August 18, 2015

Volkswagen car hack revealed after two year injunction

Researchers found way to hijack car by listening to radio frequencies.

By Jimmy Nicholls

Volkswagen suppressed details of a security flaw in their cars that could have allowed hackers to steal tens of thousands of luxury vehicles without using a key.

A problem with the Megamos Crypto transponder, which blocks cars from starting by checking a key’s electronic message when inserted in the ignition, was presented to the car makers back in May 2013, but has since been subject to an injunction.

Following lengthy negotiations, a paper detailing the flaw was presented at the Usenix security conference in Washington DC, revealing how the authentication in the Megamos Crypto could be bypassed.

As a concession to Volkswagen, a sentence was redacted from the paper which explained an element of the calculations the chip uses to secure the car, an omission said to greatly increase the difficulty of carrying off the attack.

Among the high-end brands affected by the flaw are Bentley, Porsche and Lamborghini, with Audi, Fiat, Honda and Volvo also hit by it.

To carry off the attack, the researchers listened in twice to the radio signal of an "authentication trace", reducing the number of possible key matches and allowing them to "brute force" the system by running through 196,000 potential codes.

The entire process was said to have taken half an hour.

In February 2012 the flaw was shown to the makers of the afflicted chip by Roel Verdult and Baris Ege of Radboud University in the Netherlands, and Flavio Garcia from the University of Birmingham.

When, after more than a year, these details were handed over to Volkswagen, the car maker applied to the UK High Court for an injunction, which was duly granted over fears the information’s release would aid criminals.

Nicko Van Someren, chief technology officer at security vendor Good Technology, said: "This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet.

"Increasingly, in the rush to connect ‘things’ for the Internet of Things, we find devices that were designed with the expectation of physical access control being connected to the Internet, the cloud and beyond."
