How To Hack A Porsche Research Muffled

Court halts disclosure of research into exploitable vulnerabilities in late-'90s immobilizer technology still being used to secure cars made by Audi, Volkswagen and others.
But Radboud University Nijmegen has expressed frustration with the legal action and delays by Volkswagen and Thales over the "outdated" chip, despite their having been notified of the vulnerability some time ago.

"The researchers informed the chipmaker nine months before the intended publication ... so that measures could be taken," said a statement released Monday by the university. "The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

The researchers said they obtained all of the information in their paper from the public domain, meaning no significant obstacle would face anyone else who wants to find exploitable vulnerabilities in the immobilizers. "The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," said Radboud University Nijmegen. "The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible."

Furthermore, the researchers said that exploiting the weaknesses they've identified wouldn't exactly be practical. An attacker would have to run a software program that would take, on average, two days to identify a working crypto crack. The software would need to be run fresh for every different immobilizer targeted.

Their talk, "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," is still listed on the website for this year's USENIX Security Symposium, to be held next month, although as of Tuesday it was labeled as being "presentation only," suggesting that the researchers will no longer demonstrate a working exploit of the vulnerability.

A spokeswoman for Volkswagen didn't immediately respond to an emailed request for comment about how the automobile manufacturer planned to mitigate the vulnerabilities identified in the Megamos Crypto system, or what might be required to correct the vulnerability in any vehicle with such a system.

It was unclear whether an English court's ban on publication would extend to a conference in the United States, but by Monday both of the institutions involved said their researchers would refrain from publishing their paper. "The University of Birmingham is disappointed with the judgment which did not uphold the defense of academic freedom and public interest, but respects the decision," said a spokeswoman via email, the BBC reported.

The researchers had argued that their right to publish their paper was protected by the European Convention on Human Rights, which includes freedom of speech protections by which Britain has agreed to abide. But the High Court judge nevertheless imposed an injunction, pending a full trial.

Attorney Tom Ohta at British law firm Bristows told the BBC that the manner in which the researchers had obtained the cryptographic details has so far proved to be their legal undoing. "An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorized website," he said. "This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."

Despite that setback, this is far from the first time that computer scientists have set their sights on hacking car systems and detailing related flaws in a research paper. In 2010, for example, a team from Rutgers University demonstrated how tire pressure sensors in some cars could be remotely spoofed.

That research was followed by work from a group of Swiss scientists, who successfully deactivated car immobilizers, unlocked doors and started engines by using wireless repeaters to amplify a wireless key fob's signal from a target's home to their car.