British boffin muzzled after cracking car codes

Here is a tale of two security research presentations, both looking at motor vehicle security in a world in which even the humblest shopping trolley now has more brainpower than a moonshot. Flavio Garcia, a University of Birmingham lecturer familiar with insecurity in car systems – here, for example, is a paper he co-authored …

COMMENTS

  1. Cliff

    security through obscurity

    If an academic paper isn't published then those bad guys will never work out how to start the car, right?

    This kind of head in the sand attitude causes problems. Instead of gagging people, get them working on the next generation of solutions!

    1. Shannon Jacobs
      Holmes

      Murder through obscurity

      No, it's much worse than that. How do you think Michael Hastings was murdered?

      Hint: Basically a two-part hack. (1) Disable brakes. (2) Initiate maximum acceleration.

      1. Matt Bryant Silver badge
        Facepalm

        Re: Murder through obscurity

        ".....How do you think Michael Hastings was murdered?....." Yeah, 'cos all those eye-witness reports of Hastings driving way too fast and out-of-control also speak of a CIA guy hanging off the open bonnet with a laptop plugged into the Mercedes' diagnostics port. Not.

        1. Destroy All Monsters Silver badge
          Holmes

          Matt in: "Hastings alive minutes before he died!"

          Matt, you need to work on your logic.

          > Hastings driving way too fast and out-of-control

          Yes. That's more or less the point, see? Stay with us here, this is not Sun's ZFS that fires up your hindbrain into a dissing fit.

          http://whowhatwhy.com/2013/07/14/the-michael-hastings-wreck-video-evidence-offers-a-few-clues/

          The only reasonable explanation is suicide. Possible if he was depressed. But in these times, one may be on a disposition matrix presto, so...

          “I’ve seen military vehicles explode, but never quite like that. Look, here’s a reporter who brought down a general. He’s sending out emails saying he’s being watched. It’s four in the morning and his car explodes? Come on, you have to be naïve not to at least consider it wasn’t an accident.”

          1. Matt Bryant Silver badge
            FAIL

            Re: Destroyed All Braincells Re: Matt in: "Hastings alive minutes before he died!"

            "Matt, you need to work on your logic....." My logic is simple - look at the available evidence before leaping to unsupported allegations. You seem to just like leaping a lot.

            "......Yes. That's more or a less the point, see?....." No, it is a direct observation of the witnesses - he was driving too fast. He was not driving too fast with the windows down screaming for help, he was not trying to call anyone to say his car had gone nuts, he was simply driving too fast for quite a period before he crashed.

            "......“I’ve seen military vehicles explode, but never quite like that......" Which is typical conspiracy junkie bleating from wannabe Terry Hopkins. Apart from the differences in design between military vehicles and the average Mercedes, military vehicles blow up usually due to explosions blowing them up. And then we have to ask was Terry Hopkins actually anywhere near the accident and actually witness to the "explosion"? No, he was not. Does he have any engineering training, any training in crash investigation, or even any training as a fireman dealing with car accidents? No, he does not. He's just another "expert" feeding the conspiracy junkies what they want to hear.

            And then look at the scene, North Highland Avenue - a flat and straight four-lane highway with a few palm trees off on the verge. Not exactly the first choice for a cyberhacking "accident", it would seem to require a lot of skill to somehow make the Mercedes swerve off at exactly the right spot in exactly the right way to hit a tree, otherwise all they would have done was possibly give Hastings a scraped nose from the airbag. No, if you wanted to be sure, you'd wait until you had the chance to accelerate him to at least 60mph and into a wall head-on. Plenty of chances for that in the city. Or wait until he was out of the city and on a road with a drop to the side, then make his car speed out over the edge. Much surer than chancing a hit with a palm tree. Oh sorry - much surer if you think LOGICALLY.

        2. Anonymous Coward
          Anonymous Coward

          Re: Murder through obscurity

          Cars have bluetooth and cell phone control now. You can send a signal to start your car up remotely from your phone with some models.

      2. Anonymous Coward
        Anonymous Coward

        @ Shannon

        Strangely it isn't normally in the specifications that the software supports a "disable brakes" instruction.

        In fact the inclusion of such would be an automatic fail to meet EU safety standards, which also mandate that there is a mechanical link in both the steering and braking systems of road vehicles.

        Further, for larger vehicles such as buses and trucks, they must be fitted with fail-safe braking systems. This means exactly what the name suggests: when they fail, they fail to a safe condition, i.e. brakes applied.

        Maybe you should not bother commenting on topics that you don't know the first thing about?

        1. Pookietoo
          FAIL

          Re: it isn't normally in the specifications ... a "disable brakes" instruction

          How do you think ABS works?

    2. Anonymous Coward
      WTF?

      Re: security through obscurity

      So you don't think it is irresponsible and pouring petrol on the flames by publicly revealing to all and sundry the details of how to hack into a VW? Incredible what the world has come to.

      Any responsible person, academic or otherwise, would simply have gone to VW and perhaps other car manufacturers and told them there is a very significant issue which they need to deal with, helped them, etc, all quietly and responsibly.

      Instead this is purely about ego, and that's par for course in this age of Twatter, Farcebook and other egosh!te.

