7 car manufacturers affected by electronic key security flaw

Aug 16, 2015 07:32 GMT

High-end cars from Audi, Citroen, Fiat, Honda, Skoda, Volvo, and Volkswagen are vulnerable to car-hacking via their keyless engine start function.

While hacking into a car is certainly nothing new these days, suing the researchers who found a vulnerability in your car is, and that's what Volkswagen has been doing to 3 security experts for the past 2 years.

The group, made up of Roel Verdult, Baris Ege, and Flavio Garcia, researchers at Radboud University (Netherlands) and the University of Birmingham (U.K.), has been fighting since 2013 for the right to present their research paper, which discloses security vulnerabilities in the Megamos Crypto transponder, a component widely used in remote keyless entry systems.

These keyless entry systems are simple electronic devices that allow the driver to open or close the doors of a car when near it.

In recent years, these keyless entry systems have evolved, and nowadays they will also allow the driver to start the engine with the push of a button, either on the key itself or on the steering wheel.

The catch is that the electronic key needs to be near the car for the driver to be able to start it. This is because the electronic keyless system sends an encrypted signal to a special device in the car called an "immobilizer," authenticating the driver and the correct key, which then allows the engine to be started.

The security flaw resides in the electronic key system

The research paper that Volkswagen tried to block details a method through which an attacker could gain control over the car's engine start feature, without the key being near the car.

The attacker only needs to intercept a few communications between the key and the car, and by leveraging a security flaw in the car's built-in immobilizer, they can break the encryption key in less than half an hour, start the car's engine and make a clean getaway without ever being detected.

The fix for this security flaw involves changing the car's RFID chips, which means that affected companies need to recall all vulnerable models.

For this particular reason, Volkswagen sued the researchers in a UK court, trying to prevent them from publishing their data, arguing that this paper would make it very easy for a hacker to steal VW cars.

While their argument is true, the problem is that Volkswagen hasn't been recalling cars to fix them in the meantime, and eventually, after two years of litigation, the court has allowed the researchers to publish their findings.

Other car manufacturers at risk

The only compromise was the redaction of a single line that detailed some of the hacking procedures.

The paper will be presented at this year's USENIX conference in Washington DC in the fall, and will surely be one of the most followed talks.

Below is an image obtained by the Bloomberg staff, which details all the car manufacturers that have Megamos Crypto immobilizer transponders installed in their vehicles, along with the affected models. Cars in bold are the ones on which the security researchers tested their paper.

As you can see for yourself, besides the aforementioned Audi, Citroen, Fiat, Honda, Skoda, Volvo, and Volkswagen cars, other manufacturers like Alfa Romeo, Buick, Cadillac, Chevrolet, Daewoo, DAF, Ferrari, Holden, Isuzu, Iveco, Kia, Lancia, Maserati, Opel, Pontiac, Porsche, Seat, Ssangyong, and Tagaz may also be in trouble.

Car models with the Megamos Crypto transponders installed