This is getting old, since how many times has this been repeated in the past years?
If you notify, so that good companies can analyse, patch and protect customers,
then you risk that "bad" companies will play "sly" and just sue you to stop the
information, rather than fix the problem. Or even better, fit you up for an attempted
extortion defense or shift the blame onto the reporter, using spin.
Most modern companies deny the existence of *any* responsibility to their customers,
employees or communities (natural, governmental or academic).
So why the expectation of different behaviour when it comes to security?
Actually, these issues are pretty useful when it comes to deciding on which
products to purchase, since you get to see the real ugly shapes behind the PR.
VW have pioneered the use of reduced, only 2-year warranties, at least in Europe,
without lowering the price of their cars. Support is not a priority factor for them.
Security has obviously been a low priority issue that they have decided *not* to
"waste" money on.
If the issue is really as reported, that given access (either physical or via some wifi "probe")
to the controller unit (CAN?) for the ECUs, since VW did not add encryption, authentication
or serious security, an intruder can control a lot of things in the car, even while it is
Which means that VW would:
1. Need not only updated software to fix the controller, they would probably need some
hardened hardware, probably including some TPM/tamperproof elements.
2. Need new supplier handling, development, testing, support and dealer support mechanisms.
3. Have to build a "PKI"-type infrastructure for their dealers, including identification/registration
key distribution and other key handling nightmares.
4. To avoid the potential liability issues, they might also need some additional components to
provide "black box" audit mechanisms, similar to flight recorders. Again with crypto,
tamper-proofing and crash resistance.
Which is all EXPENSIVE. And OBVIOUS. And offers dealer chain lockin and other
non-competitive medium+ term advantages.
So, apparently faced with an entirely foreseeable issue, VW chose the cheap option, and
now it has blown up in their faces. So they have to fix this, then do it right anyway.
And, depressingly predictably, what was the response?
Did they play the quality card, roll with it and try to convert it into a "branding"
op, while actually addressing the issue?
They sent in the lawyers.
Stifle discussion, threaten academics and try to kick the problem away under the table.
I would also bet that they are right now lobbying for new "responsible reporting" laws,
at German and EU levels.
Appearance, not substance.
Well, I won't be buying a VW, Audi, Skoda, Seat anytime soon.
To generalise, unless a company has contracted you to analyse and report on their products,
then what obligation or benefit do you have to report anything to them?
If you contact them to report an issue, companies have tried to frame you for extortion in order
to suppress the security vulnerability. "No comment on judicial process" ...
Publish and be damned, though the Heavens Fall.