      1. lglethal Silver badge
        FAIL

        Re: security through obscurity

        You're making a rather large assumption that he didn't go to VW and Megros first.

        It is entirely possible (and I would think probable) that he contacted Megros and VW and told them of their gaping security holes, and instead of working with him to come up with a fix, they ignored him and buried their heads in the sand. Only now that he was planning to reveal to the world their incompetence, are they reacting. And reacting badly.

        And by the way, I haven't heard anything out of Megros or VW to say that they are going to do anything about their gaping security holes. Have you?

        1. Anonymous Coward
          Anonymous Coward

          Re: security through obscurity

          In all fairness to the original poster, you're talking about not making assumptions and then making several yourself.

          I am all for these things being shared with the companies so they can work together and resolve it. Releasing it publicly however inevitably will hurt the end user too, not just the company. The company I have no issues with, they designed it and made their choices. Some poor person having their car nicked because of publicity hungry willy wavers and tight lipped car companies, not really on.

          Hopefully the publicity revealing there is a weakness will be enough to poke the car companies into action and ultimately the end user hopefully won't be affected anytime soon.

      2. John Smith 19 Gold badge
        FAIL

        @Frank 14

        "Any responsible person, academic or otherwise, would simply have gone to VW and perhaps other car manufacturers and told them there is a very significant issue which they need to deal with, helped them, etc, all quietly and responsibly."

        I would presume so too.

        And they "quietly and responsibly" got a gag order for him.

        Large bureaucracy behavior: 1) Deny there is a problem 2) Attempt to suppress all knowledge of problem 3) Admit there is a slight problem but it's a) very difficult to exploit and b) is an inconvenience 4) Issue an upgrade 5) State that "Our processes worked as planned and our customers are fully protected"

        Then do it all over again when the next hole is found.

        Fail for your failure to understand large corporations and their love of security by obscurity (which this is an example of).

      3. Anonymous Coward
        FAIL

        Re: security through obscurity

        @Frank 14.

        From BBC News.

        "The researchers informed the chipmaker nine months before the intended publication - November 2012"

        .

        The humble pie is over there, go gorge on it.

    3. Anonymous Coward
      Anonymous Coward

      Re: security through obscurity

      This is the UK. Everything must be censored until the corporate overlords decide it should be paid for.

  2. jake Silver badge

    Now ask me why ...

    ... I refuse to drive these monstrosities. I am the driver, not the car. This kinda shit is only asking for trouble over the long haul.

    It's also why I restore & drive late 1960s & earlier automobiles and motorcycles ;-)

    1. enerider

      Re: Now ask me why ...

      I prefer the easier starting on cold mornings rather than endless amounts of cranking and then dumping half a can of "Start Ya Bastard" into the carb just to get something to happen in the cylinders.

      The late '80s ECUs were not all that intelligent, a prime example being the fuel injection system on the Suzuki Swift GTI which is affectionately known as having all the brains of "a retarded gopher".

      The inputs were: Mass Air Flow sensor (hotwire type), throttle position sensor, RPM.

      The sum total of its function? While the throttle was not heavily stomped on, the RPMs were below 4500, it would watch the resistance level of the hot wire to determine how much air the engine was inhaling and then fire alternate pairs of injectors - where it would just sip away at the fuel. If you booted the throttle it would open all the injectors to dump some more fuel in. If the RPMs went over 4500 with your foot down, then all injectors open and pour in the fuel! (with resulting throaty DOHC noises under the bonnet and a subsequent hoist in speed).

      My point is: refusing things that happen to have a small amount of circuitry in them to control some motor functions with a higher level of precision than what is capable mechanically because you're afraid you won't be in control seems a little extreme.

      I agree with not being in favour of systems that wrest control from the driver in circumstances where the car thinks "DANGER WILL ROBINSON!" and immediately activates (what it thinks) are life-saving manoeuvres. Thus why I liked the older Swift GTI: It was mechanical aside from the fuel system. No power steering, just rack and pinion. No ABS, you just had brakes that did their job unreservedly. Manual transmission (with a first gear to second gear step that was overly large by most accounts). It wasn't perfect by any stretch, but it was simple to fix when things broke as things tend to do when they get old and can't handle the (ab)use.

      1. jake Silver badge

        @enerider (was: Re: Now ask me why ...)

        "I prefer the easier starting on cold mornings rather than endless amounts of cranking"

        Mine start first crank, every time, regardless of weather. But then, I'm a wrench.

        " and then dumping half a can of "Start Ya Bastard" into the carb just to get something to happen in the cylinders."

        Diethyl ether eats rings, and is contraindicated. If you think you need it, either your vehicle or your starting procedure is b0rken. Badly. Fix it, before the problem gets worse.

        "the RPMs"

        That's "RPM". Unless you were measuring revolutions per minutes. And how many minutes was it, exactly? Pet peeve ...

        "Suzuki Swift GTI"

        No. Just no. The entire "Firefly", "Metro" et alia were atrocious.

        "My point is: refusing things that happen to have a small amount of circuitry in them to control some motor functions with a higher level of precision than what is capable mechanically because you're afraid you won't be in control seems a little extreme"

        My point is that I AM in control of the mechanical systems of my vehicles. And I intend to keep it that way.

        Kids these days ...

