My former PhD student Flavio Garcia, and my colleagues Roel Verdult and Baris Ege at the Radboud University have been banned from publishing their research on the insecurity of the Megamos Vehicle Immobiliser. Volkswagen, who owns some of the car brands that use Megamos immobilisers and that are affected by this research, filed the request. Our university is appealing the injunction imposed by a UK high court.
This is an important case. It's a fight for academic freedom, and against security by obscurity.
Years ago, we were involved in a similar fight. After showing that the Mifare Classic used a very insecure cryptographic algorithm that could be broken in seconds, NXP (the company manufacturing the Mifare chips) tried to stop us from publishing our results as well. Luckily, the Dutch judge had more sense than the English judge. In his ruling he stated that (my loose translation)
In so far as damages are concerned, these contribute little in the weighing of the interests, because the chance of damage occurring is caused by the production and use of chips with intrinsic weaknesses, which is the sole responsibility of NXP and not of the Radboud University who merely revealed the existence of these weaknesses.
Volkswagen is now trying to do the same, and has succeeded in its first step. I am happy to see my university fight this decision, and take a stand for academic freedom. This is a brave attempt, and a bit like David against Goliath, if we compare the legal and financial resources of both parties.… Which is I guess one of the reasons why Volkswagen brought the case to a UK court.
Volkswagen's actions do nothing to increase the security of car owners that currently own a car with the insecure immobiliser. The weakness is there, ready for anyone to exploit. Note that (according to the Guardian) the software of the immobiliser has been available on the Internet since 2009. Anybody else can scrutinise this code and find the same flaws my colleagues have found. Who knows, maybe someone already did, and was smart enough not to tell anybody... Volkswagen's actions actually decrease the security of individual car owners: instead of publicly informing them of the problem, and fixing the problem as soon as possible, they leave them unaware of the problem (and thus give them no chance to fix their very real security problem).
According to Kerckhoffs' principle
The design of a system should not require secrecy and compromise of the system should not inconvenience the correspondents.
Kerckhoffs (while investigating military security in the 19th century) realised that any means of communication could fall in the hands of the enemy and could subsequently be investigated and broken. In other words: no security by obscurity. Design your system in the open, and only rely on the secrecy of the key material for the security of the overall system.
I sincerely hope that the ruling gets overturned. Not purely for the sake of my colleagues (although I off course would love them to be able to publish their nice results), but rather for the sake of our society at large. Large companies should not be allowed to hush up when they screw up. With our increasing reliance on internet and computer technology, their security is a concern of us all, and we should be well informed about it.
Have you thought about starting a campaign to get members of the public to demand Volkswagon to disclose the security flaw in the immobiliser?
Not yet. What would be a good way to start such a campaign successfully?
Possibly posting on facebook on a few car related threads. Maybe BBCs TopGear would be interested too.