[Infowarrior] - Fwd: another VW story - this is an encryption backdoor

Richard Forno rforno at infowarrior.org
Sun Aug 14 20:01:13 CDT 2016



> Begin forwarded message:
> 
> From: "Dan
> 
> https://www.techdirt.com/articles/20160812/10515435227/volkswagen-created-backdoor-to-basically-all-cars-now-hackers-can-open-all-them.shtml
> 
> Volkswagen Created A 'Backdoor' To Basically All Its Cars... And Now Hackers Can Open All Of Them
> from the backdoors-are-bad-m'kay? dept
> And... our latest example of why requiring companies to build backdoors into encryption or similar technologies is a bad idea comes from automaker Volkswagen. Researchers are now revealing that approximately 100 million VW vehicles can be easily opened <https://www.wired.com/2016/08/oh-good-new-hack-can-unlock-100-million-volkswagens/> via a simple wireless hack. The underlying issue: a static key used on basically all of the wireless locks in VWs.
> The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and access the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”
> In other words, VW created a backdoor, and assumed that it would remain hidden. But it did not. 
> 
> This is exactly the kind of point that we've been making about the problems of requiring any kind of backdoor and not enabling strong encryption. Using a single encryption key across every device is simply bad security. Forcing any kind of backdoor into any security system creates just these kinds of vulnerabilities -- and eventually someone's going to figure out how they work. 
> 
> On a related note, the article points out that the researchers who found this vulnerability are the same ones who also found another vulnerability a few years ago that allowed them to start the ignition of a bunch of VW vehicles. And VW's response... was to sue them <http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw> and try to keep the vulnerability secret for nearly two years. Perhaps, rather than trying to sue these researchers, they should have thrown a bunch of money at them to continue their work, alert VW and help VW make their cars safer and better protected.
