Now, many might be getting quite paranoid about the recent spate of stories revolving around wireless hacks, nifty devices like ‘Rolljam’ and inherent vulnerabilities in connected vehicles that leave them exposed to enterprising hackers.
Well, unfortunately, there’s more bad news. According to Bloomberg, Volkswagen has spent two years trying to hide a huge security flaw that affects thousands of cars from a range of manufacturers. The carmaker has spent two years suppressing the research findings in courts.
The publication states that ‘keyless’ car theft, where hackers target to exploit flaws in electronic locks and immobilisers, now account for 42% of vehicular theft in London. The city’s Metropolitan Police has stated that BMWs and Range Rovers are definitely at risk, as a tech savvy thief could do a proper getaway in these rides under 60 seconds.
Apparently, Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham have presented an academic paper at the USENIX security conference in Washington DC, where they detail how the cryptography and authentication protocol used in the ‘Megamos Crypto’ transponder can be exploited by hackers to ultimately abscond with these luxury vehicles.
This particular immobilizer transponder, the ‘Megamos Crypto’, is most commonly used in Volkswagen-owned brands such as Audi, Porsche, Bentley and Lamborghini. Worryingly, it is also used in brand such as Fiat, Honda, Volvo and some Maserati models too.
Amazingly, the publication states that these researchers broke the transponder’s 96-bit cryptographic system by listening in twice to the radio communication between the key and the transponder.
Since this reduced the pool of potential secret key matches, the researchers opened up the ‘brute force’ option, which ran through 196,607 options of confidential combinations of key codes till they found the suitable key code, all in less than half an hour. The Bloomberg report adds that there’s no quick fix to the problem, as the RFID chips in the keys and transponders inside the cars must be replaced, which would result in a lot of labour costs.
It seems that the research team took its findings to the manufacturer of the chip in February 2012 and then to VW in May 2013, and after the car-maker filed a lawsuit to block the publication of the paper – successfully arguing the case that doing so would expose its vehicles to the risk of theft – the UK’s High Court granted an injunction. Significantly, the paper is now in the public domain, with one sentence omitted.
“This single sentence contains an explicit description of a component of the calculations on the chip,” Verdult said, when speaking to the publication, adding that by removing the sentence it was much more difficult to recreate the attack.
Volkswagen responded swiftly to the publication’s expose – a company spokesman said that anti-theft protection is still reliable even for the older models, while current models are totally secure and invulnerable to these attacks. In any case, there is also list of manufacturers and car models above that may be open to these hacking exploits. The list is focused on vehicles that use Megamos Crypto, and the ones in bold are the models that the research team experimented on.
Looking to sell your car? Sell it with Carro.
padlock and detachable steering wheel might be the new solution although mr bean has been using it decades ago
did you know your steering can be easily cut and remove those steering locks by twisting it out?
err..i didnt say steering lock..do u know mr bean?
Remake of the movie; Gone In 60 Seconds: Wireless Edition
Broken down DSG will oso prevent theft of the VW. Maybe that’s why they dun wanna fix either DSG or autolock problems.
Pun intended. If i were UMW or DRB HICOM, I’d start removing keyless go and tell my customers, “keyless entry not safe you know….”
Is VW’s DSG really really reslly troublesome mr?
Is this referring to cars with keyless entry & keyless go only or all types of entry/ignitions? Cos (correct me if i’m wrong), didn’t know an Audi A4 from 2000 had keyless entry/go. Or even a Honda Jazz from 2002. So this must apply to all types of cars regardless of whether its using keyless go or requires a key (with RFID inside the key I suspect). Quite scary to be honest.
Now that this is publicly known, what will happen if the car gets stolen? Will insurance companies compensate or they will just refuse by saying that it was a known threat, and the owner didn’t do anything to prevent it? But how will a car owner be able to prevent it, until the manufacturer comes up with the proper control measures? I suspect a huge global recall might be coming, even bigger than the Takata airbag issue recalls.
if it was not available to malaysia spec does not necessarily not available to other advance markets like Japan, or Germany or Hong Kong, Taiwan and USA.
I give up on this VW already.
and still they claim it is super safe with autonomous driving, ya, like i am gonna believe it.
Volkswagen cyber-attacks customer website to destroy images of their defective cars!
The website.
http://www.vwfraudclassaction.com/