Computerworld this week reported on what seems to be an effort to hide flaws in the Megamos Crypto transponder, which is an RFID device used in keys and key fobs for keyless engine starting by several automobile manufacturers. Three researchers found flaws in Megamos that help auto thieves, and the flaws were presented to the Swiss manufacturer of the devices in February, 2012 and to Volkswagen in May of the following year. Volkswagen subsequently sued to block publication of a paper the researchers had written.
According to Computerworld, the known flaw was unaddressed and the results were real:
Two years of negotiations between the researchers and Volkswagen passed, during which keyless entry systems have been targeted by other security researchers and the Metropolitan police said, ‘Last year, over 6,000 cars and vans across London were stolen without the owners’ keys. That is an average of 17 vehicles a day, and represents 42% of all thefts of cars and vans.’ Finally, two years later, researchers Roel Verdult, Baris Ege, and Flavio Garcia were able to publish and present their research at the USENIX Security Symposium…after redacting just one sentence.
Clearly, trying hide a flaw in a security system is not as bad as hiding a brake or steering system problem, but one can see that a pattern of putting the corporation ahead of the public is already in place.
The connectivity of vital systems in vehicles is growing and goes far beyond theft. For instance, earlier this month, Ars Technica reported on St. Louis researchers Charlie Miller and Chris Valasek, who remotely took control of a Jeep Cherokee and were able to turn the brakes and the engine on and off, control the vehicle while it was moving in reverse, and perform other tasks.
The Verge’s Russell Brandom suggests that the problems with connected cars are bad and will get worse. In fact, he implies that the best alternative may be a world in which cars are not linked to the Internet:
Unplugging feels like an unusual solution — the tech world isn’t used to tactical retreats — but it makes more sense than you might think. In security theory terms, it’s a question of attack surface. Every connectivity feature gives attackers one more place to break in. We’ve already seen attacks targeting vehicles’ Wi-Fi hotspots, Bluetooth controls, and even plain old remote key fobs. Security means protecting each of those avenues from attack, but it also means asking if each new attack surface is worth the tradeoff. Since most connectivity features come as an all-or-nothing set, that’s a question consumers haven’t been able to ask — but it’s one automakers should be giving a lot of thought.
Society has a very important issue with which to deal. Essentially, the Internet of Things (IoT), wireless connectivity and related technologies enable the Internet to burrow its way ever deeper into our lives. This, juxtaposed with the lackadaisical way people approach security, the proliferation of attack surfaces, and the apparent ambivalence of companies to proactively confront the issues, is serious food for thought.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at [email protected] and via twitter at @DailyMusicBrk.