Security flaw affecting more than 100 car models exposed by scientists

Academics found cars were vulnerable to ‘keyless theft’, including models from Audi, Honda and Volkswagen – which suppressed the research for two years

A major security flaw in more than 100 car models has been exposed in an academic paper that was suppressed by a major manufacturer for two years.

Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university were unable to release the paper after Volkswagen won a case in the high court to ban its publication.

The research team discovered car manufacturers including Audi, Citroën, Fiat, Honda and Volvo, as well as Volkswagen, had models that were vulnerable to “keyless theft” because a device designed to prevent the vehicles from being stolen could be disabled easily.

After years of formal and informal negotiations, Volkswagen has agreed to the publication of the paper after accepting the authors’ proposal to remove one sentence from the original manuscript.

Garcia and his colleagues Roel Verdult and Barış Ege, from Radboud University in Nijmegen, said they found several weaknesses in the Swiss-made immobiliser system, called Megamos Crypto. The device works by preventing the engine from starting when the corresponding transponder – embedded in the key – is not present.

But the researchers showed it was possible to listen to signals sent between the security system and key, making the vehicles vulnerable to “close-range wireless communication” attacks.

“Our attacks require close range wireless communication with both the immobiliser unit and the transponder,” the team say in the paper. “It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket.”

The computer scientists had wanted to publish the paper at the Usenix Security Symposium in Washington DC in 2013, but the court imposed an interim injunction. Volkswagen complained that its publication could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car”.

The researchers argued they were “responsible, legitimate academics doing responsible, legitimate academic work” and their aim was to improve security for everyone.

The RAC said electronic security systems have improved car security as vehicle theft has fallen 70% in 40 years. However, the overall decrease hides a rise in electronic hacking of vehicles, which featured in four out of 10 car thefts in London last year.

Vehicles’ vulnerability was recently exposed by researchers from the University of California, San Diego, who hacked a car, remotely activated its windscreen wipers and disabled its brakes, all via text message.

In July, Fiat Chrysler announced it was recalling about 1.4m cars and trucks in the US after hackers took control of a Jeep over the internet.


Jamie Grierson
