Injunction Imposed in Volkswagen Car Hacking Case: Public Safety Favored Over Transparency
By Jonathan Sapp – Edited by Alex Shank
[caption id="attachment_3639" align="alignleft" width="150"] Photo By: Glen Edelson - CC BY 2.0[/caption]
In June, a British high court ruled in favor of Volkswagen by enjoining Flavio Garcia from publishing an academic paper that sought to expose weaknesses in Volkswagen’s automobile security systems. In the paper, Garcia revealed secret codes used to activate the ignition systems of several luxury vehicles including those by Audi, Bentley, Lamborghini, and Porsche. The British court’s ruling is the latest in the battle against researchers who expose security systems’ flaws through hacking.
The Guardian provides a thorough analysis of the case. Ars Technica cautions against the “Internet of automobiles” and discusses the latest trend in car hacking: brake and speed tampering. Extreme Tech offers insight into security system hacking and suggests that boats and planes are not immune.
While working for the University of Birmingham as a computer science lecturer, Flavio Garcia utilized “chip slicing” to uncover the algorithm by which certain vehicles’ security chips operated. He then attempted to publish his findings at the USENIX Security Symposium. However, before the paper was published, Volkswagen contacted Garcia and his associates, requesting that they redact the vehicles’ security codes. The scientists refused to honor the request, arguing that the public has a right to see the weaknesses exposed. Volkswagen subsequently sought an injunction against the researchers on the grounds that revelation of the codes used to activate the vehicular ignition systems would facilitate criminal activity. The British high court agreed, ordering the injunction.
Over the past few decades, vehicular security systems have become increasingly complex and computerized. The systems provide consumers with abundant security features that were not previously available in older vehicle models. However, reliance on computer-based security has faced increased scrutiny as of late, due to the increased number of system hacks in the air, land, and sea. As security systems become more computerized, they also become more exposed. Researchers worldwide have uncovered product security flaws in an effort to promote transparency and initiate the development of higher-quality systems for the consumer. Last week’s Black Hat conference in Las Vegas, covered by NPR, featured DARPA-funded research on how to hack the Electronic Control Unit of a Toyota Prius and Ford Escape.
The Volkswagen case illustrates some issues that legal systems must confront as the incidence of hacking increases. The British court’s ruling provides a significant roadblock for those who intend to expose flaws in security systems. Following the decision, researchers in the UK may choose their words wisely and potentially limit their scholarship in the field of security exposure. Judicial systems will face the challenge of weighing the proposed benefits of consumer awareness against the potential harm that may result with the exposure of secret security information.
Photo By: Glen Edelson - CC BY 2.0[/caption]
In June, a British high court ruled in favor of Volkswagen by enjoining Flavio Garcia from publishing an academic paper that sought to expose weaknesses in Volkswagen’s automobile security systems. In the paper, Garcia revealed secret codes used to activate the ignition systems of several luxury vehicles including those by Audi, Bentley, Lamborghini, and Porsche. The British court’s ruling is the latest in the battle against researchers who expose security systems’ flaws through hacking.
The Guardian provides a thorough analysis of the case. Ars Technica cautions against the “Internet of automobiles” and discusses the latest trend in car hacking: brake and speed tampering. Extreme Tech offers insight into security system hacking and suggests that boats and planes are not immune.
While working for the University of Birmingham as a computer science lecturer, Flavio Garcia utilized “chip slicing” to uncover the algorithm by which certain vehicles’ security chips operated. He then attempted to publish his findings at the USENIX Security Symposium. However, before the paper was published, Volkswagen contacted Garcia and his associates, requesting that they redact the vehicles’ security codes. The scientists refused to honor the request, arguing that the public has a right to see the weaknesses exposed. Volkswagen subsequently sought an injunction against the researchers on the grounds that revelation of the codes used to activate the vehicular ignition systems would facilitate criminal activity. The British high court agreed, ordering the injunction.
Over the past few decades, vehicular security systems have become increasingly complex and computerized. The systems provide consumers with abundant security features that were not previously available in older vehicle models. However, reliance on computer-based security has faced increased scrutiny as of late, due to the increased number of system hacks in the air, land, and sea. As security systems become more computerized, they also become more exposed. Researchers worldwide have uncovered product security flaws in an effort to promote transparency and initiate the development of higher-quality systems for the consumer. Last week’s Black Hat conference in Las Vegas, covered by NPR, featured DARPA-funded research on how to hack the Electronic Control Unit of a Toyota Prius and Ford Escape.
The Volkswagen case illustrates some issues that legal systems must confront as the incidence of hacking increases. The British court’s ruling provides a significant roadblock for those who intend to expose flaws in security systems. Following the decision, researchers in the UK may choose their words wisely and potentially limit their scholarship in the field of security exposure. Judicial systems will face the challenge of weighing the proposed benefits of consumer awareness against the potential harm that may result with the exposure of secret security information.