More than 100 car models appear to have a major security flaw, researchers said, after a major auto manufacturer suppressed the news for two years.
Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university were unable to release the paper after Volkswagen won a case in the High Court of Justice in the United Kingdom to ban its publication.
The research team discovered that car manufacturers including Audi, Citroën, Fiat, Honda and Volvo, as well as Volkswagen, had models vulnerable to “keyless theft” because a device designed to prevent a thief from stealing the vehicles could be disabled easily.
After years of formal and informal negotiations, Volkswagen agreed to the publication of the paper after accepting the authors’ proposal to remove one sentence from the original manuscript.
Garcia and his colleagues Roel Verdult and Barış Ege, from Radboud University in Nijmegen, said they found several weaknesses in the Swiss-made immobilizer system, called Megamos Crypto. The device works by preventing the engine from starting when the corresponding transponder – embedded in the key – is not present.
But the researchers showed it was possible to listen to signals sent between the security system and key, making the vehicles vulnerable to “close-range wireless communication” attacks.
“Our attacks require close range wireless communication with both the immobilizer unit and the transponder,” the team say in the paper. “It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket.”
The computer scientists had wanted to publish the paper at the Usenix Security Symposium in Washington DC in 2013, but the court imposed an interim injunction. Volkswagen said its publication could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.”
The researchers said they were “responsible, legitimate academics doing responsible, legitimate academic work” and their aim was to improve security for everyone.
RAC Limited, a British automotive services company, said electronic security systems have improved car security as vehicle theft has fallen 70 percent in 40 years. However, the overall decrease hides a rise in electronic hacking of vehicles, which featured in four out of 10 car thefts in London last year.
Automobile vulnerabilities continue to make headlines: researchers from the University of California, San Diego, revealed a vulnerability after they hacked a car, remotely activated its windscreen wipers and disabled its brakes, all via text message.
In July, Fiat Chrysler recalled 1.4 million cars and trucks in the U.S. after hackers took control of a Jeep over the Internet.