For 2 years VW tried to hide the exploits that made its cars hack-able .
Now, many might be getting quite paranoid about the recent spate of stories revolving around wireless hacks, nifty devices like ‘Rolljam’ and inherent vulnerabilities in connected vehicles that leave them exposed to enterprising hackers.
Well, unfortunately, there’s more bad news. According to Bloomberg, Volkswagen has spent two years trying to hide a huge security flaw that affects thousands of cars from a range of manufacturers. The car maker has spent two years suppressing the research findings in courts.
The publication states that ‘key-less’ car theft, where hackers target to exploit flaws in electronic locks and immobilizers, now account for 42% of vehicular theft in London. The city’s Metropolitan Police has stated that BMWs and Range Rovers are definitely at risk, as a tech savvy thief could do a proper getaway in these rides under 60 seconds.
Apparently, Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham have presented an academic paper at the USENIX security conference in Washington DC, where they detail how the cryptography and authentication protocol used in the ‘Megamos Crypto’ transponder can be exploited by hackers to ultimately abscond with these luxury vehicles.
This particular immobilizer transponder, the ‘Megamos Crypto’, is most commonly used in Volkswagen-owned brands such as Audi, Porsche, Bentley and Lamborghini. Worryingly, it is also used in brand such as Fiat, Honda, Volvo and some Maserati models too.
Amazingly, the publication states that these researchers broke the transponder’s 96-bit cryptographic system by listening in twice to the radio communication between the key and the transponder.
Since this reduced the pool of potential secret key matches, the researchers opened up the ‘brute force’ option, which ran through 196,607 options of confidential combinations of key codes till they found the suitable key code, all in less than half an hour. The Bloomberg report adds that there’s no quick fix to the problem, as the RFID chips in the keys and transponders inside the cars must be replaced, which would result in a lot of labor costs.