re: How To Hack A Porsche Research Muffled
Let's look at all of the facts. first points from the article, then my take on each one
The researchers said "They said they found a software program on the Internet, publicly available since 2009, that included the algorithm, which was created by French security group Thales."
The researchers said they obtained all of the information in their paper from the public domain, meaning no significant obstacle would face anyone else who wants to find exploitable vulnerabilities in the immobilizers. "The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," said Radboud University Nijmegen.
An attacker would have to run a software program that would take, on average, two days to identify a working crypto crack. The software would need to be run fresh for every different immobilizer targeted.
The automaker also argued that the algorithm used to disable the car's immobilizer was confidential information.
Attorney Tom Ohta at British law firm Bristows told the BBC that the manner in which the researchers had obtained the cryptographic details has so far proved to be their legal undoing. "An important factor here was that the academics had not obtained the software from a legitimate source, having downloaded it from an unauthorized website," he said. "This persuaded the court that the underlying algorithm was confidential in nature, and bearing in mind the public interest of not having security flaws potentially abused by criminal gangs, led to the injunction."
This tells me that the information is on the internet and can be found, and that the algorithm was created by Thales. I'm not sure where 2009 comes into play - was that when Thales created the algorithm or when the information was put on the web?
The researchers say the algorithm is crackable, based on mathematics.
I know that any algorithm is crackable, but good ones take years to break (where breaking the algorithm means that someone could log in as someone else, or gain access to information they should not). Plus, the information is on the web, most likely open to anyone.
Two days to hack a Porshe? That makes it almost worthwhile.... naw.... too long.
If the algorithm is confidential information, then anybody knowing the algorithm is "unauthorized".
I also know that even secret algorithms can be discovered, given enough computing power and time. this is why hiding the algorithm and saying "I'm secure" is security suicide.
The lawyer is saying that because the researcher did not get the algorithm from Thale or Volkswagen, the researchers "downloaded it from an unauthorized website." See my second part of 3, above.