Volkswagen car hack revealed after two year injunction

Volkswagen suppressed details of a security flaw in their cars that could have allowed hackers to steal tens of thousands of luxury vehicles without using a key.

A problem with the Megamos Crypto transponder, which blocks cars from starting by checking a key’s electronic message when inserted in the ignition, was presented to the car makers back in May 2013, but has since been subject to an injunction.

Following lengthy negotiations a paper detailing the flaw was presented at the Usenix security conference in Washington DC, revealing how the authentication in the Megamos Crypto could be bypassed.

As a concession to Volkswagen, a sentence was redacted from the paper which explained an element of the calculations the chip uses to secure the car, an omission said to greatly increase the difficulty of carrying off the attack.

Among the high-end brands affected by the flaw are Bentley, Porsche and Lamborghini, with Audi, Fiat, Honda and Volvo also hit by it.

To carry off the attack, the researchers listened in twice to the radio signal of an "authentication trace", reducing the number of possible key matches and allowing them to "brute force" the system by running through 196,000 potential codes.

The entire process was said to have taken half an hour.

In February 2012 the flaw was shown to the makers of the afflicted chip by Roel Verdult and Baris Ege of Radboud University in the Netherlands, and Flavio Garcia from the University of Birmingham.

When after more than a year these details were handed over to Volkswagen the car maker applied to the UK High Court for an injunction, which duly granted over fears the information’s release would aid criminals.

Nicko Van Someren, chief technology officer at security vendor Good Technology, said: "This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet.

"Increasingly, in the rush to connect ‘things’ for the Internet of Things, we find devices that were designed with the expectation of physical access control being connected to the Internet, the cloud and beyond."