University condemns court ban of research paper on flaws in car lock system

Locking system used to protect luxury cars is outdated, say security researchers

A court ban on a research paper that analyzes flaws in a car-lock system should be overturned, according to the Dutch university that employs two of the three researchers who wrote the analysis.

The U.K. High Court of Justice banned the publication of the paper, "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer," on June 25, Radboud University Nijmegen said in a news release on Monday. The ban came to public attention when the U.K. newspaper The Guardian published a story about it over the weekend.

The U.K. court issued an interim block on the research paper while considering a permanent ban at the request of car manufacturer Volkswagen, the university added. French defence group Thales also requested the ban, according to a report by the BBC.

Roel Verdult and Baris Ege, of the Digital Security faculty at Radboud University, were planning to present their paper with Flavio Garcia, a lecturer in Computer Science at the University of Birmingham, during the USENIX Security Symposium in Washington, D.C., in August, the Dutch university said.

Verdult and Ege said in a joint email on Monday that they did not want to comment on the matter. Garcia did not return a request for comment.

"In their scientific article, they show that there is a fault in the security of the Megamos chip that is used in the immobilizer in different car brands," the Radboud University said, adding that the chip was designed in the mid-90s and is outdated. "Nevertheless, it is still widely used in the automotive industry," it said.

The research is based on publicly available information and in their paper the researchers reveal the weakness of the chip in mathematical terms, the university said. The research "by no means reveals how to easily steal a car," it said, adding that very different information is needed to do that.

Furthermore, the researchers informed the chip maker in November 2012, nine months before the intended publication of their paper, so that security measures could be taken, the university said. The researchers also urged the chip maker to inform their own customers from the outset, it added.

"The decision of the English court imposes severe restrictions on the freedom of academic research in a socially highly relevant field," Radboud University said, adding that it nevertheless respects the decision of the court.

"The University of Birmingham is disappointed with the judgment which did not uphold the defence of academic freedom and public interest, but respects the decision," a University of Birmingham spokesperson said in an email. It has decided to defer publication of the academic paper in any form while it obtains additional technical and legal advice.

Because the court is considering a final ruling, Radboud University spokeswoman Anja van Kessel declined to provide further comment, but said the university hopes the court will ultimately decide in favor of publication of the paper.

Volkswagen did not respond to a request for comment.
