
(Guardian)   Computer lecturer banned from revealing a secret algorithm that can turn any Lamborghini, Bentley or Porsche into Herbie. There goes the science (Not safe for work images in sidebar)   (guardian.co.uk)
    More: Obvious, algorithms, subscribers, luxury cars, University of Birmingham, computing  

7632 clicks; posted to Geek » on 29 Jul 2013 at 1:13 PM (37 weeks ago)



 
2013-07-29 12:02:04 PM
i.cdn.turner.com

HERBIE IS MAGIC, ASSHOLE!
 
2013-07-29 12:04:42 PM
Well it's a good thing they banned the paper, now there is no way nefarious individuals will get their hands on it and the car companies can continue business as usual.
 
2013-07-29 12:27:24 PM
I'm all for open research and freedom and all that, but couldn't the dudes just black out the code in the paper until a fix can be put in? Maybe a fix isn't even possible, I don't know. That would be one hell of a recall.
 
2013-07-29 12:40:48 PM
In America, they could publish it without (much) fear.   Crime Facilitating Speech is mostly legal in the US.  First Amendment, and all that.
 
2013-07-29 12:43:40 PM
*adjusts foil fedora*
Does it work on Mercedes too?
 
2013-07-29 12:53:17 PM
Obscurity is the new security
 
2013-07-29 12:54:10 PM
COOTYS RAT SEMEN
 
2013-07-29 01:20:03 PM
Thanks for the NSFW picture on the right side bar about the film Nymphomaniac.
 
2013-07-29 01:23:01 PM

dahmers love zombie: COOTYS RAT SEMEN


MY SOCRATES NOTE
 
2013-07-29 01:33:45 PM

bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE


SETEC ASTRONOMY
 
2013-07-29 01:44:48 PM
NSFW image on that page, fyi
 
2013-07-29 01:46:34 PM

show me: bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE

SETEC ASTRONOMY


www.starwarped.net
 
2013-07-29 01:54:07 PM

bdub77: show me: bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE

SETEC ASTRONOMY


TOO MANY SECRETS
 
2013-07-29 01:54:56 PM
Remember the good ol' days when someone could steal your Honda with a screwdriver?
 
2013-07-29 01:55:26 PM

EvilEgg: Well it's a good thing they banned the paper, now there is no way nefarious individuals will get their hands on it and the car companies can continue business as usual.


I'm kind of reminded of the recent paper about how to make a better (read: more deadly and more contagious) flu virus.  On the one hand, this sort of research is necessary*.  On the other hand, maybe we shouldn't publish these things to just everybody.

*Apparently, it's a royal PITA to make new flu vaccines, so if they can make vaccines in advance for "This flu will kill you and your family" flus, this is good.
 
2013-07-29 02:00:06 PM

sno man: *adjusts foil fedora*
Does it work on Mercedes too?


I don't think foil fedoras work on any car.
 
2013-07-29 02:00:30 PM
 
2013-07-29 02:16:23 PM

dittybopper: In America, they could publish it without (much) fear.   Crime Facilitating Speech is mostly legal in the US.  First Amendment, and all that.


Too bad he's in a country without freedom of speech.
 
2013-07-29 02:27:24 PM
Mobile site does not have nsfw image

/not subby
 
2013-07-29 02:31:33 PM
Is this really over the crypto algorithm the cars use like the article seems to suggest? Or is it actually private key codes that were extracted, and the author is confused?

If it's the algo, then that company is utterly incompetent, and should lose all their business immediately and forever. And the car manufacturers who were dumb enough to buy from them should suffer the cost of recalls to fix it. Any crypto system that relies on a secret algorithm should be assumed to be broken. Never trust cryptography that isn't open source and thoroughly vetted by cryptanalysts.
 
2013-07-29 02:32:31 PM

tricycleracer: Remember the good ol' days when someone could steal your Honda with a screwdriver?


But nothing of value was lost in those cases.
 
2013-07-29 02:35:12 PM

Nem Wan: dittybopper: In America, they could publish it without (much) fear.   Crime Facilitating Speech is mostly legal in the US.  First Amendment, and all that.

Too bad he's in a country without freedom of speech.


That.

They have "freedom to not be offended by others' speech" instead.

