The curious case of Volkswagen's fight with the car hacking scientists

If you're in the business of making top-end sports cars that people typically shell out hundreds of thousands of pounds on, you'd probably feel duty bound to do everything in your power to help your customers keep them safe and secure.

This was undoubtedly Volkswagen Group's motivation for taking out an interim injunction against a research paper that reportedly details the algorithm used to help cars verify the identity of an ignition key.

The banned academic paper in question was written by a trio of scientists. It's understood to have shown the inner workings of the Megamos Crypto algorithm, which is used to work out the codes that are sent between the key and the car.

VW, which owns the Porsche, Audi, Bentley and Lamborghini brands, claimed publishing the paper could allow a "sophisticated criminal gang" to override the security system to steal cars. Not just its cars, but those made by other manufacturers, too.

The case has sparked plenty of debate, especially among the members of the IT Pro editorial team, about whether the court was right to ban the paper's publication.

The University of Birmingham, where one of the scientists involved is understood to work as a lecturer, released a statement this week expressing its disappointment at the ruling.

"The judgment...did not uphold the defence of academic freedom and public interest, but [the university] respects the decision," the statement read.

Perhaps it's because I'm a journalist, and find myself regularly butting heads with the public interest defence, that I initially found myself sympathising with the scientists' plight.

After all, a scientist's reputation rests on the quality of their research and discoveries, and being banned from telling anyone about them leaves them in a rather impotent position.

The scientists claimed their research is designed to demonstrate the lack of security in car immobilisers that rely on the Megamos chip, but strongly denied it could lead to car theft.

"The paper reveals the inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," read a further statement released this week by Stichting Katholieke Universiteit, where the remaining two scientists worked.

"The publication in no way describes how to easily steal a car, as additional and different information is needed to do this," it added.

That may be the case, but there's no mention of how easy that additional data would be to come by.

Even so, according to a report this week in The Guardian, the scientists curiously notified the maker of the chip about the report nine months ago so it could take action.

Responsible publication

It's not hard to see why Volkswagen decided to pursue the case. Gone In Sixty Seconds was a diverting enough addition to Nicolas Cage's illustrious movie career, but no-one wants to see a similar scenario played out for real on the streets.

But is holding back this information really the best way of protecting millions of people from the threat of car theft? Well, that depends on what Volkswagen intends to do with it.

If Volkswagen's intention is to privately seize on the findings of the car hacking scientists, as several national newspapers have dubbed them, to beef up security around this system, more power to them.

And, in Volkswagen's defence, it did offer the scientists the option of publishing a partially redacted version of the report without the codes, but they declined on public interest grounds.

Personally, I think that was the wrong decision. While I appreciate that academic freedom is important, it has to be exercised in a responsible way.

Let's use Barnaby Jack, the renowned computer hacker who sadly passed away last week, as an example.

One of his most talked about pieces of work was the discovery of an insulin pump security flaw that could allow a hacker to administer a fatal dose of the hormone, despite being around 300 feet away from the victim.

His work is reported to have prompted at least one well-known manufacturer of the devices to re-evaluate the security measures it had in place.

But despite giving a high-profile demonstration of how the attack would work at a hacker conference last year, he stopped short of releasing full details of the vulnerabilities that made it possible.

He proved it could be done, and that was enough to initiate change within the medical industry.

The fact this paper exists, and has been extensively written about in the press, means people will be aware of the risk.

And, by requesting the release of a redacted version of the paper, Volkswagen suggests it is not against people knowing the algorithm has been cracked; it just doesn't want people to be able to use it for criminal ends.

Although, without meaning to trivialise the obvious brainpower of the scientists involved, if they've acquired knowledge of this system, what's to stop someone else? Someone who might not be planning to speak so openly about their findings, and with dastardly deeds in mind...

Caroline Donnelly is the news and analysis editor of IT Pro and its sister site Cloud Pro, and covers general news, as well as the storage, security, public sector, cloud and Microsoft beats. Caroline has been a member of the IT Pro/Cloud Pro team since March 2012, and has previously worked as a reporter at several B2B publications, including UK channel magazine CRN, and as features writer for local weekly newspaper, The Slough and Windsor Observer. She studied Medical Biochemistry at the University of Leicester and completed a Postgraduate Diploma in Magazine Journalism at PMA Training in 2006.