News

Car company kept security flaw in 100 different models secret for years

The researchers had discovered a weakness in an immobiliser system
The researchers had discovered a weakness in an immobiliser system

A major security flaw in more than 100 car models has been exposed after a car manufacturer kept the details suppressed for two years.

Three researchers, including a computer scientist from the University of Birmingham, were prevented from releasing the academic paper which detailed the flaw after Volkswagen won a case in the High Court to stops its publication.

The researchers had discovered a weakness in an immobiliser system used by car manufacturers including Audi, Fiat, Honda, Volvo and Volkswagen that made it vulnerable to "keyless theft", where the signal sent between the key and ignition could be listened into, making it vulnerable to attack, and cars open to theft.

The Swiss-made immobiliser system in question - Megamos Crypto - works by preventing the engine from starting when a transponder embedded in a car's key is not present. However the research paper showed it was possible to listen in to the signals between the two, creating the potential for it to be manipulated.

"Our attacks require close range wireless communication with both the immobiliser unit and the transponder," said the paper.

"It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a set-up with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim's pocket."

Volkswagen were able to gain an injunction on the publication of the report, which was due in 2013, by arguing that it could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car". The researchers argued that their aim was to improve security for everyone.

Security expert Ryan Kalember, from cyber-security firm Proofpoint said: "This is further proof that it's a bad idea to write your own cryptography algorithms. It's even more worrying that the supplier relied on the algorithm itself staying a secret - that type of 'security by obscurity' has a poor track record."

Mr Kalember added given the nature of the technology - and the inability of car owners to disable the function themselves - meant there was "no real defence" from the issue.

"The only thing a sufficiently concerned car owner could do is buy LoJack or a similar system that goes into effect once the car is already stolen."

Last month, Fiat Chrysler announced it was recalling more than a million vehicles in the US after hackers were able to take control of a Jeep remotely, over the internet.

The report has now been made public following a series of discussions between Volkswagen and the researchers, with the car manufacturer accepting the authors' proposal to remove one sentence from the original report.