        1. BlinkenLights
          WTF?

          Re: @enerider (was: Now ask me why ...)

          I've got some tinfoil hats you might like to buy...

        2. enerider

          Re: @enerider (was: Now ask me why ...)

          "Mine start first crank, every time, regardless of weather. But then, I'm a wrench."

          My cars start first crank every time, unless the Mrs accidentally leaves the inside light on in the car all night and the battery has gone dead. Being mechanically able or not has little bearing on this. Mechanical ability comes into play when things *don't* work first time - which is the point where you fix it yourself or someone you know who knows how to fix it gets involved.

          The hard starting scenario I was painting is a classic example when it is somewhere below zero, and the dual carbs have decided that they'd rather not haul in fuel just now, which was the case for a friend's TE71 Corolla using the 2T DOHC. This issue was solved when the carbs were hauled out and heaved into the abyss and replaced with fuel injection, which also provided a performance boost into the bargain. (The 2T then achieving the designation 2T-GEU in Toyota parlance).

          The "Start Ya Bastard" part of that was a prime example of when attempting to start the lawnmower after the 50th pull and getting nowhere fast, as many lawnmower owners will attest to, especially when you've got better things to do than take apart the lawnmower to figure out what isn't working.

          I get the "RPM" versus "RPMs" nitpick, but you got exactly what I meant, right?

          Somehow you seem to think the circuitry in the ECU is going to decide that it won't take commands from you anymore and go on holiday without warning. Don't like what the electronic box of tricks from the manufacturer is doing? Then haul it out and find yourself a Megasquirt or other replacement EFI option.

          They are out there, and will happily take commands and adjustments from you to the letter. You can even adjust the figures and fine-tune it while driving! (by having someone in the passenger seat performing the adjustment via the serial cable, or having someone you know drive the vehicle while you perform the adjustments.) You can't do this with a carb. (unless you've got some manual knobs and switches to perform tiny adjustments from the driver's seat)

          "No. Just no. The entire "Firefly", "Metro" et alia were atrocious."

          Oh good. Clearly they're too reliable / cheap to fix / cheap to run / simple as a bag of spanners for you.

          The Swift GTI was a good little pocket rocket and is still used in various levels of motorsport internationally including rallying, and is often used by racers who motorsport on a shoestring budget. The engines are not huge or heavy, and are not complicated to take apart and put together with the inside parts being clearly labelled as to what direction and order to assemble them in (which made learning how engines work a whole lot easier).

          "My point is that I AM in control of the mechanical systems of my vehicles. And I intend to keep it that way."

          As has been probably pointed out to you before I did, you can always haul out the manufacturer-provided options for one of your own that you can control to your heart's content. The circuitry is no more self-aware than a lightswitch is. The ECU will do stupid shit if it is told to do stupid shit. Tune a carb wrong and it won't work correctly and there is no difference in this regard with an ECU - the difference is simply in the "how" you tune it. The ECU can be as "stupid" or as "smart" as you wish it to be. Avoiding ECUs altogether just appears to be the result of some irrational fear of circuit boards.

          1. Matt Bryant Silver badge
            Go

            Re: enerider Re: @enerider (was: Now ask me why ...)

            ".....As has been probably pointed out to you before I did, you can always haul out the manufacturer-provided options for one of your own that you can control to your hearts' content....." I had a petrolhead mate a few years back that used to do a nice sideline in "backdating" cars for students and the like that couldn't afford to keep buying replacement parts. He used to do things like taking out electric window mechs and replacing them with hand winders from the scrapyard, the winders lasting indefinitely whereas electric mechs would be problematic on the old cars students could afford. As a grad, one of the reasons I had an old Mini long after I could afford a "better" car was because there really was very little that could go wrong on a Mini, and very little I couldn't fix myself (I've even swapped the engine out of one in a friend's garage without any specialist tools).

            1. enerider
              Happy

              Re: enerider @enerider (was: Now ask me why ...)

              A good idea that too - which is why I enjoyed owning a Swift GTI or two as the only computer onboard was there for the fuel injection and nothing more! (which made diagnosis a relatively straightforward process as well)

              Everything else was manual, mechanical, and therefore easy enough to fix myself - a big plus when you were a student living on whatever the fast food job could provide.

    2. Anonymous Coward
      Anonymous Coward

      Re: Now ask me why ...

      "It's also why I restore & drive late 1960s & earlier automobiles and motorcycles"

      It's reasonable to drive late '60s vehicles because you enjoy them - but driving late '60s cars rather than modern ones because you feel there's a safety risk in someone surreptitiously applying nefarious blackhat tech in order to crash your car (or a safety risk in an obscure bug causing your vehicle to veer off a cliff) suggests either a profound lack of knowledge regarding progress in vehicle design, a fundamental misunderstanding of statistics, or both.

      1. jake Silver badge

        @David W. (was: Re: Now ask me why ...)

        In 2010, my network could talk to my neighbor's SYNC equipped Ford.

        Funny thing is I wasn't even trying ...

        The only question I have is why the fuck do people feel the need for this kind of shit in cars, for fsck's sake? 24/7 real-time connectivity isn't really useful, unless you're so insecure that you need constant ego-stroking ... in which case, seek help.

