Anti-theft devices found on millions of vehicles have been vulnerable to wireless hacking for years, according to security researchers from the UK and the Netherlands.
The researchers presented their findings to car maker Volkswagen in 2013, but were prevented from publishing their results after the car maker was awarded an injunction by a UK high court that same year. The research paper is finally being published and presented this week at the USENIX security conference in Washington, D.C.—albeit with a one-line redaction.
In their study, the researchers reverse engineered a car security component called the Megamos Crypto transponder, found in "one of the most widely deployed electronic vehicle immobilizers." According to the researchers, the transponder is used in most Audi, Fiat, Honda, Volkswagen and Volvo cars, and contains a radio-frequency identification (RFID) chip, which prevents a vehicle's engine from starting up if a matching key fob isn't close enough to the vehicle.
The device is meant to reduce car thefts by preventing vehicles from being hot-wired—but the researchers found they could exploit a vulnerability in the transponder's hardware and software to wirelessly start the car instead.
"It's not an easy flaw to fix," Samy Kamkar, a well-known hacker and cyber security expert, told me over the phone. "Those researchers found some critical weaknesses within the actual algorithm and its implementation."
In several cars of different makes and models, weaknesses in the transponder's encryption algorithm enabled hackers to crack the immobilizer, emulate a key fob, and wirelessly start the vehicle within 30 minutes. Fixing the flaws in this system would involve a mass vehicle recall, as both the affected hardware in the vehicles and the chips in the car key fobs need to be replaced.
Currently, both the cipher design and authentication protocol—in other words, specifics about the security measures used—have been kept a secret by the transponder's manufacturer, according to the report. This, said Kamkar, put the manufacturer at a disadvantage as it meant that no outside parties could inspect and scrutinize the transponder's operating system in order to make it more secure.
"If it were open source, the flaws would have been found much earlier on, and you would have way less customers/consumers using this flawed system," said Kamkar, noting that it would be beneficial for the automotive industry to start readapting their thinking around vehicles.
"For years we've had so many different layers of protection on computers to make sure that they don't get a virus, or so that hackers don't get in," he said. "Now that our cars are computers, we need to be just as cognizant [of the fact that] this is a computer, it's on the internet, someone could connect to this, and if there's a vulnerability, they could potentially take off with the car."
According to a BBC report, the paper's researchers have been talking and collaborating with car makers to make their vehicles more hack-proof. A Volkswagen spokesperson stated over email that "Volkswagen has an interest in protecting the security of its products and its customers [...] In all aspects of vehicle security, be this mechanical or electronic, we go to great lengths to ensure the security and integrity of our products against external malicious attack."