Two years ago, a trio of researchers were preparing to present the findings of their investigation into the security of car immobilisers used by luxury cars.
The way these devices are supposed to work is like this:
You sit in your car, and push the “Start” button. The engine should remain immobilised, and refuse to start, unless a cryptographic algorithm on the key’s RFID transponder correctly verifies the identity of the key being used to start the motor.
If you don’t have the right key on you, the car should refuse to start. The car thief, hopefully, walks away in frustration.
The researchers, a lecturer in Computer Science at the University of Birmingham in the UK, and two colleagues from the Radboud University in the Netherlands, found a problem with the Megamos Crypto system used on some cars, and believed that the public had a right to know about the security weakness.
The research paper, planned for presentation at the USENIX Security Symposium in August 2013, would describe both the algorithm and the weakness within it.
However, their hopes of making the flaws public were dashed by the UK’s High Court of Justice, who ordered that the talk should not be presented and that key parts of their research must not be published.
The court’s concern was that the research by Flavio Garcia, Baris Ege and Roel Verdult would mean “that car crime would be facilitated”, as criminals could exploit the security weakness to steal expensive cars such as Audis, Bentleys, Porsches, and Lamborghinis.
And who had asked the court to silence the researchers? Car manufacturing giant Volkswagen and French defence group Thales.
Now, in August 2015, the researchers' paper is finally being presented at the USENIX security conference in Washington DC, two years later than originally planned, detailing how the Megamos Crypto system – an RFID transponder that uses a Thales-developed algorithm to verify the identity of the ignition key being used to start the car's motor – can be subverted.
Via Frederic GOUTH, Thierry Evangelista