        We've all gone mad. Mad, I tell you ...

        By way of reference, see:

        http://forums.theregister.co.uk/forum/containing/716293

        1. Anonymous Coward
          Anonymous Coward

          Re: @David W. (was: Now ask me why ...) @jake 04:34

          Seems to me that the biggest case of ego stroking here is you making all your posts an excuse to tell us how great you are. Not sure whether to classify it as narcissism or hubris, but you're the one that needs help, grandpa. The grandpa bit, of course, assuming that your claims of your age are true. Not that we have any evidence for your veracity in anything you say. Or the means to even do a quick lookup of anything, given your choice of a nickname which might as well be anonymous.

          1. jake Silver badge

            @AC 07:43 (was: Re: @David W. (was: Now ask me why ...)

            I'm sharing life experience.

            Yourself? Maybe not so much.

            1. mad_dr
              Happy

              Re: @AC 07:43 (was: @David W. (was: Now ask me why ...)

              @ David W

              Assuming you're referring to Jake's previous posts, why would you have ANY reason to doubt that he's a wealthy, horse-ranching, aircraft-owning, world-travelling, real-bullet-shooting, racecar-driving, lock-smithing, internet-building, arctic-survival-trained, yoof-camp-running, multiple-doctorate-holding, Stanford-MBA-achieving, data-center-building, 60's car-restoring, cider-making, network-security-expert?

              Just because he appears to have done more stuff than Kim Jong Il, doesn't mean he's making it up! I'm amazed though, that he finds time to post here with all that going on! :)

              1. Anonymous Coward
                Anonymous Coward

                Re: @AC 07:43 (was: @David W. (was: Now ask me why ...)

                You missed out:

                Dog breeding (Sighthounds)

                Farming; both arable and pastoral

                Cooking

                1. John Smith 19 Gold badge
                  Happy

                  Re: @AC 07:43 (was: @David W. (was: Now ask me why ...)

                  You missed out:

                  And has never seen porn on the 'net.

                  1. Solmyr ibn Wali Barad

                    Re: porn

                    Actually, that's somewhat plausible when you're dealing with geeks.

                    So quoth ESR:

                    "interest in spectator sports is low to non-existent; sports are something one does, not something one watches on TV."

                    http://www.catb.org/jargon/html/physical.html

        2. rh587 Silver badge

          Re: @David W. (was: Now ask me why ...)

          In Canada there's a very good reason - getting the vehicle pre-heated in winter without leaving the keys in the ignition being one. Remote start from your phone whilst leaving the doors locked and transmission locked off is in principle an extremely useful idea. Of course systems exist that allow you to start the car and remove the key, which immobilises the transmission (such as the Police use so they can leave the engines running to drive the lights/radios/on board computers without any risk of some oik jumping in and going for a joyride), but that involves actually going outside, coming back in, changing your footwear so you don't track snow back inside, etc.

          Of course if the system then refuses to put it in gear even after you've got in and inserted the key then you're stumped, but no more so than if your car gets nicked off the drive because you've left it idling to warm up, or if your engine block freezes - let's have no rose-tinted views of what getting cars going in the old days was like!

          Syncing with iTunes in the house is a decidedly less practical/time-saving use however, and you'd want all the entertainment to be completely separated from actual driving sub-systems. It's not good if the entertainment system becomes a vulnerable gateway into more critical systems...

    3. Amorous Cowherder
      Facepalm

      Re: Now ask me why ...

      I love you people, "Things were better in the old days! Today's music/cars/films/chocolate/children/books are smaller, worse, never work and are full of poodle urine!".

      Sorry but given the huge advances in vehicle safety, time-saving gadgets and incredible engine efficiency in the last 45 years I'll stick with my 4 year old Honda CRV and swap it for something new in a few years time. It may have a computer on board that's possibly more powerful than the first PC I owned and my car would be dead in the water if it goes wrong. However all those amazing advancements are probably the reason I was able to simply get out of my car about 2 seconds after some twat smacked into it at 30mph, without any ill effects and also allowed me to turn the air blue for 15 seconds having a go at the other driver!

    4. Anonymous Coward
      Anonymous Coward

      Rise of the Neo-Luddites

      My car needs more manual hand cranking than your car

    5. Anonymous Coward
      Anonymous Coward

      Re: Now ask me why ...

      Jake, if you refer to the heap of junk scrap metal that the US call cars, then feel free to restore them.

      The rest of the world moved on from live axles some time ago.

      BTW I built and owned a kit car using a tuned Ford Cortina lump, but even I used electronic ignition and a basic ECU to get over shitty points and damp start issues.

      Mine rarely started 1st time, but extreme tuned engines with twin 45's tend not to (car was producing double the bhp of the stock build), but without the ecu, I'd be lucky if it started 10th time.

  3. Anonymous Coward
    Anonymous Coward

    How to stop this happening again

    Just jail the directors of the companies who allow such security breaches. Perhaps they will start taking security seriously then.

    1. djack

      Re: How to stop this happening again

      I almost agree. However, it is unreasonable to prosecute just for the presence of security issues. In such an environment, no one could risk producing anything. We have to accept that imperfections are inevitable in any nontrivial system. It is especially unfair when systems use third party components.

