Truth About Computer Security Hysteria
Lexus automobile virus (urban legend)
CATEGORY: Myths & urban legends
CATEGORY: Hysteria over a computer security URBAN LEGEND
SC Magazine reporter David Quainton and ZDNet reporter Dan Ilett published stories in late January about an unknown computer virus that might have infected Lexus automobiles. According to the stories, Russian antivirus firm Kaspersky Labs revealed it was contacted "by a user asking how to disinfect the onboard computers of several Lexus cars... The user said that the infection occurred via a mobile phone."
Quainton's story quoted Eugene Kaspersky as saying "if infected mobile devices are scary, just thinking [sic] about an infected onboard computer." F-Secure spokesman Mikko Hyppönen talked in the story about computer security threats for both cars and aircraft.
(Computer security "news" routinely lacks attribution, which in turn leads the experts themselves to believe myths & legends. But to Schneier's credit, he correctly described the Lexus virus as "unconfirmed rumors.")
Lexus Product Communications Manager Bill Ussery spoke with Vmyths by phone the day Schneier's newsletter went out. In a follow-up email to Vmyths, Ussery explained "Lexus and its parent companies ... have investigated this rumor and have determined it to be without foundation for the following reasons:
Vesselin Bontchev (FRISK) agreed. "Such a virus doesn't exist yet. It has only been speculated (by Kaspersky Labs, apparently, and then F-Secure have chimed in) that it is possible... [Our antivirus software] gets updated when new known viruses are discovered. Sadly, we can't scan for hypothetical viruses yet." Graham Cluley (Sophos) chimed in with a sound observation. "The media loves to hype virus threats on devices where there isn't a problem, often ignoring Windows desktop PCs which can be bombarded by real attacks every hour of the day."
So there you have it, folks. Just another urban legend — spawned by society's gullibility over computer virus rumors. Stay calm. Stay reasoned. And stay tuned to Vmyths.
Bruce Hughes (ICSA Labs) joked about the notion of test-driving a computer virus. "I'm trying to get the company to buy me a Lexus for testing." Bontchev made the same joke. "The boss firmly refused to buy us a Lexus for 'replication and testing' purposes." Hyppönen chimed in, too. "When we heard about this, boys in our lab immediately left three purchase orders in our IT hardware order system for Lexuses 'for testing purposes.'"
Did Kaspersky Labs start this urban legend as a publicity stunt?
Vmyths believes Kaspersky Labs actually did get a phone call from someone with a frustrating Lexus problem. It's still a common tactic for antivirus vendors to create publicity for these things, and we believe Kaspersky Labs followed established norms for creating media hype.
Kaspersky Labs shielded itself from full embarrassment by telling the media they were only "investigating" a Lexus virus accusation. Hence, we must largely blame this urban legend on the many experts and pundits who failed to exercise caveat lector when they retold the story in their own words.
Vmyths has documented any number of cases where experts incorrectly accuse a computer virus/worm of causing havoc (with much fanfare), and then look foolish when the innocuous truth comes out (with little fanfare). History suggests the computer security community won't go out of its way to clarify this story.
Did Lexus at first "refuse to comment" on this urban legend?
David Quainton and Dan Ilett both said Lexus had chosen not to discuss the incident. Ussery contested this, saying "Lexus has responded promptly to all media inquiries regarding this matter. Contrary to the original story that appeared on ZDNet, Lexus was never contacted for comment by the writer."
Both reporters live in Britain — not the U.S. or Japan. An investigation by Vmyths leads us to suspect both reporters contacted an out-of-the-loop representative in England who declined comment. Each reporter had enough statements from Kaspersky Labs and other computer security firms to file their stories.
On 15 February 2005 (just a few hours after Schneier's newsletter went out), Ussery fired off a letter to the editors at SC Magazine. This letter almost certainly spawned a story the next day by David Quainton titled "Lexus hits out at car virus claim."
Kaspersky Labs founder Eugene Kaspersky did not respond when Vmyths tried to get a clarification from him.
Last updated: 2005/3/19