/Which personally I get, but I think it's stupid to apply the "sexual harassment problem" (that what I think is offensive is not what you think is offensive, and when I'm making the action and it's your opinion that gets me punished for that action (with no clear concrete rules to determine offensiveness beyond your opinion as of the time of the action), I'm screwed) to all speech.
//And yeah, there's some obvious stuff, but around the margins gets really iffy.
 
2013-07-29 02:43:22 PM

tricycleracer: Remember the good ol' days when someone could steal your Honda with a screwdriver?


I can still steal your Honda with the proper application of a screwdriver.

Step 1. Stab you in the lungs with a screw driver.
Step 2. Take your keys.
Step 3. Profit.
 
2013-07-29 03:15:17 PM

Because People in power are Stupid: Obscurity is the new security


The companies still know the flaw so they can fix it. According to TFA all they want banned from the publication are the actual universal codes. They get to publish the method so people everywhere will still know what to do to (steal/prevent stealing of) a car.

Personally I don't disagree with the judge. People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key? And while that person could change their lock, it isn't really an option to recall every single car using this particular system.
 
2013-07-29 03:17:11 PM

4of11: Never trust cryptography that isn't open source and thoroughly vetted by cryptanalysts.


What does Superman have to do with this?
 
2013-07-29 03:35:46 PM

DerAppie: People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key?


People should be pissed at a car-maker that evidently installs software made by Baby's First Cryptography Playset.  If I am paying fark you and your little dog Toto too dollars/pounds/euros/yen/yuan for a car, I want Super Ultra Mega Platinum security, not Lousy Half-Assed Sorta Meh Rusted Iron security.  "He published something proving my car can be taken over by a Speak-n-Spell" is not the problem;  "the car manufacturer installed security that can be taken over by a Speak-n-Spell" is the problem.
 
2013-07-29 03:43:18 PM

phalamir: DerAppie: People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key?

People should be pissed at a car-maker that evidently installs software made by Baby's First Cryptography Playset.  If I am paying fark you and your little dog Toto too dollars/pounds/euros/yen/yuan for a car, I want Super Ultra Mega Platinum security, not Lousy Half-Assed Sorta Meh Rusted Iron security.  "He published something proving my car can be taken over by a Speak-n-Spell" is not the problem;  "the car manufacturer installed security that can be taken over by a Speak-n-Spell" is the problem.


There's 2 possible ways this could be interpreted, and it depends on which paper the guy wrote:

1) Here's a schematic of the key to your front door.
2) Here's a fairly trivial way to use a hairpin to pick the lock on your super-expensive "pick-proof" front door.

#1 is his problem (and honestly "I got my hands on the master key" isn't much of a paper unless he did it in some odd way that is in and of itself a security hole) and phalamir is correct.
#2 is the car maker's problem that their "super-duper" security could be defeated by the computer equivalent of a lockpick and DerAppie is correct.
 
2013-07-29 03:45:38 PM

ThatBillmanGuy: bdub77: show me: bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE

SETEC ASTRONOMY

TOO MANY SECRETS


COTE MANY TOSSER
 
2013-07-29 03:58:56 PM

meyerkev: phalamir: DerAppie: People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key?

People should be pissed at a car-maker that evidently installs software made by Baby's First Cryptography Playset.  If I am paying fark you and your little dog Toto too dollars/pounds/euros/yen/yuan for a car, I want Super Ultra Mega Platinum security, not Lousy Half-Assed Sorta Meh Rusted Iron security.  "He published something proving my car can be taken over by a Speak-n-Spell" is not the problem;  "the car manufacturer installed security that can be taken over by a Speak-n-Spell" is the problem.

There's 2 possible ways this could be interpreted, and it depends on which paper the guy wrote:

1) Here's a schematic of the key to your front door.
2) Here's a fairly trivial way to use a hairpin to pick the lock on your super-expensive "pick-proof" front door.

#1 is his problem (and honestly "I got my hands on the master key" isn't much of a paper unless he did it in some odd way that is in and of itself a security hole) and phalamir is correct.
#2 is the car maker's problem that their "super-duper" security could be defeated by the computer equivalent of a lockpick and DerAppie is correct.


The meta-issue, though, is that we have no idea which one it is because the guy isn't allowed to publish.
 
2013-07-29 04:10:20 PM

DerAppie: Because People in power are Stupid: Obscurity is the new security

The companies still know the flaw so they can fix it. According to TFA all they want banned from the publication are the actual universal codes. They get to publish the method so people everywhere will still know what to do to (steal/prevent stealing of) a car.