      Where I would support jail is for failure to react to the discovery of issues in a professional and timely manner.

      1. An0n C0w4rd

        Re: How to stop this happening again

        @djack

        I agree, partly. My caveat is around the "it's secret, therefore it must be secure" mindset some companies have. Mifare comes to mind as one example.

        Publish the crypto algorithms and code for 3rd party scrutiny, or face the possibility of crippling jail and/or fines. Don't have to open source them for world+dog to use, but for $DEITY's sake get some people who know what they're doing to validate that you're not a complete muppet.

        If your device or application is used often enough or in high value target, bad people will find out exactly how sh*t your security is, and possibly before the good people.

        IMHO if you insist that your security is "good enough" and don't take steps to validate this, then you deserve everything you get.

    2. Keith_C
      Joke

      Re: How to stop this happening again

      Seems reasonable to me.

      We could even take it further - if you were to be burgled then we should throw you in jail, not the thief, as clearly you didn't take security seriously enough. It's a flawless plan: deter people from owning anything in case it is stolen and theft will automatically drop to zero!

    3. Tom 13

      Re: How to stop this happening again

      Actually I'd opt for making them reimburse the owners of stolen vehicles for losses from their own pockets. That'll get their attention real fast. Doesn't need the reasonable response time loophole either.

  4. Anonymous Coward
    Anonymous Coward

    I actually doubt it's head in the sand situation for VW; it's probably more like they haven't a bloody clue how to fix the problem, and even if they did, they haven't a clue how to (a) spin it to their advantage, and/or (b) issue a recall without breaking the bank.

    So, in the final analysis, this one would appear to be all about PR and money.

    Sad, but not much of a surprise, really.

    1. Philip Lewis
      Headmaster

      I remember many years ago reading how a car manufacturer, upon discovering a potentially fatal flaw in a component, simply calculated the cost of law suits, dead bodies and bad press expected over the life of the vehicles with the flaw versus the cost of a recall, and concluded it was cheaper to let a few customers expire than fix it.

      Big numbers, actuaries and bean counters.

      1. Arthur 1

        "I remember many years ago reading how a car manufacturer, upon discovering a potentially fatal flaw in a component, simply calculated the cost of law suits, dead bodies and bad press expected over the life of the vehicles with the flaw versus the cost of a recall, and concluded it was cheaper to let a few customers expire than fix it."

        Probably happened more than once, but was famously exposed in the Ford Pinto case. What they didn't calculate in was the cost of people finding out they had done the calculation and getting abused for it. I believe nowadays fines are set up to make this choice uneconomical in any case.

        It's also worth noting that the famous Ford Pinto Memo didn't actually say exactly that, and may not have even been about the Pinto specifically, but rather was a particularly callous cost-benefit submitted to a government regulator. Still, not a shining moment for Ford.

        1. Anonymous Coward
          Anonymous Coward

          "Probably happened more than once, but was famously exposed in the Ford Pinto case. What they didn't calculate in was the cost of people finding out they had done the calculation and getting abused for it"

          The document in question wasn't an internal memo, it was a document submitted to the National Highway Traffic Safety Administration (NHTSA). At the time the document was drawn up and submitted to the NHTSA Ford were already recalling Pintos to improve the cushioning of the fuel tanks.

      2. Anonymous Coward
        Anonymous Coward

        I remember that film. It's called "Class Action" and starred Gene Hackman and Mary Elizabeth Mastrantonio.

        1. Cliff

          I remember that film.

          >>I remember that film.

          More latterly, Fight Club gave it a nod.

      3. Velv

        Big numbers, actuaries and bean counters

        Balancing the costs of deaths against fixes happens every day, and not just in the car industry. The FAA and other world aviation bodies agree on the mandated fixes based on the cost to implement against the cost of a crash. Assume a $5 million payout to 200 passengers - does the fix cost more? It's not going to happen.

        Life is hard, and one way or another you ain't getting out alive

      4. John Smith 19 Gold badge
        Unhappy

        "I remember many years ago reading how a car manufacturer, upon discovering a potentially fatal flaw in a component, simply calculated the cost of law suits, dead bodies and bad press expected over the life of the vehicles with the flaw versus the cost of a recall, and concluded it was cheaper to let a few customers expire than fix it."

        I'm sure this could be several incidents but the one that comes to mind was the Ford Pinto. The fix cost $55 a car and the bean counters looked at likely frequency and said let them burn.

        They did.

        Until a child of about 11 or 12 survived the fuel tank explosion and the 3rd degree burns. The jury awarded punitive damages for knowing it could happen and playing roulette with their customers' lives and bodies.

      5. ShrekD'Ogre

        The Ford Pinto

    2. Captain DaFt

      " I actually doubt it's head in the sand situation for VW; it's probably more like they haven't a bloody clue how to fix the problem, and even if they did, they haven't a clue how to (a) spin it to their advantage, and/or (b) issue a recall without breaking the bank. "

      So just normal ' head up their arse' business management then.

    3. Tom 13

      re: haven't a bloody clue how to fix

      You're probably right. But since it's observationally no different than "head in the sand" and "head in the sand" is quicker to type, I think we should stick with that for ease of use purposes.

  5. Anonymous Coward
    Anonymous Coward

    There's not much left anymore.

