Court blocks the publication of a scientific paper

The English High Court (the highest civil court) has blocked the publication of a scientific paper that would have revealed the full details of a zero-day vulnerability in Volkswagen’s immobiliser mechanisms. The temporary injunction has been granted to stop the publication of “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer”, which was due to be presented at a USENIX security conference.

One of the paper’s authors is Flavio D. Garcia, who is based in the UK (the University of Birmingham) and so would have to respect the injunction or face contempt proceedings (and the possibility of prison). The two other authors, Roel Verdult and Baris Ege, both of Radboud University Nijmegen, are not in or from the UK, so it’s not clear to me how effective the injunction would be against them if they opted to defy it.

It’s difficult to see this as an open-and-shut case about academic freedom – as Volkswagen were not trying to suppress the fact of the vulnerability, merely the details of how to conduct the crack – but it does concern me. Many security researchers make it their normal practice to publish the full details of zero-day exploits – some arguing that the pressure thus applied is the only way to ensure the problems get fixed. It’s a legitimate argument to make and it should not, in my view, be a matter for the courts to judge on as a matter of routine.

I am not a lawyer but my understanding is that temporary injunctions are usually granted pending a full hearing – to preserve the status quo ante while the full legal arguments are heard: so this may have some time to run yet.

8 thoughts on “Court blocks the publication of a scientific paper”

  1. Stopping ordinary people from knowing about this will not in any way stop the criminals from knowing about it… Keeping the people from expecting a rapid solution only aids the criminals at the expense of the customers. This is aiding and abetting the car thieves.

  2. Any radio ham can wreak total havoc on these so-called immobilisers; the 70cm band is very useful. Blame the EU for insisting car systems are put in the middle of the ham 70cm band.

  3. The Guardian apparently wrote that Volkswagen only asked for the actual “start codes” to be omitted from the paper. When the author declined, they tried to get the temporary injunction. If this is true, I think it’s Garcia’s own fault. From a scientific standpoint there is nothing gained from knowing the start codes and if he just wanted to prove that he was successful, he could have published a sha1 of the values.

    1. +1. In fact, I think the symposium should insist on a redacted version as a condition of acceptance.

  4. Let’s think: VAG (Volkswagen Auto Group) uses its key systems on Audi, Porsche, Bentley, Lamborghini and Bugatti. That’s a lot of high-dollar metal at stake…
