Security flaw affecting thousands of cars published, two years after VW injunction

Three-year-old research demonstrating the vulnerability of thousands of cars from manufacturers such as Audi, Citroën, Ferrari, Fiat, Honda, Skoda, Volkswagen and Volvo has finally been published, two years after VW secured an injunction against its publication.

The research, from the University of Birmingham and Radboud University, identifies a weakness in the Megamos Crypto system that allows a car engine to start without the keyfob containing the radio-frequency identification (RFID) chip.

Researchers found that “listening in” to RFID signals between the chip and the car twice would give them what they needed to reverse-engineer the codes required to start the car.

Although the security flaw was uncovered back in 2012, a UK high court awarded Volkswagen an injunction a year later, after the German car manufacturer insisted that publication would make it easier for criminals to steal cars utilising the Megamos Crypto technology. The paper – “Dismantling Megamos Crypto: Wirelessly Lockpicking Vehicle Immobiliser” – was finally revealed at the USENIX Security Symposium in Washington last weekend, with just one sentence redacted.

Volkswagen described the case as being settled “amicably”, but in an email to Mashable claimed that consumers shouldn’t be alarmed: “The circumstances presented in the laboratory can be replicated in reality only with considerable, complex effort, and in this relation organised crime will most likely have the greatest interest in implementing this method of circumvention in the form of tools.”

That’s not how Professor Tim Watson, director of the cybersecurity centre at the University of Warwick, sees the situation. “This is a serious flaw and it’s not very easy to quickly correct. It isn’t a theoretical weakness, it’s an actual one and it doesn’t cost theoretical dollars to fix, it costs actual dollars,” he told Bloomberg.

Actual dollars? Yep. The paper recommends that owners of the models affected change the chip system to one that includes a random number generator. Around 6,000 cars were stolen without keys last year, according to the Metropolitan Police.

Although cars from 26 manufacturers are affected, it’s not surprising that Volkswagen was the one to call for an injunction. There are 29 Volkswagen models listed as being affected, and the company also owns Audi, Porsche, Seat and Skoda, which account for an additional 30.

You can see the full list of affected models from the paper below.

Images from Gerry Lauzon and Frankieleon used under Creative Commons
