It's unclear if the authors actually responsibly disclosed this; although they did make some attempts at contacting Honda, it's unclear how long they waited for a reply.
> What does Honda think about this Rolling-PWN Bug?
> We have searched through the Honda official website, but we cannot find any contact info for reporting vulnerabilities. It seems Honda Motor DOES NOT have a department to deal with security-related issues for their products. And a person who works at HONDA has told us "The best way to report the Honda vulnerability is to contact customer service". Therefore, we filed a report to Honda customer service, but we have not gotten any reply yet.
Is the obligation to find a security disclosure contact really on an individual researcher who already did free work for them, or is it on Honda to make it easy? I do not blame them at all.
If corporations deprioritize security, that doesn’t mean we should shift responsibility onto individuals.
What would the illegal part be in this instance? They're not illegally accessing Honda's services, which is what most security researchers can end up sued about. This is a local replay attack using the researcher's own hardware. I don't see why they would possibly need to inform Honda first.
Responsible disclosure for issues like these is more of a courtesy to show good intent and to protect people by allowing the manufacturer to roll out patches. Honda doesn't seem interested in protecting their customers and they seem unwilling to get into contact with these people, so if it's true that they tried to contact Honda, that's enough of a courtesy for me, at least.
> What would the illegal part be in this instance?
I don't know exactly what country they're located in, but I'm assuming that filming yourself unlocking random people's cars in the wild can be classified as breaking into something, especially if a corporation would like to bury a story and has government contacts it can engage to do the silencing.
I don't see anything wrong with what they did, they went above and beyond to test Honda's systems for Honda, in exchange for nothing. But I do worry about courts not being as technically adept as me, and not seeing it like this.
Opening random cars is probably a crime, but do we have reason to believe they weren't testing on their own car?
They go out of their way not to make the details public to prevent car theft so I think any decent court should see that they're operating in good faith. A bad court may sentence them regardless, but I don't think responsible disclosure would've helped them in that situation either.
> Opening random cars is probably a crime, but do we have reason to believe they weren't testing on their own car?
Yes, we do, since one of their videos is labeled "field test", which I presume means "testing random vehicles found in the wild".
> We have successfully tested the latest models of Honda vehicles. And we strongly believe the vulnerability affects all Honda vehicles currently existing on the market. Please see the field test video down below.
> so I think any decent court should see that they're operating in good faith [...] A bad court may sentence them regardless
I hope so too, for the sake of the authors. Overall, they did the only thing they could do in this situation, since Honda doesn't seem to be receptive to security disclosures at all.
Given that the author(s) live in China and have been doing similar tricks for, like, forever, I don't think most of the "crime" or "court" things in this thread make any sense to them.
Yup, not necessarily good, just that I don't see them in immediate trouble.
Laws are lacking for these cases in China; OTOH you don't face fair judgement if someone decides to f-u :( see WooYun[1] for an example. tl;dr China had its own HackerOne/BugCrowd, and it was even founded earlier than both, only to have it killed in 2016 because it annoyed the wrong guy.
You might be able to get them on unauthorized access to a computer system, but I believe this would technically fall outside most places' laws regarding breaking into a vehicle, since they didn't actually open the vehicle.
But that's a criminal matter, in a crime that doesn't target Honda. Getting police to prosecute that without naming any victims would be hard, if it's even legally possible in their jurisdiction. Getting anywhere would involve some legwork from Honda to find the victims, and convincing the relevant parties to prosecute, before you get to a court case at all.
Looks like they published various videos of them exploiting the vulnerability in public space. Supposedly, OSINT techniques could at least uncover these locations.
> What does Honda think about this Rolling-PWN Bug?
> We have searched through the Honda official website, but we cannot find any contact info for reporting vulnerabilities. It seems Honda Motor DOES NOT have a department to deal with security-related issues for their products. And a person who works at HONDA has told us "The best way to report the Honda vulnerability is to contact customer service". Therefore, we filed a report to Honda customer service, but we have not gotten any reply yet.
> In addition, we found an article from Bleeping-Computer (https://www.bleepingcomputer.com/news/security/honda-bug-let...), which seems to show that Honda does not care about security issues anyway :(
Hope the authors are either anonymous enough or in a jurisdiction they can't be sued for making this public.