels just trying to help developers write good code.

Much better to leave your head in the sand letting users think you have a secure system. What an idiotic way to look at a problem.
 
Much better to leave your head in the sand letting users think you have a secure system. What an idiotic way to look at a problem.

Security researchers aren't some special existence which can simply be trusted and allowed access to anything. A hacker is a hacker, and they're all people illegally accessing systems for gain of some kind (even if the researcher isn't looking for money, he's at least looking for fame). And I specifically called out the act of shaming a company for not responding to you. A company doesn't respond the way you want so you think it's okay to put all of their customers at risk just to force them to respond? I'm sorry but that's not how the world works. Security researchers aren't some righteous force out to do good. Many are barely better than the hackers they claim to be above.

If you happen to find a hole in a product, sure, let them know. But no matter how they respond, NEVER make the details of how to do the hack possible. Doing so should be and IS illegal.
 
One of these days we'll be required to go to our local garages every Tuesday for Patch Tuesday.

"ugh, this dude hasn't updated his car in months. This is going to take a while".
 
If you happen to find a hole in a product, sure, let them know. But no matter how they respond, NEVER make the details of how to do the hack possible. Doing so should be and IS illegal.

I think it is only wrong to publish the "hole" that you find if you sold the problem with the code to the developer in question. Then you can only sell it if the developer in question is in breach of contract.

That is the only way that makes sense to handle this.

Yes companies that make exploitable product should have a grace period enforced by the overriding body in question. I agree with that. But they should not be allowed to sit on a problem either and pretend it does not exist. That is equally bad and in my opinion criminally negligent on their part.

Unfortunately for consumers there is no overriding body to force a company to correct its vulnerability or exploitable quality. The ONLY people with that power at this time are the consumers. Do you propose that consumers NOT be given the ability to:

1. Find the vulnerability.
2. Report the Vulnerability.
3. Confirm the vulnerability is fixed.

Any one of those not happening is relying on the maker of the product to tell us all is well. And that doesn't cut it.
 
Maybe he should publish a paper about the technique without giving away all the specifics then. Does he really benefit from publishing exact details and codes?

Besides hopefully those with luxury cars pay for full coverage insurance :D

Publishing exact details FORCES the auto makers to actually take action, rather than just pretend it's not out there. Which is what they were seemingly doing. You can't tell me a multibillion dollar industry doesn't have researchers scouring the internets to see how thieves are trying to break into their cars.
 
Publishing exact details FORCES the auto makers to actually take action, rather than just pretend it's not out there. Which is what they were seemingly doing. You can't tell me a multibillion dollar industry doesn't have researchers scouring the internets to see how thieves are trying to break into their cars.

Actually I will tell you this right now. They DO NOT have researchers scouring the internet to see how thieves are breaking into their cars. They simply do not care. These systems are purchased from third parties. IF the system fails and it falls to the auto manufacturer to fix they pass this cost to the systems manufacturer to correct who goes to the coding source they contracted out to find out how this came to be and holds them accountable.

Porsche, Lamborghini or whomever could give two shits about this other than the PR. The cost to them is negligible.

They buy systems with assurance of function and security from 3rd parties that they incorporate into their systems. That is all there is to that. (In most cases.)
 
Publishing exact details FORCES the auto makers to actually take action, rather than just pretend it's not out there. Which is what they were seemingly doing. You can't tell me a multibillion dollar industry doesn't have researchers scouring the internets to see how thieves are trying to break into their cars.

No, it's a childish attempt by the hackers at becoming famous. They're not going to recall every car with the system, even if this jackass were allowed to release his hack. All it would do is teach the thieves to steal the cars. Something they may have eventually figured out without him, sure. But you don't understand how the world works at all if you really think that this guy was out only to do good, and that he's right about that (good being done).
 
It doesn't matter if he publishes how he did it, the how is rarely important in technology, all humans really need to know is that something can be done and from that people will try and figure it out just to do it even if they have no intention of using it. Why? Why not...
 
Someone correct me if I'm wrong, but few 2006+ cars use that system anymore.

So it will only let you steal older cars.
 
The scientists wanted to publish their paper at the well-respected Usenix Security Symposium in Washington DC in August, but the court has imposed an interim injunction. Volkswagen had asked the scientists to publish a redacted version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the codes, but they declined.

VW's request isn't too unreasonable, but it doesn't seem to come from concern for its customers, but from potential liability and costs to fix the problem. I imagine replacing the ignition security system will cost a whole lot per vehicle.

VW and concern for customers are completely opposite things. No other company has the nerve to sell cars without basic necessities. They charge for everything. I guess the Porsche just need more money in order to survive. Poor billionaires.
 
There was a YouTube video a few weeks ago where a guy was using a device to unlock and steal cars.
 