A major security flaw in more than 100 car models has been exposed in an academic paper that was suppressed by a major manufacturer for two years.
Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university were unable to release the paper after Volkswagen won a case in the high court to ban its publication.
The research team discovered car manufacturers including Audi, Citroën, Fiat, Honda and Volvo, as well as Volkswagen, had models that were vulnerable to “keyless theft” because a device designed to prevent the vehicles from being stolen could be disabled easily.
After years of formal and informal negotiations, Volkswagen has agreed to the publication of the paper after accepting the authors’ proposal to remove one sentence from the original manuscript.
Garcia and his colleagues Roel Verdult and Bariş Ege, from Radboud University in Nijmegen, said they found several weaknesses in the Swiss-made immobiliser system, called Megamos Crypto. The device works by preventing the engine from starting when the corresponding transponder – embedded in the key – is not present.
But the researchers showed it was possible to listen to signals sent between the security system and key, making the vehicles vulnerable to “close-range wireless communication” attacks…
The RAC said electronic security systems have improved car security as vehicle theft has fallen 70% in 40 years. However, the overall decrease hides a rise in electronic hacking of vehicles, which featured in four out of 10 car thefts in London last year.
The point of any hack like this is lies with manufacturers revising their security. Sounds like VW was more interested in trying to keep the hack quiet instead of a fix.