    They monitor everything you do on the internet, and censor what you're allowed to see. They capture everything you say on your mobile, and process it for keywords. They know everyone you have called. They monitor your movements with automated camera systems, and store the data for future use against you.

    They tell you what you can do where, what you should and shouldn't do. What you should and shouldn't eat, drink, smoke. They keep trying to introduce rules about what they'll do for you (or won't do) if you don't comply with their 'recommendations'.

    This controlling things some people dislike, has become so popular even the private groups have started to get in on the act, they're going to censor what you can see on shop shelves now.

    So no one should be surprised that academic research can be censored to suit private interests... it's only one more small freedom the people of Britain no longer have...

    The only amusing aspect is that they all believe they can pass negative comments about countries like Russia, and China, whilst they oversee the conversion of their own country to something which resembles East Berlin of the early 1980s.

    1. Anonymous Coward
      Anonymous Coward

      Yes, good old George O. was right all along and Mr. C is doing his best to keep the ball rolling in the desired direction.

      1. Steve Davies 3 Silver badge
        Coat

        You mean George Osborne?

        Ok, I'm out of here....

    2. Anonymous Coward
      Anonymous Coward

      Don't forget think! They're telling us what we may and may not think, too.

      Having to live in the UK is making me very suicidal at the moment.

    3. Anonymous Coward
      Thumb Up

      Have A Virtual One On Me

      Well said and right on the nail.

  6. Don Jefe

    Presentation

    I don't quite understand. Was the plan to publish the paper at the conference or was it just going to be a presentation of findings in the paper?

    1. Tom 13

      Re: Presentation

      IIRC the paper was to be published in parallel with the conference presentation. Last I checked both were prevented by the temporary restraining order.

  7. Chairo

    News?

    "connect a laptop to the diagnostic ports of a Prius and a Ford Escape, and from there, show that the laptop can issue instructions to the vehicles' ECU (electronic control unit), including steering, acceleration, braking and the horn"

    Since when is this news? The diagnostics protocol is highly standardized. Everything is well documented. As for the active interventions, those are generally used by other controllers. Mainly the ESP. Tuners know this for ages. You can buy "Tuning" sets for the diagnostics port since quite a while. Basically all they do is check how much you accelerate and then tell the ECU to accelerate a bit more. So the driver feels the car is more responsive. Quite simple and quite dangerous - the ECU has a lot of fail-safe mechanisms built in to make sure it is not calculating bollocks. Same cannot be said about these "tuning kits".

    It could become critical, if someone would hook up the diagnostics bus to the Internet. But hey, why would anyone want to do something like that (/sarcasm/).

    1. Don Jefe

      Re: News?

      A lot of them also just lean the mixture out a lot for small performance gains. It's pants for the integrity of the valves/engine and gas mileage though.

      1. Chairo

        Re: News?

        "A lot of them also just lean the mixture out a lot for small performance gains"

        AFAIK those don't plug in the OBD connector, however. Usually they come as an ominous looking box, containing some simple electronics that is plugged in between the wiring harness and some sensor.

        Such a kit at least changes something in the engine behaviour. They usually also reduce the engine life by a huge margin, doing so.

        IMHO the ones working on the OBD interventions are the really dangerous ones, as far as unwanted acceleration, etc. goes.

    2. Frankee Llonnygog

      Re: News?

      "It could become critical, if someone would hook up the diagnostics bus to the Internet. But hey, why would anyone want to do something like that?"

      So you can have your car driven by the wisdom of crowds?

      1. FIA Silver badge

        Re: News?

        "So you can have your car driven by the wisdom of crowds?"

        Where do you want to go today?

    3. Anonymous Coward
      Anonymous Coward

      Re: News?

      You can do things like muck with fuel mix, but you can't start the car, rev, brake, steer, work the horn etc in any of the "tuning" situations you're referring to like ECU remaps and the dodgy resistor bypass jobbies.

      It's a very different beast to that.

  8. Jerry

    And the others

    In the search for a cheap replacement key for my car I've discovered that Philips ID46 chips can be easily cloned. This means effectively that the entire car immobiliser system can be compromised by possession of a legitimate transponder key for a couple of minutes.

    ID46 chips are used in the SMARTRA3 immobilisation system used in a wide variety of modern car immobilisers - including my Hyundai. Here is a video of a Chinese duplicator in operation cloning an ID46 chip

    http://www.youtube.com/watch?v=aQmXfR9Y_dI

  9. Trevor_Pott Gold badge

    You're all going to jail for discussing the Emperor's wardrobe choices.

    1. jake Silver badge

      @Trevor_Pott

      You think of yourself as judge & jury, Mr. Pott?

      Sad, that.

      1. frank ly

        Re: @Trevor_Pott

        Come on jake, even a grumpy old cynical git like me can see that Trevor was making a jokey comment with very pertinent undertones and relevance to the article. He gets an upvote from me. You get a request to be my mentor, so I can progress to the next level.

        1. jake Silver badge
          Pint

          @frank ly (was: Re: @Trevor_Pott)

          Trevor is a kid who hasn't quite grasped the big picture yet. He will. Even if he hates me for it.

