Attacks/Breaches
7/30/2013
11:12 AM
Connect Directly
RSS
E-Mail
50%
50%

How To Hack A Porsche Research Muffled

Court halts disclosure of research into exploitable vulnerabilities in late-'90s immobilizer technology still being used to secure cars made by Audi, Volkswagen and others.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
A British high court has banned the publication of an academic paper set to detail exploitable vulnerabilities in a car-immobilizer system that dates from the late 1990s, which remains widely used in Audi, Bentley, Lamborghini, Porsche and Volkswagen cars, among other vehicles.

The three computer scientists who discovered the flaws, which relate to the Megamos Crypto algorithm that's used to verify the authenticity of a car-ignition key, were set to detail those vulnerabilities at an information security conference next month in Washington. They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales.

After the High Court of Justice of England and Wales blocked the publication of their paper, however, the researchers -- Baris Ege and Roel Verdult, information security researchers at Radboud University Nijmegen in the Netherlands, and Flavio Garcia, a computer science lecturer at Britain's University of Birmingham -- this week said they would abide by the decision.

[ Auto makers envision cars that are more connected to the cloud. Read 5 Ways Big Data Can Improve Your Car. ]

Although the court-ordered publishing ban was handed down on June 30, it gained little attention until Britain's Guardian detailed the high court's ruling Tuesday. That triggered a furious public debate over whether the publication ban served the public's best interests.

The ban was requested by Thales and Volkswagen, which originally developed the Megamos Crypto system. The system involves a radio-frequency identification (RFID) transponder, built into car keys, which can be used to transmit an encrypted signal to a vehicle and disable its immobilizer. Unless disabled, the immobilizer prevents a car's engine from starting. The system is now used in cars sold by Cadillac, Honda, Mercedes, Mazda, Nissan, Toyota and Volvo cars, among many other automakers.

Volkswagen told the court that publishing information on the system could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car," reported the Guardian. The automaker also argued that the algorithm used to disable the car's immobilizer was confidential information.

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
7/30/2013 | 5:02:23 PM
re: How To Hack A Porsche Research Muffled
Hiding your algorithm or "Secrecy through obscurity" while using it daily to disable the immobilizer invites bad guys to attack your system. There have been numerous cases where an insecure algorithm was hidden and was broken easily - just ask Netscape. The story doesn't say where they got the information, just that it was publicly available. Maybe I should try to crack their algorithm using open source tools I have ;>)
Tedlschroeder
50%
50%
Tedlschroeder,
User Rank: Apprentice
7/30/2013 | 5:39:05 PM
re: How To Hack A Porsche Research Muffled
This approach doesn't help at all. It only means that someone who isn't a white hat is either currently figuring out the answer or already has. If the vulnerability is well understood something should have been done within the 9 month period to fix or mitigate the problem. This is the sort of thing that happens when non-technical people get involved in technical decisions.
bknabe
50%
50%
bknabe,
User Rank: Apprentice
7/31/2013 | 1:22:41 PM
re: How To Hack A Porsche Research Muffled
The article says they downloaded the information from "an unauthorized website." Regardless of what type of site it was, that tells us that, if they want it, the bad guys already have the software, may have had it for four years, and if they wanted to crack, likely already have. Preventing this publication to protect the public is passing legislation to that says:

"The hole in the dike shall immediately cease and desist transport of water through said dike."

Useless.
RoyKelly2
50%
50%
RoyKelly2,
User Rank: Apprentice
8/1/2013 | 2:12:03 AM
re: How To Hack A Porsche Research Muffled
Let's look at all of the facts. first points from the article, then my take on each one

1.
The researchers said "They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales."
2.
The researchers said they obtained all of the information in their paper from the public domain, meaning no significant obstacle would face anyone else who wants to find exploitable vulnerabilities in the immobilizers. "The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," said Radboud University Nijmegen.
3.
An attacker would have to run a software program that would take, on average, two days to identify a working crypto crack. The software would need to be run fresh for every different immobilizer targeted.
4.
The automaker also argued that the algorithm used to disable the car's immobilizer was confidential information.

5.
Attorney Tom Ohta at British law firm Bristows told the BBC that the manner in which the researchers had obtained the cryptographic details has so far proved to be their legal undoing. "An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorized website," he said. "This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."

MY TAKE

1.
This tells me that the information is on the internet and can be found, and that the algorithm was created by Thales. I'm not sure where 2009 comes into play - was that when Thales created the algorithm or when the information was put on the web?
2.
The researchers say the algorithm is crackable, based on mathematics.
I know that any algorithm is crackable, but good ones take years to break (where breaking the algorithm means that someone could log in as someone else, or gain access to information they should not). Plus, the information is on the web, most likely open to anyone.
3.
Two days to hack a Porshe? That makes it almost worthwhile.... naw.... too long.
4.
If the algorithm is confidential information, then anybody knowing the algorithm is "unauthorized".
I also know that even secret algorithms can be discovered, given enough computing power and time. this is why hiding the algorithm and saying "I'm secure" is security suicide.
5.
The lawyer is saying that because the researcher did not get the algorithm from Thale or Volkswagen, the researchers "downloaded it from an unauthorized website." See my second part of 3, above.
proberts551
50%
50%
proberts551,
User Rank: Apprentice
7/30/2013 | 6:58:14 PM
re: How To Hack A Porsche Research Muffled
They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales.
Thanks for this information. How many theives now know where to find it? unless it has been removed.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0619
Published: 2014-10-23
Untrusted search path vulnerability in Hamster Free ZIP Archiver 2.0.1.7 allows local users to execute arbitrary code and conduct DLL hijacking attacks via a Trojan horse dwmapi.dll that is located in the current working directory.

CVE-2014-2230
Published: 2014-10-23
Open redirect vulnerability in the header function in adclick.php in OpenX 2.8.10 and earlier allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the (1) dest parameter to adclick.php or (2) _maxdest parameter to ck.php.

CVE-2014-7281
Published: 2014-10-23
Cross-site request forgery (CSRF) vulnerability in Shenzhen Tenda Technology Tenda A32 Router with firmware 5.07.53_CN allows remote attackers to hijack the authentication of administrators for requests that reboot the device via a request to goform/SysToolReboot.

CVE-2014-7292
Published: 2014-10-23
Open redirect vulnerability in the Click-Through feature in Newtelligence dasBlog 2.1 (2.1.8102.813), 2.2 (2.2.8279.16125), and 2.3 (2.3.9074.18820) allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the url parameter to ct.ashx.

CVE-2014-8071
Published: 2014-10-23
Multiple cross-site scripting (XSS) vulnerabilities in OpenMRS 2.1 Standalone Edition allow remote attackers to inject arbitrary web script or HTML via the (1) givenName, (2) familyName, (3) address1, or (4) address2 parameter to registrationapp/registerPatient.page; the (5) comment parameter to all...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.