Just appeared, almost two years after the 22nd USENIX Security Symposium (14-16 August 2013), a supplement to the proceedings: Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer.
In this paper Dutch researchers describe “several weaknesses in the design of the cipher, the authentication protocol and also in their implementation.” The article ends with:
“Following the principle of responsible disclosure, we have notified the manufacturer of our findings back in November 2012. Since then we have an open communication channel with them. We understand that measures have been taken to prevent the weak-key and partial key-update attacks when the transponder was improperly configured.”
Despite the disclosure and the open communication, the manufacturer could get an injunction from the High Court of Justice in the United Kingdom prohibiting the authors (one of the Dutch researchers moved to Birmingham), their institutions, and anyone who assists them, from publishing key sections of the paper.
Was the judge right in his ruling? What about academic freedom? My first reaction was one of disbelief, but at second thought I could understand the concerns of the manufacturer. Information technology can never be 100% secure. Sometimes systems are badly designed, sometimes quite well. Even in the latter case smart researchers may manage to break security. Is law fit to evaluate this? How could a lawyer assess this adequately? How can a computer scientist? How much time should a company be given to repair shortcomings? Is an academic always allowed to publish after a while, even if such a publication really facilitates criminals. Intriguing questions.
I hope to be able to contribute to answering related questions. If you are a VU student (either computer science or law), you can become an assistant for ten months (October 2015-August 2016). The research (with Herbert Bos, Joeri Toet and Kyra Sandvliet) I am talking about is Treatment of information security tools under the Wassenaar Arrangement:
This proposal seeks to evaluate the treatment of information security research tooling under the Wassenaar Arrangement. As a result of developments outlined below, many tools that the information security research community commonly produces and uses, and that are readily distributed amongst the members of this community are now, or will soon be, in scope of the export control regime maintained as a result of the Wassenaar Arrangement. Not surprisingly, the Arrangement has led to much concern among hackers, security experts and scientists alike.
If you want more information, you can contact me.
