For over two years, security researchers have known (and shared with automotive executives) that the keyless entry and ignition systems used in vehicles made by a wide variety of manufacturers, including Volkswagen, Fiat, Honda and Volvo, have been at especially high risk of electronic hacking and theft. But the public is only learning this now because Volkswagen has spent the past two years trying to suppress this information in the courts.
Of course, “keyless” theft has been possible for as long as cars have existed – in the old days, skillful thieves without keys could break into locked cars and hot-wire the engine. But modern “keyless” theft is essentially another form of computer hacking, and as keyless entry and ignition systems have become more commonplace, so too has remote keyless theft.
Keyless theft on the rise
In the U.K. last February, London's Metropolitan Police urged drivers to take stronger measures to protect cars with keyless controls, since keyless thefts accounted for 42 percent of all the previous year's vehicle thefts in the city.
Of course, some makes and models of cars are more susceptible to such thefts than others. A few months before London police issued their warning, insurance companies in London outright refused to insure new Range Rovers unless they were stored in secure parking facilities, since an electronic device readily for sale on eBay made it ridiculously easy for thieves to steal them.
In 2012, researchers Roel Verdult and Baris Ege from Radboud University in the Netherlands, and Flavio Garcia from the University of Birmingham in the U.K., discovered severe security flaws in the Megamos Crypto immobilizer transponders used in many Volkswagen-owned luxury-brand vehicles, including Audi, Porsche, Bentley, and Lamborghini, and other brands including Volvo, Honda, Fiat, and some models of Maserati.
Of course, such immobilizers are supposed to be an anti-theft measure, immobilizing a vehicle (by making it impossible for the engine to run) unless the legitimate owner's key fob, containing an RFID chip, is in the immediate vicinity. However, as Verdult, Ege, and Garcia discovered in 2012, the RFID chips used in the transponders themselves contain security weaknesses which luxury-car thieves could easily exploit.
Volkswagen weaknesses revealed
Volkswagen responded to the discovery with a lawsuit against the researchers, to prevent them from publishing their findings. And only this week have the three been allowed to present their findings (available as a .pdf here) publicly, at the USENIX security conference in Washington, D.C.
Tim Watson, Director of Cyber Security at the University of Warwick, said “This is a serious flaw and it's not very easy to quickly correct. It isn't a theoretical weakness, it's an actual one and it doesn't cost theoretical dollars to fix, it costs actual dollars.”
In February 2012, Verdult, Ege, and Garcia told the chip manufacturer about the problem; then they told Volkswagen about it in May 2013. Volkswagen sued the three in the U.K. and, in July 2013, won a court injunction against them, on the grounds that if information about the vulnerability were published, it would “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.”
At the time, the Guardian (U.K.) observed that “[the researchers] said they informed the chipmaker - which was contracted by Volkswagen - nine months before the intended publication so that measures could be taken. … Ege and Verdult said that in Holland a six-month quarantine between scientific discovery and publication was considered the norm, but they too would be respecting the decision of the British court.”
But finally, after years of negotiation with Volkswagen, Ege, Verdult, and Garcia got permission to publish their findings, after making certain key edits. Specifically, they deleted one sentence from their original report, and presented the revised version of the paper at the USENIX conference.
A spokesperson for VW said that “Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector.”