Attacks/Breaches
7/30/2013
11:12 AM
50%
50%

How To Hack A Porsche Research Muffled

Court halts disclosure of research into exploitable vulnerabilities in late-'90s immobilizer technology still being used to secure cars made by Audi, Volkswagen and others.

But Radboud University Nijmegen has expressed frustration with the legal action and delays by Volkswagen and Thales over the "outdated" chip, despite their having been notified of the vulnerability some time ago.

"The researchers informed the chipmaker nine months before the intended publication ... so that measures could be taken," said a statement released Monday by the university. "The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

The researchers said they obtained all of the information in their paper from the public domain, meaning no significant obstacle would face anyone else who wants to find exploitable vulnerabilities in the immobilizers. "The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," said Radboud University Nijmegen. "The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible."

Furthermore, the researchers said that exploiting the weaknesses they've identified wouldn't exactly be practical. An attacker would have to run a software program that would take, on average, two days to identify a working crypto crack. The software would need to be run fresh for every different immobilizer targeted.

Their talk, "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," is still listed on the website for this year's USENIX Security Symposium, to be held next month, although as of Tuesday it was labeled as being "presentation only," suggesting that the researchers will no longer demonstrate a working exploit of the vulnerability.

A spokeswoman for Volkswagen didn't immediately respond to an emailed request for comment about how the automobile manufacturer planned to mitigate the vulnerabilities identified in the Megamos Crypto system, or what might be required to correct the vulnerability in any vehicle with such a system.

It was unclear whether an English court's ban on publication would extend to a conference in the United States, but by Monday both of the institutions involved said their researchers would refrain from publishing their paper. "The University of Birmingham is disappointed with the judgment which did not uphold the defense of academic freedom and public interest, but respects the decision," said a spokeswoman via email, reported the BBC.

The researchers had argued that their right to publish their paper was protected by the European Convention on Human Rights, which includes freedom of speech protections by which Britain has agreed to abide. But the High Court judge nevertheless imposed an injunction, pending a full trial.

Attorney Tom Ohta at British law firm Bristows told the BBC that the manner in which the researchers had obtained the cryptographic details has so far proved to be their legal undoing. "An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorized website," he said. "This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."

Despite that setback, this is far from the first time that computer scientists have set their sights on hacking car systems and detailing related flaws in a research paper. In 2010, for example, a team from Rutgers University demonstrated how tire pressure sensors in some cars could be remotely spoofed.

That research was followed by a group of Swiss scientists who successfully deactivated car immobilizers, unlocked doors and started engines by using wireless repeaters to amplify the signal from a wireless key fob from a target's home to their car.

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/1/2013 | 2:12:03 AM
re: How To Hack A Porsche Research Muffled
Let's look at all of the facts. first points from the article, then my take on each one

1.
The researchers said "They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales."
2.
The researchers said they obtained all of the information in their paper from the public domain, meaning no significant obstacle would face anyone else who wants to find exploitable vulnerabilities in the immobilizers. "The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," said Radboud University Nijmegen.
3.
An attacker would have to run a software program that would take, on average, two days to identify a working crypto crack. The software would need to be run fresh for every different immobilizer targeted.
4.
The automaker also argued that the algorithm used to disable the car's immobilizer was confidential information.

5.
Attorney Tom Ohta at British law firm Bristows told the BBC that the manner in which the researchers had obtained the cryptographic details has so far proved to be their legal undoing. "An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorized website," he said. "This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."

MY TAKE

1.
This tells me that the information is on the internet and can be found, and that the algorithm was created by Thales. I'm not sure where 2009 comes into play - was that when Thales created the algorithm or when the information was put on the web?
2.
The researchers say the algorithm is crackable, based on mathematics.
I know that any algorithm is crackable, but good ones take years to break (where breaking the algorithm means that someone could log in as someone else, or gain access to information they should not). Plus, the information is on the web, most likely open to anyone.
3.
Two days to hack a Porshe? That makes it almost worthwhile.... naw.... too long.
4.
If the algorithm is confidential information, then anybody knowing the algorithm is "unauthorized".
I also know that even secret algorithms can be discovered, given enough computing power and time. this is why hiding the algorithm and saying "I'm secure" is security suicide.
5.
The lawyer is saying that because the researcher did not get the algorithm from Thale or Volkswagen, the researchers "downloaded it from an unauthorized website." See my second part of 3, above.
bknabe
50%
50%
bknabe,
User Rank: Apprentice
7/31/2013 | 1:22:41 PM
re: How To Hack A Porsche Research Muffled
The article says they downloaded the information from "an unauthorized website." Regardless of what type of site it was, that tells us that, if they want it, the bad guys already have the software, may have had it for four years, and if they wanted to crack, likely already have. Preventing this publication to protect the public is passing legislation to that says:

"The hole in the dike shall immediately cease and desist transport of water through said dike."

Useless.
proberts551
50%
50%
proberts551,
User Rank: Apprentice
7/30/2013 | 6:58:14 PM
re: How To Hack A Porsche Research Muffled
They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales.
Thanks for this information. How many theives now know where to find it? unless it has been removed.
Tedlschroeder
50%
50%
Tedlschroeder,
User Rank: Apprentice
7/30/2013 | 5:39:05 PM
re: How To Hack A Porsche Research Muffled
This approach doesn't help at all. It only means that someone who isn't a white hat is either currently figuring out the answer or already has. If the vulnerability is well understood something should have been done within the 9 month period to fix or mitigate the problem. This is the sort of thing that happens when non-technical people get involved in technical decisions.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
7/30/2013 | 5:02:23 PM
re: How To Hack A Porsche Research Muffled
Hiding your algorithm or "Secrecy through obscurity" while using it daily to disable the immobilizer invites bad guys to attack your system. There have been numerous cases where an insecure algorithm was hidden and was broken easily - just ask Netscape. The story doesn't say where they got the information, just that it was publicly available. Maybe I should try to crack their algorithm using open source tools I have ;>)
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-5395
Published: 2014-11-21
Multiple cross-site request forgery (CSRF) vulnerabilities in Huawei HiLink E3276 and E3236 TCPU before V200R002B470D13SP00C00 and WebUI before V100R007B100D03SP01C03, E5180s-22 before 21.270.21.00.00, and E586Bs-2 before 21.322.10.00.889 allow remote attackers to hijack the authentication of users ...

CVE-2014-7137
Published: 2014-11-21
Multiple SQL injection vulnerabilities in Dolibarr ERP/CRM before 3.6.1 allow remote authenticated users to execute arbitrary SQL commands via the (1) contactid parameter in an addcontact action, (2) ligne parameter in a swapstatut action, or (3) project_ref parameter to projet/tasks/contact.php; (4...

CVE-2014-7871
Published: 2014-11-21
SQL injection vulnerability in Open-Xchange (OX) AppSuite before 7.4.2-rev36 and 7.6.x before 7.6.0-rev23 allows remote authenticated users to execute arbitrary SQL commands via a crafted jslob API call.

CVE-2014-8090
Published: 2014-11-21
The REXML parser in Ruby 1.9.x before 1.9.3 patchlevel 551, 2.0.x before 2.0.0 patchlevel 598, and 2.1.x before 2.1.5 allows remote attackers to cause a denial of service (CPU and memory consumption) a crafted XML document containing an empty string in an entity that is used in a large number of nes...

CVE-2014-8469
Published: 2014-11-21
Cross-site scripting (XSS) vulnerability in Guests/Boots in AdminCP in Moxi9 PHPFox before 4 Beta allows remote attackers to inject arbitrary web script or HTML via the User-Agent header.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?