Personally I don't disagree with the judge. People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key? And while that person could change their lock, it isn't really an option to recall every single car using this particular system.


The information has been available on the Internet since 2009. Banning the paper doesn't protect Volkswagen's customers; only themselves. Personally, I would like to know what car thieves know, because that allows me to figure out if Volkswagen is actually doing anything about it.
 
2013-07-29 04:15:31 PM

meyerkev: phalamir: DerAppie: People would be pissed if someone published a detailed schematic of their front door key, so why not be pissed at someone publishing your car key?

People should be pissed at a car-maker that evidently installs software made by Baby's First Cryptography Playset.  If I am paying fark you and your little dog Toto too dollars/pounds/euros/yen/yuan for a car, I want Super Ultra Mega Platinum security, not Lousy Half-Assed Sorta Meh Rusted Iron security.  "He published something proving my car can be taken over by a Speak-n-Spell" is not the problem;  "the car manufacturer installed security that can be taken over by a Speak-n-Spell" is the problem.

There's 2 possible ways this could be interpreted, and it depends on which paper the guy wrote:

1) Here's a schematic of the key to your front door.
2) Here's a fairly trivial way to use a hairpin to pick the lock on your super-expensive "pick-proof" front door.

#1 is his problem (and honestly "I got my hands on the master key" isn't much of a paper unless he did it in some odd way that is in and of itself a security hole) and phalamir is correct.
#2 is the car maker's problem that their "super-duper" security could be defeated by the computer equivalent of a lockpick and DerAppie is correct.


The way I read it they did number one, which gave them a code which was basically number 2. Then they wanted to publish number one and number two. Volkswagen didn't want number 2 published, which I consider to be reasonable, so they demanded it be redacted from the publication. The rest could then still be published. That way all the technical data is still available while someone with an RFID chip writer (or whatever those keys use) still needs to shell out $50k to get the data for a universal ignition key for 250k cars.
 
2013-07-29 04:25:30 PM

DerAppie: The way I read it they did number one, which gave them a code which was basically number 2.


I'm guessing you mean #2 to #1.
 
2013-07-29 04:59:23 PM
I was going to publish 1) wait in the bushes with a knife 2) wait for guy to open car 3) take keys 4) profit, but VW wouldn't let me.

/Crypto's really only as good as the number of whacks it takes with a rubber hose to get you to give up the password.
 
2013-07-29 05:02:44 PM
Were this about an American being told he can't publish his paper, I'd be outraged. Because: First Amendment. But it's this guy's own fault for being British.
 
2013-07-29 05:33:32 PM

DerAppie: Volkswagen didn't want number 2 published, which I consider to be reasonable, so they demanded it be redacted from the publication.


Then VW ought to have to front the man cash.  It is not his responsibility to look out for VW.  If he is beholden to VW's bottom line, then it is only fair he profit from VW's bottom line.
 
2013-07-29 05:35:15 PM

Because People in power are Stupid: Obscurity is the new best security


This is an old ethos.
 
2013-07-29 05:37:22 PM
Don't certain government agencies require that car remotes can be hacked fairly easily?  I could have sworn I heard that about Europe?
 
2013-07-29 05:45:15 PM
".....as it could lead to the theft of millions of vehicles, a judge has ruled. "

Really?   Sounds like a bit of hyperbole to me.    I doubt that there are "millions" of vulnerable Ferraris, Lambos, and Bentleys extant.  Audis?   NFI.   But I don't think releasing this info is going to suddenly cause every single one of them to be stolen.
 
2013-07-29 05:58:37 PM
 
2013-07-29 06:26:19 PM
intellihub.com
Of course, only the government can be trusted with that information.
 
2013-07-29 07:12:30 PM

r1niceboy: ThatBillmanGuy: bdub77: show me: bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE

SETEC ASTRONOMY

TOO MANY SECRETS

COTE MANY TOSSER


TOSS MY TEEN ORCA
 
2013-07-29 07:49:04 PM
Computer lecturer banned from revealing a secret algorithm that can turn any Lamborghini, Bentley or Porsche into Herbie.

I didn't even know they had computers that lectured. I guess I'll never get to see that since they've been banned.
 
