High Court gags UK scientist who cracked car security codes

The High Court has banned UK scientist Flavio Garcia from publishing an academic paper on how he cracked the security codes used to start cars, including Porsches, Bentleys, Lamborghinis and Audis.

Download this free guide

The importance of web security

Join us as we take a look at the different approaches you can take in order to bolster your web security. We find out how to identify and address overlooked web security vulnerabilities, how security controls affect web security assessment results and why web opportunities must be met with appropriate security controls.

Start Download

• Corporate E-mail Address:

  You forgot to provide an Email Address.

  This email address doesn’t appear to be valid.

  This email address is already registered. Please login.

  You have exceeded the maximum character limit.

  Please provide a Corporate E-mail Address.

• • I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.

  Please check the box if you want to proceed.

• • I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.

  Please check the box if you want to proceed.

By submitting my Email address I confirm that I have read and accepted the Terms of Use and Declaration of Consent.

The interim injunction against Garcia, a lecturer in computer science at the University of Birmingham, and two other cryptography experts from a Dutch university was granted after a request by the parent company of Volkswagen, according to the Guardian.

The judgement was handed down three weeks ago, but has now become part of a wider discussion about car manufacturers' responsibilities relating to car security, the paper said.

Mr Justice Birss ruled that publication of the Megamos Crypto algorithm that allows the car to verify the identity of the ignition key using radio frequency identification (RFID) could lead to the mass theft of vehicles.

Volkswagen told the court the system was used in a number of mass market vehicles from several manufacturers.

The car maker went to court after the scientists had refused to publish a redacted version of their paper on dismantling the Megamos Crypto at the Usenix Security Symposium in Washington DC in August.

The scientists said they were responsible academics whose aim was to improve security for everyone, not to help criminals.

They argued that "the public have a right to see weaknesses in security on which they rely exposed". Otherwise, the "industry and criminals know security is weak but the public do not".

Mr Justice Birss said he recognised the importance of the right for academics to publish, but it would mean "car crime will be facilitated".

Similar concerns have led a growing number of software makers to begin offering cash rewards to security researchers to ensure they report vulnerabilities in code before publishing the details.

Software makers such as Microsoft would prefer to work with bug finders before the details are made public to ensure security updates can be pushed to customers in time.

Bounty programmes are aimed at encouraging responsible disclosure of software vulnerabilities by offering cash rewards to bug finders who might otherwise be tempted to sell the information.