In the news:
A British-based computer scientist has been banned from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis as it could lead to the theft of millions of vehicles, a judge has ruled…
The scientists wanted to publish their paper at the well-respected Usenix Security Symposium in Washington DC in August, but the court has imposed an interim injunction. Volkswagen had asked the scientists to publish a redacted version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the codes, but they declined…
[The scienteists] argued that “the public have a right to see weaknesses in security on which they rely exposed”. Otherwise, the “industry and criminals know security is weak but the public do not”.
I’m no crypto expert, but my understanding of this is that:
a) This is really embarrassing for VW. Good cryptography doesn’t depend on people not knowing what your algorithm is, because if you can figure out how to make it, hackers are at least as smart as you are and can figure out how to unmake it. Good security, like the kind they have on credit cards, lets you tell everyone what your code is, and still nobody can break it in any reasonable amount of time without knowing what your key (password) is. It is a terrible idea to use a proprietary algorithm that will unlock all the doors you have made once someone reverse engineers it.
b) A temporary injunction on publishing the exact code is the right thing to do. Normally I would hate the idea of suppressing scientific publication, but the cat is out of the bag now that these codes can be broken, which means that it is only a matter of time before it’s open season on pinching fancy cars. It will presumably take VW some time to upgrade the security on this many existing customer’s cars.
For sure, rich people don’t make for the most sympathetic of victims here, nor are the insurance co’s, who would actually end up paying for the replacements, nor even VW (on whom lawsuits would inevitably try to pin the losses), but the main beneficiaries of a windfall of stolen luxury cars would likely be organized crime. Giving them such a large windfall of wealth is a not a great thing for society in general. That makes it worthwhile to delay publication of the exact details for cracking the algorithm. We know the locks are vulnerable, but lets give owners a fighting chance to replace them before we hand a master key to the local Mafia.