There is a major security vulnerability present in tens of thousands of cars, research from 2013 has revealed. The findings of this important study have only just come to light after an injunction on its publication was lifted.
Security researchers from the University of Birmingham in the UK and Radboud University in the Netherlands discovered that there was a significant flaw in the Megamos Crypto transponder, which is widely used in vehicles belonging to the likes of Audi, Fiat, Honda, Volkswagen and Volvo.
The team noted in its paper that this anti-theft immobilizer, which is intended to prevent thieves from easily taking off with a car, has serious shortcomings.
In fact, they went so far as to say it left many cars vulnerable to a “trivial” denial-of-service attack.
For example, the encryption process between the key fob and the on-car transponder was so weak that researchers were able to hack into the system within 30 minutes.
“Our attacks require close range wireless communication with both the immobilizer unit and the transponder,” the authors elaborated in their paper.
“It is not hard to imagine real life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim's pocket.”
This detail, along with the rest of the study, was intended to be discussed at the 22nd USENIX Security Symposium in Washington DC in 2013.
However, the universities were prevented from fully disclosing their findings when Volkswagen and the Thales Group, a major French electronic systems company, won an injunction from a high court judge in the UK.
It was successfully argued at the time that the information, if revealed, would cause more harm than good.
Volkswagen said at the time that the publication could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car”.
Thankfully, after years of intense negotiations, the researchers have finally been able to publish their report, although they have had to slightly amend the original manuscript. One sentence has been omitted.
A spokesperson for Volkswagen said: “Volkswagen has an interest in protecting the security of its products and its customers. In this connection Volkswagen does not make available information that might enable unauthorised individuals to gain access to its vehicles.
“In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”