
The "new" (actually 2 years old) thing is the UK courts granting injunctions preventing the publication of security research from a well-known UK university. WTF.

http://www.theguardian.com/technology/2013/jul/30/car-hackin...




Right, the money quote in the article is:

> The research team first took its findings to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013. The car-maker filed a lawsuit to block the publication of the paper - arguing that its vehicles would be placed at risk of theft - and was awarded an injunction in the U.K.'s High Court.

But then they don't detail the legal situation that led to the two years of litigation and the eventual release, so I don't know who to be mad at..


People are usually bad at understanding counterintuitive notions such as the fact that making security flaws public actually makes consumers more secure, not less.


Detailing how this works publicly makes nobody more secure.

Public release of the general problem is still worthwhile as information, but there is a net "security" loss here.


I disagree. Making a security flaw known forces manufacturers to fix it. As the article states, they went "to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013". Two years later the problem hasn't been fixed, because a recall would be too labor intensive. Meanwhile VWs are still being stolen using this exploit. Now that the exploit is out there VW is forced to act.

And it's not like regular people are going to turn into car thieves because this exploit has been made public. Not even house burglars will turn into car thieves. I would guess that car thieves are very specialized due to the seemingly complicated logistics behind these operations, so it's unlikely that they weren't aware of this exploit.

I'm far from being an expert on the subject, but I don't see how this is a net loss. I see very little potential for a spike in thefts and a high probability of VW finally facing the problem.


The specifics of how to exploit it do not contribute to pushing the manufacturers to fix it. Disclosing the general vulnerability does, the specifics do not.

> Meanwhile VWs are still being stolen using this exploit

Holy fucking [CITATION NEEDED] batman!


Immediately there is, but what about the long term? If industries know that researchers will post the vulnerabilities all over the net as soon as they find them, it may change their security behavior in a way that is a net positive to security.


I doubt you'd say that if you owned one of the affected VWs.


One might, if one had purchased a VW during the years this paper was censored.


Exactly. So how many vulnerable cars are on the roads of the world right now because the UK High Court wanted to "protect consumers". It seems insane. A temporary injunction, sure. But two years (actually three since the original vulnerability report) isn't remotely acceptable.

And getting back to the original point: I'd want to see some coverage of how this disaster happened in the UK courts.


Except that VW at some point quit using the transponder in question because of this issue, so new cars made are no longer susceptible.


Not everyone buys only new cars. Besides, in a world in which research was not censored, do you really expect that VW would have been slower to fix the issue?


No, but I don't think they would have been faster either, was my point.

Hence, to answer the question posed, "So how many vulnerable cars are on the roads of the world right now because the UK High Court wanted to "protect consumers""

I would answer 'possibly zero, BECAUSE of that' and once they are manufactured and sold they exist regardless of the owner, till they are destroyed.


I never posed that question. (hint: sibling did)

I merely countered the plight of old VW owners with that of new VW owners.


But they got the key, so you can safely assume everybody else has or could. Publishing it is the kind of pressure the manufacturer needs from the public; otherwise people will do the same reasoning, kicking into 'secret = safe' mode even when it's completely pwned - heck, it's not even theoretical, there is a paper on it with the extracted keys.

The fact you weren't affected is just because stealing a car is not the hardest part of the ordeal.


That's the problem, that the judges making the decisions usually don't have skin in the game.


It's in the article:

> Now, after lengthy negotiations, the paper is finally in the public domain - with just one sentence redacted.

> "This single sentence contains an explicit description of a component of the calculations on the chip," Verdult said, adding that by removing the sentence it was much more difficult to recreate the attack.



