If you knew how to disable Megamos Crypto, the wonderfully named, high-security, radio-frequency-ID-enabled algorithm that makes luxury cars incredibly difficult to steal, what would you do with that knowledge? Take a joyride? Sell the information on the international black market for millions? Or write an academic paper and tell your peers? Flavio Garcia, a computer scientist at the University of Birmingham in Britain, along with two Dutch colleagues from Radboud University, chose the least remunerative but only legal option. Volkswagen thought it was a pretty bad choice.
The Volkswagen group owns a number of high-end car brands, including Audi, Bentley, Lamborghini and Porsche, all of which use Megamos Crypto. Along with Thales, a French defense group, Volkswagen successfully petitioned a UK court to impose an injunction on the publication of the paper, arguing it would enable criminals “to break the security and steal a car,” as reported by the Guardian. The authors of the paper, titled “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer,” were to present it at a security conference in Washington DC next month.
Both universities have agreed to respect the court’s decision. The University of Birmingham’s official position is that it “is disappointed with the judgment which did not uphold the defence of academic freedom and public interest, but respects the decision.” And in a statement posted on its website, Radboud University argued that:
The chip dates back to the mid-nineties and has since become outdated, but is nevertheless still widely used in the automotive industry. The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information. The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible.
The researchers informed the chipmaker nine months before the intended publication (November 2012) so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients.
This is not the first time computer-science-related papers and talks have faced corporate pushback. Nor is it the first debate about whether academic research could do more harm than good.
In December 2011, the scientific world was in an uproar about two papers, one by researchers in America and the other in the Netherlands, that looked at how H5N1, better known as bird flu, could be engineered to spread among humans. The researchers played around with the virus until it became transmittable through the air.
The implications are terrifying. Bird flu in its present form cannot easily be transmitted, which is why its death toll is a relatively low 330 people over the past decade. Were the knowledge of how to spread it readily accessible, terrorists could conceivably re-create a mutant variety and unleash it upon humanity. (For the record, this would be a spectacularly daft thing to do as they would have no way of controlling its spread.)
America’s National Science Advisory Board for Biosecurity suggested the US authors censor part of their report before publishing it. In the Netherlands, scientists had to seek the permission of their government to disseminate it. Within six months, and after lengthy, relatively civilized debate, both papers had been published in respected journals. In neither case did courts get involved. The argument that won the day was that it is better to make knowledge public, and therefore make the means to fight it public, than to hide it away in fear. Apparently, the same logic does not apply when it comes to luxury cars.