A Birmingham scientist has won a two-year legal battle to finally publish research revealing a major security flaw that could leave scores of car models at risk of being stolen.
Volkswagen had used its lawyers to keep under wraps the research of computer scientist Flavio Garcia and his colleagues Baris Ege and Roel Verdult from Radboud University Nijmegen in the Netherlands.
They discovered more than 100 models of car produced by 26 car manufacturers were at risk of theft by hackers who could crack codes to produce fake keys – thanks to flaws in a device designed to prevent vehicles from being stolen.
READ MORE: {}
Among those at risk are Audi, , Skoda, Citroen, Fiat and Volvo, as well as top of the range sports cars produced by Porsche and Ferrari.
After a lengthy legal wrangle, which saw Volkswagon suing both the universities and researchers, Volkswagen has now agreed to the publication of the paper after the researchers agreed to omit a single line from their report – a pivotal detail which could allow a nontechnical person to work out the hack.
Computer chips inside key fobs and car ignition switches are meant to make car theft more difficult. A car should only start if the chips are near each other and transmit the right code.
However, the researchers claimed a flaw lies with in a chip called a Megamos Crypto transponder – widely used in the car manufacturing industry.
The transponder “talks” to the key fob wirelessly to check its identity and if it can’t find the correct code, it immobilises the engine.
Most Read
In theory there are billions of possible combinations for the code, making it all but impossible to happen upon the right one by chance.
But the hackers discovered that by listening in to the wireless communication between the car and the transponder just twice, they could narrow the number of possible combinations down to just 200,000. Then an automated ‘cracking’ programme could try each one of those 200,000 codes – allowing it to find the right combination in just half an hour.
And once the right combination has been found, it would be child’s play for the hackers to make a fake key that will be recognised by the car as the real deal.
Mr Garcia said: “It’s a bit like if your password was ‘password’.
“We want to emphasise that it is important for the automotive industry to migrate from weak proprietary ciphers like this to community-reviewed ciphers and use it according to the guidelines.”
A Volkswagen spokesman said the hack takes “considerable, complex effort that’s unlikely to be used except by tech-savvy, organised crime syndicates”.