I tend to agree this is something that should not be debated in public through PR releases. I hate it when security companies do that in the IT world. Both sides need to sit down and discuss the issue. Public discussion of security issues is fine, but in an area like this, it might not be a good idea. It's not like all the car systems can be patched like a operating system can.

Public discussion of security issues is a must (after a reasonable amount of time is given for the company to workaround or patch the issue). Security through obscurity is no way to make your car secure.

@Ickypoopy: Exactly.

But security through obscurity works so well! Look at DirecTV cards, CSS (DVD encryption), DRM, etc.
/sarcasm off

They should be shot just for the name KEELOQ - geez.

"[Keeloq] does not believe a public debate on how to steal vehicles benefits consumer security." Thus proving they don't actually get security.

Just as a point of reference, the best cryptology algorithms are open-source, like RSA and Blowfish. If everyone can look at how it encrypts and decrypts, the flaws get shown real quick, but knowing how the encryption works still doesn't let you decrypt something without the base numbers used.

simple challenge:

get out of your lab and go steal a KEELOQ car, or stfu.

personally, I'd love to see the video on youtube.

unfortunately, I'm a skeptic with respect to most of these "proof of concept" press releases. Sort of reminds me of the nerd who says I COULD TAKE ANYONE OUT WITH THIS KARATE MOVE... and then shows us a "proof of concept".

@cde: Don't the NSA/DOJ have backdoors to these anyways?

@Crazytree:
A backdoor to keeloq? Why yes--it's called a tow truck.

@bnet41: As a member of one of those security research groups, let me tell you something. If security research groups did NOT release their findings, the companies would NEVER patch their software. The holes would still be found, but it would be by the people you do NOT want to know about your security holes.