Security flaw affecting 100-plus car models exposed

18 August 2015

An academic paper has exposed a massive security flaw in more than 100 car models, which a major manufacturer has kept secret for the past two years.

Volkswagen won a high court case to keep the paper, written by the University of Birmingham's Flavio Garcia and two colleagues from a university in the Netherlands, from being published.

The team found that car manufacturers including Audi, Volvo, Citroën, Honda and Fiat, as well as the aforementioned Volkswagen, had cars that were exposed to 'keyless theft' because a device that was supposed to stop cars from being nicked could be easily disabled.

And now, after a series of negotiations, Volkswagen have agreed to the report being published after getting one sentence removed from the original paper.

Garcia, and Roel Verdult and Bariş Ege from Radboud University in Nijmegen, said that they discovered flaws in the Swiss-made immobiliser system called Megamos Crypto, which is a device that stops the engine from starting when the corresponding transponder (which is embedded in the key) is not present.

However, it was found that it was possible to listen to signals sent between the key and the security system, which means that cars could be attacked by "close-range wireless communication."

"Our attacks require close range wireless communication with both the immobiliser unit and the transponder," say the team. "It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a set-up with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket."

An injunction stopped the report from seeing the light of day, with Volkswagen arguing that the report would basically give criminals an idea or two. However, the research team brushed that complaint aside, saying that they were "responsible, legitimate academics doing responsible, legitimate academic work".

This, of course, follows the recall of 1.4m Fiat Chrysler vehicles after some hackers got control of a Jeep.

1 comment

  • oldgit
    So technically possible but practically unlikely then, much easier to actually nick the keys.