          You want me as a mentor? You'll get bruised ... But have a homebrew :-)

          1. John Smith 19 Gold badge
            Meh

            Re: @frank ly (was: @Trevor_Pott)

            "Trevor is a kid who hasn't quite grasped the big picture yet. He will. Even if he hates me for it.

            You want me as a mentor? You'll get bruised ... But have a homebrew :-)"

            I must say you do have quite the way with words.

            Somehow your comments never disappoint.

      2. Daniel B.
        Alert

        Re: @Trevor_Pott

        Your sarcasm detector is broken or has run out of batteries. :)

  10. Kanhef

    A bit of a difference

    Garcia's work is about gaining access to a vehicle you otherwise can't get into, which usually means breaking into someone else's car. Miller and Valasek's work requires that you are already able to get into and start the vehicle; their paper doesn't tell you how to steal a car by itself, but Garcia's potentially does. That is why they're being treated differently, not the U.S. vs. U.K. legal jurisdiction.

    1. Frankee Llonnygog

      Re: A bit of a difference

      They're on our side. Time after time, an industry reckons they've developed uncrackable encryption and therefore any liability for breaches must be the customer's fault.

      Along comes some pesky mathematician or computer scientist to prove them wrong and the industry reaction is always to muzzle them.

      They never learn

      1. Tom 13

        Re: therefore any liability for breaches must be the customer's fault.

        I've weighed both sides of the full disclosure debate. On the basis of only the arguments surrounding the disclosure proper, time to fix, and time to implement, I'd be inclined to give the vendors the argument.

        HOWEVER, the truth of your statement about liability shifting means I can't just consider it on that basis. And given that additional truism, I have to come down on the side of the full disclosure advocates.

        1. Solmyr ibn Wali Barad

          Re: therefore any liability for breaches must be the customer's fault.

          Yes, liability shifts may be quite dangerous.

          Fine example of this is a German court deciding that WEP-encrypted network is a secure network, and therefore owner is liable for any crimes conducted on the network. And there's a mountain of evidence against WEP "security". With better crypto, paid experts and suppressed research it would be even harder to fend off such charges. Uphill both ways.

    2. Charlie Clark Silver badge

      Re: A bit of a difference

      Yep, though I think the judge is probably using the MPAA inspired legislation to take the correct legal decision. Of course, this kind of discovery cannot be kept under wraps for long but vehicle immobilisation technology has been one of the main factors in the significant reduction in car crime over the last decade.

  11. This post has been deleted by its author

  12. TeeCee Gold badge

    Unfixable.

    1) Build new car electronics, design in latest and greatest in electronic security.

    2) Add 10 years of computer and l33t d00d h4x0r sk1llz development.

    I'm pretty sure that anything being put together now with double-salted, 2048 bit encrypted bum-covering is going to look a lot like low-hanging fruit to a miscreant with a quantum computer come 2025....

  13. Anonymous Coward
    Anonymous Coward

    From an article I read elsewhere, it seems that VW were happy for him to present his findings on the insecurity, but that they did not want the actual keys published. Hence asking for a redacted version, which the researcher refused.

    Sounds sensible - give sufficient details of the problem to show the issue exists and how to fix it, but don't give the entire information which could immediately facilitate car theft.

  14. BornToWin

    This ain't rocket science

    There is no doubt that the more information that is disseminated on hacking, the worse the problem is going to get so I support the ban on this disclosure. Those who actually need to know this info. will be able to obtain it. There is no doubt that a number of white hats by day are black hats at night. Hopefully they burn in Hell for their crimes.

    1. Anonymous Coward
      FAIL

      Re: This ain't rocket science

      > Hopefully they burn in Hell for their crimes.

      Which crime is that? Stealing cars or possessing knowledge?

      More and more these days, it seems that people are talking about the latter.

      You'd do well in the middle ages, where they burned people and stripped off their skin for having the audacity to possess knowledge.

      These days, you can be jailed for:

      - looking at pictures

      - looking at documents

      - studying warfare

      - studying electronic objects

      - uttering words

      Pretty soon, it will be pretty much impossible to live life without breaking a few laws every day. Just the thing for keeping the populace under control.

      1. M Gale

        Re: This ain't rocket science

        "Pretty soon, it will be pretty much impossible to live life without breaking a few laws every day. Just the thing for keeping the populace under control."

        You mean it isn't that way already?

        1. Solmyr ibn Wali Barad

          Re: This ain't rocket science

          It is certainly going that way. Already killed one great civilization - Republic of Rome - and may kill again. Actually, there are other examples of societies, where everybody was assumed to be guilty of something, but this is never a good thing.

    2. hplasm
      FAIL

      Re: This ain't rocket science

      No Hell, no crimes, sorry.

      Not much Win either, yet again.

    3. John Smith 19 Gold badge
      FAIL

      Re: This ain't rocket science

      "Those who actually need to know this info. will be able to obtain it. T"

      They did not "obtain" it.

      It was given to them. They did nothing with it.

      "There is no doubt that a number of white hats by day are black hats at night. "

      And you know this because you've been reading their emails perhaps?

      Always good to hear the voice of reason from the Fort Meade sub basements. I feel so much safer now.

  15. M Gale

    A warning to future security researchers:

    Don't tell people what you're going to reveal, especially not people who would rather get an injunction out than fix the problem. Just publish the data and be done with it.

