Security Flaws: Carmakers Have Skeletons in the Closet, Too

For two years, Volkswagen successfully banned the release of an academic publication that would otherwise expose the security flaws of its vehicles. However, everything is out in the open, well at least the parts permitted by the court.

Flavio D. Garcia of the University of Birmingham UK along with Roel Verdult and Baris Ege of the Radboud University Nijimegen, Netherlands found just how easy it is to dismantle the Megamos Crypto transponder and remotely control a hacked car via text messages.

Garcia and his team came up with more than 700 pages of research paper outlining the security flaws involving the transponder applied in a myriad of car brands including Audi, Fiat, Honda, Volkswagen and Volvo.

volkswagen-e-bugster-concept-qs

What is a Megamos Crypto?

It is a transponder, embedded in the vehicle’s key as a RFID tag, is used in electronic vehicle immobilizers to counter car theft. The immobilizer stops the car’s engine from running without the transponder. However, the said antitheft device can be so easily disabled, making way for a “keyless theft”.

By reverse engineering the transponder, Garcia’s team were able to control the hacked vehicle. They found several vulnerabilities in the security mechanisms of the transponder, and from there devised three practical attacks to recover the 96-bit transponder key and do a keyless ignition.

car-keys-2

Simple SMS Text Disables Car Brakes

In another study, a group of researchers from the University of California found how easy it is to disable an automobile’s brakes and wipers through SMS messages.

Researches led by Stefan Savage hacked the dongles in the onboard diagnostics port of cars used by US insurance companies to track vehicles and collect data.

Cellphone and an automobile electronic key

Addressing the Security Flaw

Garcia’s team recommended that carmakers must shift from vulnerable proprietary ciphers to community-reviewed ciphers in order to address the security flaws of the Megamos Crypto transponder.

Garcia’s team added that contactless smart cards available in the market are all it takes to generate the transponder key. They criticized automakers for not investing on better transponder chips when it only costs a fraction of a dollar.

The research team’s paper entitled, Supplement to the Proceedings of the 22nd USENIX Security Symposium, was completed in August 2013, but had just obtained permit for publication from the court provided authors remove one sentence from the document upon Volkswagen’s request.

Meanwhile, insurers Mobile Devices and Metromile issued patches for the dongles with security flaws after notified of the problem in June 2015.

Leave a Comment