In the US, Research on Vehicle Security Published; For the UK, Similar Research Suppressed

Photo credit: Igor Sokolov (breeze)/Shutterstock.com

In the US, security researchers Charlie Miller and Chris Valasek will deliver the results of their research at Defcon this week in Las Vegas. They will demonstrate how a laptop can be used to take over the functionality of a vehicle's electronic control units (ECUs). In modern cars, ECUs control most aspects of the cars' functionality, including braking, accelerating and steering. The cars tested were a Ford Escape and a Toyota Prius.

By connecting the laptop to the ECUs, the 'hackers' are able to take over control from the driver. "At the moment there are people who are in the know, there are nay-sayers who don't believe it's important, and there are others saying it's common knowledge but right now there's not much data out there," said Miller to the BBC.

A spokesman for Toyota told the BBC that since the laptop had to be connected to the ECUs, he did not consider it to be 'hacking.' "Altered control can only be made when the device is connected. After it is disconnected the car functions normally," he said.

Contrast this, however, with the separate work by Flavio Garcia, a lecturer in computer science at the UK's University of Birmingham. Together with two colleagues from the Dutch Stichting Katholieke Universiteit, he intended to publish a paper, "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser," at the Usenix Security Symposium in August. But a UK judge has now granted an injunction requested by Volkswagen suppressing its publication.

Megamos Crypto is the algorithm used to encrypt the codes sent between the vehicle's physical key and the vehicle itself. According to a report in The Guardian, Volkswagen complained that publication "could allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car." The cars in question include luxury models from Porsche, Audi, Bentley and Lamborghini.

Mr Justice Birss of the UK's High Court agreed. While he accepted the importance of academics' right to publish, he said that in this instance it would mean "that car crime will be facilitated."

Volkswagen offered to allow Garcia and his colleagues to publish a redacted version. They declined. According to The Guardian, "They argued that 'the public have a right to see weaknesses in security on which they rely exposed.' Otherwise, the 'industry and criminals know security is weak but the public do not.'"
