At this week's Black Hat conference in Las Vegas, Charlie Miller and Chris Valasek will present on on-board car computer insecurities to thousands.


The DARPA-funded research will show how they can control a Toyota Prius and Ford Escape from the vehicles' ECU (Electronic Control Unit) including moving the car, stopping the car and sounding the horn.

In contrast, a House of Lords injunction granted by Volkswagen has gagged Univerity of Birmingham lecturer Flavio Garcia from presenting his research into the Megamos crypto RFID chips. These chips are used by the immobiliser in Volkswagen's cars.


Volkswagen claim that it could lead to the theft of millions of Porsches, Audis, Bentleys and other high end cars. According to a recent Telegraph article, Mr Garcia and his colleagues asserted that they are "responsible, legitimate academics doing responsible, legitimate academic work". Despite this, Mr Justice Birss ruled against the academics on the grounds that it would mean "that car crime will be facilitated".

So far, so reasonable, or so you might think. After all, such flaws may be difficult to fix and could lead to £250,000 cars being stolen by criminal gangs. Sadly this kind of thinking is all too common. The fact remains that the vulnerabilities in the RFID chips used to protect the cars still exist and are just as likely, if not less likely to be fixed.

As co-organiser of the UK's biggest technical information security conference, 44con, we often see research that's controversial. It's often controversial research that spurs changes. Barnaby Jack, the sadly recently deceased vulnerability researcher who famously 'jackpotted' ATMs at Black Hat, went on to do considerable research in the field of medical hardware, research that was in the process of improving medical security, just as his earlier work on ATMs led to improvements in ATM security.


44Con hasn't shied away from controversy either. At our first event one speaker presented ground-breaking research on weaknesses affecting the keylogging protections in Trusteer's Rapport, an anti-phishing security product used in homes across the world to securely access their bank accounts.

This injunction is a severe impediment on the ability for legitimate academic research to be openly discussed. It sets the precedent that if a vendor doesn't like what you're doing, they can gag researchers rather than address vulnerabilities providing they can convince a judge that there's criminal risk, which is no doubt easier than fixing a problem.

This will only lead such research underground, which is no good for anyone. When there's a market for vulnerabilities and exploits and legitimate routes for research are closed, then for many, selling to the bad guys will be the only option left.



Steve Lord co-organises 44Con and is technical director of Mandalorian