Researcher’s paper banned for containing luxury car security codes
STANDFIRST: High court imposes injunction on Flavio Garcia, who has cracked security system of cars including Porsches and Bentleys
A British-based computer scientist has been banned from publishing an academic paper revealing the secret codes used to start luxury cars including Porsches, Audis, Bentleys and Lamborghinis as it could lead to the theft of millions of vehicles.
The high court imposed an injunction on the University of Birmingham’s Flavio Garcia, a lecturer in computer science, who has cracked the security system by discovering the unique algorithm that allows the car to verify the identity of the ignition key.
The UK injunction is an interim step in a case launched by Volkswagen’s parent, which owns the four luxury marques, against Garcia and two other cryptography experts from a Dutch university.
It complained that the publication could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car”. The cars are protected by a system called Megamos Crypto, an algorithm which works out the codes that are sent between the key and the car.
The scientists wanted to publish their paper at the well-respected Usenix Security Symposium in Washington DC in August, but the court has imposed an interim injunction. Volkswagen had asked the scientists to publish a redacted version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser – without the codes, but they declined.
Volkswagen told the court that the technology they examined was used in a number of its vehicles and other mass market cars manufactured by itself and others.
Garcia and his colleagues from the Stichting Katholieke Universiteit, Baris Ege and Roel Verdult, said they were “responsible, legitimate academics doing responsible, legitimate academic work” and their aim was to improve security for everyone, not to give criminals a helping hand at hacking into high-end cars that can cost their owners £250,000.
They argued that “the public have a right to see weaknesses in security on which they rely exposed”. Otherwise, the “industry and criminals know security is weak but the public do not”.
It emerged in court that their complex mathematical investigation examined the software behind the code. It has been available on the internet since 2009.
The scientists said it had probably used a technique called “chip slicing” which involves analysing a chip under a microscope and taking it to pieces and inferring the algorithm from the arrangement of the microscopic transistors on the chip itself – a process that costs around £50,000. The judgment was handed down three weeks ago without attracting any publicity, but has now become part of a wider discussion about car manufacturers’ responsibilities relating to car security.
The scientists said they examined security on everything from Oyster cards to cars to enable manufacturers to identify weaknesses and improve on them.
Finding in Volkswagen’s favour, Mr Justice Birss said he recognised the importance of the right for academics to publish, but it would mean “that car crime will be facilitated”. A Volkswagen spokesman declined to comment on the interim injunction.
[Image: “Portrait Of Happy Couple Sitting In Convertible Car With Man Showing Keys” via Shutterstock]