2013-07-29 07:49:23 PM

whither_apophis: r1niceboy: ThatBillmanGuy: bdub77: show me: bdub77: dahmers love zombie: COOTYS RAT SEMEN

MY SOCRATES NOTE

SETEC ASTRONOMY

TOO MANY SECRETS

COTE MANY TOSSER

TOSS MY TEEN ORCA


SOOTY MEN'S CRATE
 
2013-07-29 07:49:31 PM

show me: I'm all for open research and freedom and all that, but couldn't the dudes just black out the code in the paper until a fix can be put in? Maybe a fix isn't even possible, I don't know. That would be one hell of a recall.


Did anyone read the article? - "had probably used a technique called "chip slicing" which involves analysing(sic) a chip under a microscope and taking it to pieces and inferring the algorithm from the arrangement of the microscopic transistors on the chip itself"

Analysis of the hardware seems to have led to the algorithm. I'm surprised there are not more car thefts.
 
2013-07-29 08:16:36 PM

PapaChester: Analysis of the hardware seems to have led to the algorithm. I'm surprised there are not more car thefts.


imgs.xkcd.com

Or, rather, in this case:

image.dhgate.com

People worry about the dumbest things when it comes to cars and their electronics. How many car thieves have the capability to analyze the arrangement of transistors on a microchip to steal a $100,000 car and how many would bother when they could steal twenty $10,000 cars by smashing a window or checking door handles in the time it takes to do it?
 
2013-07-29 08:54:58 PM
This still works, yes?
i.imgur.com
 
2013-07-29 10:31:26 PM

4of11: Is this really over the crypto algorithm the cars use like the article seems to suggest? Or is it actually private key codes that were extracted, and the author is confused?

If it's the algo, then that company is utterly incompetent, and should lose all their business immediately and forever. And the car manufacturers who were dumb enough to buy from them should suffer the cost of recalls to fix it. Any crypto system that relies on a secret algorithm should be assumed to be broken. Never trust cryptography that isn't open source and thoroughly vetted by cryptanalysts.


It wasn't until very recently that in-car data was encrypted at all.  Data like the handshake from the module that senses the smart fob that stays in your pocket since the car is push button start.

I like tech advances but I'll stick with my good old-fashioned keys, thank you.

/also removes key fuses or relays when parking long-term
 
2013-07-29 10:40:22 PM

wambu: This still works, yes?
[i.imgur.com image 850x590]


As long as you just want the spare change and the Creedence tapes.
 
2013-07-29 10:58:25 PM

wambu: This still works, yes?


It works fine to get you inside the car. It is somewhat less effective in convincing the computer to turn the engine on so that you can drive away. You could directly hot-wire the starter but that won't help unless the fuel injection etc. is also active.
 
2013-07-29 11:19:06 PM
Damnit. My car uses algorithmic keys to run the car. You can't even stick the key in the car anywhere. There are no holes. Except on the driver's side door.

/considering my car is an inexpensive one, maybe they couldn't afford this shiatty cryptography.
 
2013-07-29 11:46:34 PM
I worked with Garcia on this paper, and since I'm living in the states we're going to release it here. The codes are...

1...

2...

3...

4...

5...

Information is freedom!
 
2013-07-29 11:55:42 PM

Tsar_Bomba1: I worked with Garcia on this paper, and since I'm living in the states we're going to release it here. The codes are...

1...

2...

3...

4...

5...


That's the same combination I have on my luggage!
 
2013-07-30 12:47:47 AM

wambu: This still works, yes?
[i.imgur.com image 850x590]



Nope actually. The whole point to the keyed algorithm is to make it difficult to steal a car without a key. Hotwiring some of these kinds of cars is nearly impossible without such a master key that this professor would have provided to the world.
 
2013-07-30 12:59:57 AM

viscountalpha: wambu: This still works, yes?
[i.imgur.com image 850x590]


Nope actually. The whole point to the keyed algorithm is to make it difficult to steal a car without a key. Hotwiring some of these kinds of cars is nearly impossible without such a master key that this professor would have provided to the world.


Bad guys already have it. Just not as many as would.
 
2013-07-30 01:45:45 AM

PapaChester: show me: I'm all for open research and freedom and all that, but couldn't the dudes just black out the code in the paper until a fix can be put in? Maybe a fix isn't even possible, I don't know. That would be one hell of a recall.