    1. Richard 12 Silver badge
      Facepalm

      Re: A warning to future security researchers:

      Indeed, and that's what scares me.

      It certainly appears that security researchers are better off if they sell their results to the highest bidder, instead of privately disclosing to the manufacturer, waiting several months then publishing.

      Which of those approaches is better for the consumer?

  16. Gwaptiva

    Probably a rhetorical question

    Considering this study wasn't a solo effort by Mr Garcia, but was co-executed/authored by a member of staff and a student of Nijmegen University in the Netherlands, what is to stop them publishing it in the Netherlands? Or did I miss the bit that says that the Dutch have to care about UK court rulings?

  17. Anonymous Coward
    Anonymous Coward

    Re. A warning to future security researchers

    This sort of approach will just make things worse.

    Imagine if instead of this being a relatively easy to fix car security bug it had been a serious design flaw in say the battery firmware of a commonly available laptop that caused the battery to overcharge and ignite?

    Publishing the "Incendiary 0day" would result in a catastrophe, and probably result in even more of a crackdown.

    Similarly, the existence of 0day flaws in SCADA systems is also known about and quietly patched, the few exceptions are well known such as the unfortunate *ran S*e*ens centrifuge controller incident.

    Should this sort of information be published it would certainly come under terrorism and generate a justified response against the !d!0ts responsible for causing a train overspeed and derailment etc.

    Sometimes it is better to tell people that a flaw exists, and it is being dealt with.

    Either someone will find it by brute force (I have two different ideas here) or the manufacturers will release a fix or workaround.

    1. Richard 12 Silver badge

      Re: Re. A warning to future security researchers

      He got the source code from an "unspecified online source" dated around 2009, then rapidly found several flaws in it.

      The judge took that to mean "must suppress for good of the people", which can only mean the judge isn't competent to rule on technical security matters and should be recused.

      The only thing that shouldn't be published is the key itself. The design of the lock for your house is public knowledge, how is that any different to the one on your car?

      Sorry to be so blunt, but the fact is, the cat was out of the bag years ago, and publishing why will only make future designs better and remind the likes of VW that security through obscurity is no security at all.

      I do wonder if VW car insurance premiums just went up because of their legal action?

    2. fajensen
      Flame

      Re: Re. A warning to future security researchers

      "This sort of approach will just make things worse."

      "Worse" depends rather a lot on one's situation; Sure, *maybe* some more cars will be nicked etc. until pressure rises from customers, insurance companies and (eventually) lawmakers that WW fix their crap.

      Later, maybe, fewer cars will be nicked etc. which supposedly is Better for society and Worse for WW shareholders who have to pay 0.03 EUR more to produce a car.

      In the meantime we get a peek at what facilities manufacturers "hand over" to the Three-Letter-Agencies and common crooks - which is also Good for us and Worse for them, I'd think. The point of the gag orders and the Secrecy Cloaked in Responsibility is NOT to "silently patch", since this did not happen! It must then be to preferably "Keep Online" the "Service", at the most change the access protocol, and carry right on as before.

      I think that: "Throw it on bit-torrent immediately, before THEY can stop it", must be the behaviour most beneficial to society at large. Sadly.

      1. Anonymous Coward
        Anonymous Coward

        The company is called Volkswagen.

        See title.

  18. Scott Pedigo
    Coat

    He's not allowed to spill the Beetle Juice.

  19. Dagg Silver badge
    Mushroom

    Another reason NOT to buy a Volkswagen

    With this and the complete lack of support from volkswagen with VWs just dying in Australia there is no way that I will ever go near a VW.

    1. tomban
      FAIL

      Re: Another reason NOT to buy a Volkswagen

      This affects VW (VAG group; VW, Audi, Skoda, Seat) and also Ford (Volvo), Fiat, Toyota and Honda etc...

  20. Anonymous Coward
    Anonymous Coward

    What would stop...

    ... someone attaching a mini wi-fi adapter (raspberry pi, etc) with serial port to the console and then following in a car behind?

    Actually, you could probably connect a 3G dongle and do it all from home..

    Did I say that out loud?... Is that a black helicopter I can see?!?!?

  21. Anonymous Coward
    Anonymous Coward

    Their way may be faster, but I can do it too.

    The researchers may have a faster way of accessing a VAG group car but simpler methods can achieve the same results. Audi's twinslot keys are vulnerable to decoding; see the video here for decoding and cutting a key in about 3 mins: https://www.youtube.com/watch?v=uEbcy-WDqW4

    Then as any fule, who has priced up a new 125KHz reader coil for an Audi because their immo has stopped working and seen the eyewatering pisstakingly expensive price for a replacement, will know you can patch the eeprom in the ecu to turn off the immo so it no longer cares about the chip in the key and just starts.

    Well it works on older Audis with crappy unreliable RFID coils at least :)

    So not entirely practical, but doable, make key on the fly and then pop the bonnet and swap to the Blue Peter style ECU you prepared earlier, ignition on for a few seconds then off (it seemed to need this to repair with the dash or something, I don't really know I never looked into it further once the car was fixed) then start the car and rejoice at one less bit of electronics to go wrong on your car.
