High Court gags UK scientist who cracked car security codes

• Published: 29 Jul 2013 8:53

The High Court has banned UK scientist Flavio Garcia from publishing an academic paper on how he cracked the security codes used to start cars, including Porsches, Bentleys, Lamborghinis and Audis.

The interim injunction against Garcia, a lecturer in computer science at the University of Birmingham, and two other cryptography experts from a Dutch university was granted after a request by the parent company of Volkswagen, according to the Guardian.

The judgement was handed down three weeks ago, but has now become part of a wider discussion about car manufacturers' responsibilities relating to car security, the paper said.

Mr Justice Birss ruled that publication of the Megamos Crypto algorithm that allows the car to verify the identity of the ignition key using radio frequency identification (RFID) could lead to the mass theft of vehicles.

Volkswagen told the court the system was used in a number of mass market vehicles from several manufacturers.

The car maker went to court after the scientists had refused to publish a redacted version of their paper on dismantling the Megamos Crypto at the Usenix Security Symposium in Washington DC in August.

The scientists said they were responsible academics whose aim was to improve security for everyone, not to help criminals.

They argued that "the public have a right to see weaknesses in security on which they rely exposed". Otherwise, the "industry and criminals know security is weak but the public do not".

Mr Justice Birss said he recognised the importance of the right for academics to publish, but it would mean "car crime will be facilitated".

Similar concerns have led a growing number of software makers to begin offering cash rewards to security researchers to ensure they report vulnerabilities in code before publishing the details.

Software makers such as Microsoft would prefer to work with bug finders before the details are made public to ensure security updates can be pushed to customers in time.

Bounty programmes are aimed at encouraging responsible disclosure of software vulnerabilities by offering cash rewards to bug finders who might otherwise be tempted to sell the information.