Did anyone read the article? - "had probably used a technique called "chip slicing" which involves analysing(sic) a chip under a microscope and taking it to pieces and inferring the algorithm from the arrangement of the microscopic transistors on the chip itself"

Analysis of the hardware seems to have led to the algorithm. I'm surprised there are not more car thefts.


Your (sic) doesn't make you look smart, it lets me know that you have no idea how to spell British English.
 
2013-07-30 01:53:09 AM
You know what car most car thieves steal? The easiest one to steal. The one that's unlocked and preferably with the keys in it. These cars, while they are extremely valuable, are difficult for a street thug to steal.
 
2013-07-30 04:32:36 AM

skozlaw: PapaChester: Analysis of the hardware seems to have led to the algorithm. I'm surprised there are not more car thefts.

[imgs.xkcd.com image 448x274]

Or, rather, in this case:

[image.dhgate.com image 587x436]

People worry about the dumbest things when it comes to cars and their electronics. How many car thieves have the capability to analyze the arrangement of transistors on a microchip to steal a $100,000 car and how many would bother when they could steal twenty $10,000 cars by smashing a window or checking door handles in the time it takes to do it?


Well, it does depend, you could potentially see someone creating and selling a universal key for Porsche so instead of breaking windows to riskily steal $10k cars, you buy something off the internet and then just go up to any Porsche (or whatever), click a button and the doors unlock and the engine switches on - far less risky and far more profitable.
 
2013-07-30 07:18:22 AM

viscountalpha: wambu: This still works, yes?
[i.imgur.com image 850x590]


Nope actually. The whole point to the keyed algorithm is to make it difficult to steal a car without a key. Hotwiring some of these kinds of cars is nearly impossible without such a master key that this professor would have provided to the world.


It's too bad that there is a handy port under the dash/steering column that allows you access to the UNencrypted data networks.

C&D did a story on this a while back.  How they unlock the car using your key fob without you knowing it is even simpler.
 
2013-07-30 01:34:19 PM

xria: Well, it does depend, you could potentially see someone creating and selling a universal key for Porsche


I believe Megamos Crypto protects the immobilizer, not the door locks. You'd still have to actually get into the car first and even then your key would have to negotiate the lockout codes for that particular car.

Mister Peejay: How they unlock the car using your key fob without you knowing it is even simpler.


They extend the signal. But you can only repeat the type of signal the fob gives off to something like two dozen feet so the person would have to be pretty close to both you and your car to actually make it work. Probably easier to just hit you in the head and steal your key at that point since they'll need the key anyway to actually steal the car.

Mister Peejay: It's too bad that there is a handy port under the dash/steering column that allows you access to the UNencrypted data networks.


[citation needed]

The OBD-II port could be used to do a lot of Bad Things if somebody slapped a device on it without the owner knowing, but I am highly suspect of the idea that it could be used effectively to steal a car. Your bigger concern is going to be dumb shiat like OnStar that bridges a wireless network with key components of your vehicle.
 
2013-07-30 09:48:28 PM
skozlaw:
Mister Peejay: It's too bad that there is a handy port under the dash/steering column that allows you access to the UNencrypted data networks.

[citation needed]

The OBD-II port could be used to do a lot of Bad Things if somebody slapped a device on it without the owner knowing, but I am highly suspect of the idea that it could be used effectively to steal a car. Your bigger concern is going to be dumb shiat like OnStar that bridges a wireless network with key components of your vehicle.


Well, given that there is already an open project online to decode the datastream, and all scantools work by reading (and sometimes writing) signals, I have zero doubt that someone could easily make a plug-in device to spoof the signals and put a valid wake-up over the bus.

If you want "evidence of the glazzies", automakers are now finally starting to encrypt data that goes over the various buses.

As far as RF distance is concerned, all you need is someone hiding behind another car as you park, and then they unlock the door as you walk away.  A lot of the keyless cars don't even require you to hit the button to unlock the doors, they sense the fob and unlock the door automatically when you pull the handle...

You can argue against it all you want, and I agree that it all SEEMS far-fetched, but given that these supposedly unstealable cars are being stolen with ease, something is happening.  Where there's a will, there's a way...  Supposedly it's extremely common for high-end Mercedes in SEA to wind up in China.  Likewise vehicles from Germany and the Scandinavian countries end up in Russia.
 
Displayed 60 of 60 comments
