University condemns court ban of research paper on flaws in car lock system

Locking system used to protect luxury cars is outdated, say security researchers

A court ban on a research paper that analyzes flaws in a car-lock system should be overturned, according to the Dutch university that employs two of the three researchers who wrote the analysis.

The U.K. High Court of Justice banned the publication of the paper, "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" on June 25, said the Radboud University Nijmegen in a news release on Monday. The ban came to the attention of the public when the U.K. newspaper The Guardian published a story about it over the weekend.

The U.K. court issued an interim block on the research paper, while considering a permanent ban on request of car manufacturer Volkswagen, the university added. French defence group Thales also requested the ban, according to a report by the BBC.

Roel Verdult and Baris Ege, of the Digital Security faculty at Radboud University, were planning to present their paper with Flavio Garcia a lecturer in Computer Science of the University of Birmingham during the USENIX Security Symposium in Washington, D.C., in August, the Dutch university said.

Verdult and Ege said in a joint email on Monday that they did not want to comment on the matter. Garcia did not return a request for comment.

"In their scientific article, they show that there is a fault in the security of the Megamos chip that is used in the immobilizer in different car brands," the Radboud University said, adding that the chip was designed in the mid-90s and is outdated. "Nevertheless, it is still widely used in the automotive industry," it said.

The research is based on publicly available information and in their paper the researchers reveal the weakness of the chip in mathematical terms, the university said. The research "by no means reveals how to easily steal a car," it said, adding that very different information is needed to do that.

Furthermore, the researchers informed the chip maker in November 2012, nine months before the intended publication of their paper, so that security measures could be taken, the university said. The researchers also urged the chip maker to inform their own customers from the outset, it added.

"The decision of the English court imposes severe restrictions on the freedom of academic research in a socially highly relevant field," Radboud University said, adding that it nevertheless respects the decision of the court.

"The University of Birmingham is disappointed with the judgment which did not uphold the defence of academic freedom and public interest, but respects the decision," a University of Birmingham spokesperson said in an email. It has decided to defer publication of the academic paper in any form while it obtains additional technical and legal advice.

Because the court is considering a final ruling, Radboud University spokeswoman Anja van Kessel declined to provide further comment, but said the university hopes the court will ultimately decide in favor of publication of the paper.

Volkswagen did not respond to a request for comment.

What’s wrong? The new clean desk test
Join the discussion
Be the first to comment on this article. Our Commenting Policies