A high court ruling has stifled attempts by three security researchers to publish information containing details of how to crack a car immobilisation system.
Volkswagen, the German car maker, and French defence group Thales secured the interim ruling amid concerns that the information could be ‘misused’ by criminals intent on stealing vehicles.
The technology is utilised by a number of car manufacturers as a ‘fail-safe’.
The researchers had intended to release the information at a conference in August. Academics Flavio Garcia, a computer science lecturer at the University of Birmingham, and security researchers Roel Verdult and Baris Ege of Radboud University, a Dutch university located in Nijmegen, outlined their dismay at the ruling.
In a statement from the University of Birmingham, they said: “The University of Birmingham is disappointed with the judgement which did not uphold the defence of academic freedom and public interest, but respects the decision.”
The University statement continued: “It has decided to defer publication of the academic paper in any form while additional technical and legal advice is obtained given the continuing litigation. The university is therefore unable to comment further at this stage.”
The initial reaction from Radboud University Nijmegen was one of disbelief, saying that they found the ruling ‘incomprehensible’.
In an official statement the University said: “The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible. The researchers informed the chipmaker nine months before the intended publication – November 2012 – so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients.”
The researchers described how they obtained a software program online, which detailed the algorithm devised by Thales that provided the security feature. They claim that the information had been on the internet since 2009.
VW and Thales argued that the algorithm was confidential information and the person(s) responsible for issuing it on the internet had probably done so illegally.
After much deliberation, a high court judge eventually ruled in favour of VW and Thales, suggesting that, pending a full trial, the information should be withheld.
Tom Ohta, an associate at the law firm Bristows who had no involvement in this matter, said: “Unfortunately, the way in which the researchers uncovered the flaw gave them very little ground for their case.”
He added: “An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorised website. This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction.”