Recently a British court ordered researchers to withdraw a paper, “Dismantling Megamos Security: Wirelessly Lockpicking a Vehicle Immobiliser” from next week’s USENIX Security Symposium. This is a blow not only to academic freedom but also to progress in vehicle security. And for those of us who have worked in security for a long time, it raises bad memories of past attempts to silence researchers, which have touched many of us over the years.
The paper, by Flavio Garcia of the University of Birmingham and Roel Verdult and Baris Ege of Radboud University Niemegen, would have discussed the operation and security of Megamos, a cryptography-based system used in most or all recent Volkswagen-made vehicles. Megamos wirelessly authenticates a key to the car, and vice versa, so that the car can be started only by an authorized key. Unfortunately, as the paper would have explained, Megamos has vulnerabilites that would allow an attacker to start the car without a legitimate key in some circumstances.
There is a fallacy, typically more common among non-experts, that only “constructive” security research—that is, research that claims to describe a secure system—has value. In fact, case studies of vulnerabilities can be very valuable. Given that most security systems turn out to be vulnerable, it pays to understand in detail how and why sophisticated designers end up shipping vulnerable technologies—which is exactly what the Megamos paper was apparently trying to do.
This case has strong echoes of an incident in 2001, when the Recording Industry Association of America and some other entities threatened to sue my colleagues and me over our case study of several copy protection technologies for compact discs. The RIAA and friends threatened to sue us and others if we went ahead with publication of our paper. Under these threats, we withdrew the paper from its original venue and went to court to secure the right to publish. With help from the EFF, USENIX, and others, we were eventually able to publish our work in the 2001 USENIX Security Symposium.
The two cases are similar in many ways. Both involved a case study paper that described how a technology worked and why it was vulnerable. Both papers were fully peer reviewed and accepted for publication, and in both cases affected companies knew about the papers well in advance but acted only late in the game to try to block publication. We faced threats of a lawsuit, whereas the Megamos researchers were actually ordered by a court not to publish (pending further court proceedings). And in both cases the threatening companies seemed to be motivated mostly by a fear of embarrassment due to their poor engineering choices becoming public.
As usual, the attempt to avoid embarrassment will fail. By trying to block publication, the company is effectively admitting that it has something to hide and that the paper is correct in saying that Megamos is vulnerable. Of course trying to block the paper will only draw more attention to the flawed technologies. But what the company might succeed in doing is to withhold from researchers and practitioners the main value of the paper, which is its diagnosis of exactly what went wrong and why, that is, the lessons it teaches for the future.
This is yet another example of the legal system’s apparent ambivalence about security research. We hear that digital insecurity is a major challenge facing society. But at the same time the law seems too eager to block or deter the very research and scholarly communication that can help us learn how to do better.