Megamos Crypto Is Broken And Your Bentley Is Gonna Get Ganked

by Jack Baruth

The English High Court is trying to stop it, but it’s hard to know how much authority they have over the upcoming USENIX Security Symposium. If, as I suspect, the answer is “None”, then attendees at that event will be treated to a presentation on how to break the Megamos Crypto system, the RFID-based immobiliser that prevents counterfeit and physically-copied keys, to say nothing of plain old “hot-wiring” at the ignition switch, from starting the Bentley Continental GT that, apparently, uses it.

Of course, some of you will have already considered that if the system is in use in the CGT, it’s in use in the Phaeton, and probably the Touareg, as well. You’re right, and there are far more cars at risk than just those.

A brief bit of research suggests that every VW Group product made since circa 2001 or even earlier uses the Megamos Crypto system. Porsches may also be involved. A real-world implementation of the hack that will be demonstrated at USENIX could theoretically be launched from near the car; once it’s done its thing, any car thief should be able to do the whole “gone in 60 seconds” business with it. There’s apparently a well-distributed hack that allows BMWs to be started and stolen once access to the OBD-II port is gained, so in this respect at least Audi is doing a solid job of catching up to the Bavarian market leaders.

While the British High Court might still be naive enough in 2013 to think that this kind of knowledge can be suppressed by legal fiat, the rest of us out there might want to take some advice from Antoine Dodson: Hide your Audi, hide your Gallardo, ’cause they’re stealing every one out there!


Comments
  • Old5.0 Old5.0 on Jul 29, 2013

    For some reason, I read that as "UNISEX Security Symposium."

    • Th009 Th009 on Jul 29, 2013

      USENIX is one of the original UNIX user groups, dating back almost 40 years.

  • 1998S90 1998S90 on Jul 29, 2013

    I'm guessing Megamos was informed of this weakness weeks if not months ago and failed to act. It's fairly common to disclose these kinds of hacks publicly when companies fail to act.

    • Segfault Segfault on Jul 29, 2013

      @th009 A recall. A very large one, like Toyota. Followed by a few class action lawsuits.

  • Wumpus Wumpus on Jul 29, 2013

    Did anybody expect anything else? Hint: it uses 96 bits (an unusual number) and doesn't say anything about using AES or another known, safe encryption algorithm. In other words, you can expect something like KeeLoq, who tried similar idiocy and left "Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Lexus, Volvo, Volkswagen, Jaguar, and probably others" wide open for who knows how long.

    On KeeLoq: http://www.schneier.com/blog/archives/2008/04/keeloq_still_br.html

    BMWs aren't quite free either: http://www.schneier.com/blog/archives/2012/07/hacking_bmws_re.html

    As far as an update? You might have to replace all the locks if you want it done right, and maybe some sort of flash update (which pretty much will require getting the circuit board all but out of the car) to make opening the lock roughly as hard (with special equipment) as using a slim jim. If they put the ISP (in-circuit programming) on the board. If not, you are likely toast, and since it isn't a safety issue there won't be a forced recall (a new circuit board with AES hardcoded (to avoid the timing issues) would be needed for an unflashable board). You would also, of course, need a new keyfob. Not going to happen widescale means infeasibly expensive for those few who want it (officially) repaired. Some aftermarket rig might be possible.

    PS. Creating your own super-duper code algorithm is something every geek wants to do and is the first thing you learn in cryptography: your custom encryption not only sucks, but breaking it is a homework problem on the next page. Do not use any product that advertises "magic" cryptography and stick to things like AES (maybe IDEA if you fear NSA-approved algorithms). There are still many, many ways to expose your secrets/take your car without a key, but they are much easier to avoid than creating a secure algorithm.
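
The comment above argues that an immobiliser should rest on a standard, public primitive rather than a proprietary cipher. The following is an added illustration, not code from the article, from Megamos, or from any vendor: a simplified challenge-response handshake between a car and its key transponder built on a standard keyed primitive (HMAC-SHA256 from the Python standard library, chosen here because AES is not in the standard library; an immobiliser using AES would follow the same shape). The page describes none of the real Megamos protocol, so the message framing, the 128-bit shared key, the 64-bit response length and the domain-separation label are all assumptions made for the demo. It shows what a sound design buys the defender: a fresh random challenge per ignition attempt means a response recorded from one session is useless for the next, and the secret never leaves the transponder.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this demo (not Megamos's real values):
KEY_BYTES = 16        # 128-bit secret shared by car and transponder
CHALLENGE_BYTES = 16  # 128-bit random challenge issued by the car
RESPONSE_BYTES = 8    # 64-bit truncated MAC sent back over the RFID link
LABEL = b"immobiliser-demo-v1|"  # domain separation so the MAC is bound to this protocol


def new_shared_key() -> bytes:
    """Provisioning step: generate the secret stored in both car and transponder."""
    return secrets.token_bytes(KEY_BYTES)


def car_challenge() -> bytes:
    """Car side: a fresh, unpredictable challenge for every ignition attempt."""
    return secrets.token_bytes(CHALLENGE_BYTES)


def transponder_response(key: bytes, challenge: bytes) -> bytes:
    """Transponder side: prove possession of the key by MACing the challenge.

    The key itself is never transmitted; only a keyed digest of the challenge is.
    """
    mac = hmac.new(key, LABEL + challenge, hashlib.sha256).digest()
    return mac[:RESPONSE_BYTES]


def car_verify(key: bytes, challenge: bytes, response: bytes) -> bool:
    """Car side: recompute the expected response and compare in constant time."""
    if len(response) != RESPONSE_BYTES:
        return False
    expected = transponder_response(key, challenge)
    return hmac.compare_digest(expected, response)


def run_handshake(car_key: bytes, transponder_key: bytes) -> bool:
    """One complete ignition attempt; True only if the transponder holds the car's key."""
    challenge = car_challenge()
    response = transponder_response(transponder_key, challenge)
    return car_verify(car_key, challenge, response)


def replay_attempt(car_key: bytes, recorded_response: bytes) -> bool:
    """A response captured from an earlier session is replayed against a new challenge.

    Because the car picks a fresh challenge, the recorded value does not match.
    """
    new_challenge = car_challenge()
    return car_verify(car_key, new_challenge, recorded_response)


if __name__ == "__main__":
    key = new_shared_key()
    print("genuine key starts car:", run_handshake(key, key))
    print("wrong key starts car:  ", run_handshake(key, new_shared_key()))
    # Constructed scenario: the exchange from one session is recorded, then replayed.
    old_challenge = car_challenge()
    old_response = transponder_response(key, old_challenge)
    print("replayed response works:", replay_attempt(key, old_response))
```

The security of this handshake reduces entirely to the secrecy of the 128-bit key and the strength of HMAC-SHA256, both of which are public, well-studied assumptions; there is no hidden algorithm whose disclosure at a conference would break every car that uses it.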

  • Wei Wei on Jul 30, 2013

    Is there any kind of list (some website somewhere?) that you can look up whether your car's security system is "known broken" (perhaps by model year?) or not?
