Tuesday, October 15, 2013

A Blow To Computer Security Research

Early this summer, a British court in London ordered computer security researchers to withdraw their scientific paper "Dismantling Megamos Security: Wirelessly Lockpicking a Vehicle Immobilizer," which was to be presented at the 22nd USENIX Security Symposium in August in Washington D.C.

The work presented in the paper was carried out in the Digital Security research group of professor Bart Jacobs at Radboud University Nijmegen (Netherlands). In 2012, Flavio Garcia, Roel Verdult and Baris Ege, the three authors of the paper, discovered a serious weakness in the algorithm of a cryptography-based car immobilizer (an electronic security device that prevents the engine from running unless the correct key or token is presented) known under the name "Megamos Crypto." The research paper describes both the algorithm and the weakness within it.

The algorithm was created in the mid-1990s by Thales, a French multinational that designs and produces electrical systems. Thales licensed the algorithm to the Swiss firm EM Microelectronic to build it into a microprocessor. EM sold the microprocessor to Troy, MI-based Delphi Automotive, and Delphi manufactured and sold a complete immobilizer to the German car company Volkswagen, as well as to many other car manufacturers. Volkswagen says it has installed the immobilizer in millions of cars, particularly in vehicles in Volkswagen’s luxury car brands, including Porsche, Audi, Bentley, and Lamborghini.

Read the rest of my article on the website of the ACM (Association for Computing Machinery)

London verdict in the ‘Megamos Crypto’ case:
Video of the presentation by Roel Verdult at USENIX Security 2013:
Detailed analysis of the English High Court judgement in the ‘Megamos Crypto’ case by Robert Carolina and Kenneth Paterson:
Volkswagen Code of Conduct: