Fixing the flaw will require replacing the keys of all affected vehicles

Security flaw in car immobiliser supressed for two years

News of a major security flaw in a widely used car immobiliser system was suppressed for two years by Volkswagen (VW).

The researchers behind the study discovered that the Megamos Crypto immobiliser system used by manufacturers including Audi, Fiat, Honda, Volvo and Volkswagen in more than 100 car models was vulnerable to 'keyless theft'.

However, they were prevented from releasing an academic paper on the vulnerability after German carmaker VW won an injunction in the High Court to stop its publication, which was due in 2013, by arguing that it could allow a sophisticated criminal gang to override the immobiliser and steal cars.

The system works by preventing the engine from starting when a radio frequency identification chip embedded in a car's key is not near the ignition, but the researchers from Raboud University in the Netherlands discovered that they could listen into the radio exchange between the chip and the system's transponder.

While the signal between the two was encrypted, as the system allowed unlimited attempts to authenticate the presence of the key the researchers were able to crack the code within 30 minutes using a standard laptop by simply having 200,000 attempts at randomly guessing the correct key.

"Our attacks require close range wireless communication with both the immobiliser unit and the transponder," said the paper.

"It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a set-up with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim's pocket."

To make matters worse for the manufacturers, the flaw is in the hardware of the system, meaning that solving the issue will require physically replacing the keys and transponders for every affected vehicle.

Security expert Ryan Kalember, from cyber-security firm Proofpoint said: "This is further proof that it's a bad idea to write your own cryptography algorithms. It's even more worrying that the supplier relied on the algorithm itself staying a secret - that type of 'security by obscurity' has a poor track record."

Mr Kalember added given the nature of the technology - and the inability of car owners to disable the function themselves - meant there was "no real defence" from the issue.

"The only thing a sufficiently concerned car owner could do is buy LoJack or a similar system that goes into effect once the car is already stolen."

The researchers had consistently argued in favour of publishing the report saying that their aim was to improve security for everyone.

The paper has now been made public following a series of discussions between VW and the researchers, with the car manufacturer accepting the authors' proposal to remove one sentence from the original report.

Recent articles

Info Message

Our sites use cookies to support some functionality, and to collect anonymous user data.

Learn more about IET cookies and how to control them