Volkswagen silences talk about security flaws in luxury cars

PorscheIf you park a luxury car worth up to $300,000 outside a restaurant, you probably want to feel confident it's still going to be there where you left it when you return at the end of the evening.

That's why the cars of the super-rich, such as Audis, Bentleys, Porsches, and Lamborghinis, are protected by the Megamos Crypto system - an RFID transponder that uses an algorithm designed to verify the identity of the ignition key being used to start their motors.

If it isn't the right ignition key, the engine should remain immobilised and the car refuse to start.

Enter security researcher Flavio Garcia, a lecturer in Computer Science at the University of Birmingham in the UK.

Garcia has been blocked by a British court from presenting his research into weaknesses in car immobilisation systems, at the behest of car manufacturing giant Volkswagen and the French defence group Thales.

Their concern? That the talk could "allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car."

Garcia, and his colleagues Baris Ege and Roel Verdult, who are security researchers at Radboud University in the Netherlands, were scheduled to give a talk entitled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" at the Usenix Security Symposium, being held in Washington in a couple of weeks.

Indeed, the talk is still listed in the conference's proceedings:

Controversial talk

The researchers claim that they found a software program on the internet which contained the Thales-devised algorithm, and were able to find a weakness in its code which allowed it to be compromised. According to the security researchers, the program had been available on the net since 2009.

Volkswagen and Thales, however, argued that the algorithm was confidential, and that if the code has been released onto the internet it was probably done so illegally. The companies disputed disclosure of details about the problem was in the public interest, and said that criminals might attempt to take advantage.

That's an argument which clearly convinced the UK court.

Both Birmingham and Raboud University have agreed to abide by the court's decision, but they're clearly feeling a bit miffed.

A spokeswoman for Raboud University was reported by the BBC as saying that the ban was "incomprehensible":

"The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible."

"The researchers informed the chipmaker nine months before the intended publication - November 2012 - so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients."

If there is a problem with the Megamos Crypto system used by a variety of car manufacturers, then that really needs to be fixed. Sooner, rather than later.

I cannot help but feel sorry for Flavio Garcia and his fellow researchers, as it sounds like they might not get their hour in the spotlight. They, after all, did the hard work here. And if it wasn't for them - no-one, including Volkswagen and Thales, would probably know that a serious security problem existed.

It must be particularly galling for Garcia, Ege and Verdult as this week at the Black Hat conference in Las Vegas, security researchers Charlie Miller and Chris Valasek will be explaining how they managed to hack into car computer systems, and meddle with the brakes and steering of a vehicle in motion.

Quite rightly, their research will attract both a large audience and worldwide acclaim. Far from their talk being silenced by the-powers-that-be, their research was actually funded by the US Department of Defense's DARPA wing to the tune of $80,000.

Tags: , , , , , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , , , , , ,

2 Responses

  1. shitasa

    August 1, 2013 at 2:38 am #

    Security through obscurity…how many times has it ever worked?

  2. Chris Pugson

    August 11, 2016 at 9:27 pm #

    It appears that cars requiring a traditional key to be inserted and rotated in a traditional switch to start the engine are not at such a risk of theft as cars which only require the key to be present while the starter switch is a simple push-button. However, I wonder if such cars may still be at heightened risk of intrusion, say by thieves attempting to steal the contents of a car.

Leave a Reply