By on July 28, 2013

Screen shot 2013-07-28 at 3.13.13 PM

The English High Court is trying to stop it, but it’s hard to know how much authority they have over the upcoming USENIX Security Symposium. If, as I suspect, the answer is “None”, then attendees to that event will be treated to a presentation on how to break the Megamos Crypto system, the RFID-based immobiliser that prevents counterfeit and physically-copied keys, to say nothing of plain old “hot-wiring” at the ignition switch, from starting the Bentley Continental GT that, apparently, uses it.

Of course, some of you will have already considered that if the system is in use in the CGT, it’s in use in the Phaeton, and probably the Touraeg, as well. You’re right, and there are far more cars at risk than just those.

A brief bit of research suggests that every VW Group product made since circa 2001 or even earlier uses the Megamos Crypto system. Porsches may also be involved. A real-world implementation of the hack that will be demonstrated at USENIX could theoretically be launched from near the car; once it’s done its thing, any car thief should be able to do the whole “gone in 60 seconds” business with it. There’s apparently a well-distributed hack that allows BMWs to be started and stolen once access to the OBD-II port is gained, so in this manner at least Audi is doing a solid job of catching up to the Bavarian market leaders.

While the British High Court might still be naive enough in 2013 to think that this kind of knowledge can be suppressed by legal fiat, the rest of us out there might want to take some advice from Antoine Dodson: Hide your Audi, hide your Gallardo, ’cause they’re stealing every one out there!

Get the latest TTAC e-Newsletter!

32 Comments on “Megamos Crypto Is Broken And Your Bentley Is Gonna Get Ganked...”

  • avatar
    Kyree S. Williams

    I’m sure it involves the other Bentley models as well. Of course the (Continental) Flying Spur would use the same system as the GT, and the Mulsanne appears to have the same key system as well. Even the now-discontinued Arnage, Brooklands and Azure models with their carryover electronics systems probably had these same VAG keys. Then, like you said, there’s also Porsche, Lamborghini, Audi…even Bugatti. There’s a lot of high-end metal that’s at stake here.

    As far as the BMW thing goes, what makes it even worse is that BMW’s stolen-car assistance requires you to file a police report *and* get a case number before BMW will assist you in locating and disabling your car…

    • 0 avatar

      Will have to start carrying a wheel lock, Jack & Kyree. Use them on my trailers, a bit of a pain in the wet NW, but what are you going to do… The jerks are not going to force me into driving crap… Well, sometimes… Love those Rat Rods… and so it goes…..

    • 0 avatar

      BMW restricts location tracking because, as they designed the system, concerns about owner privacy were *hugely* important to them. They wanted to do as much as possible to limit the ability for spouses or friends or bad guys to be able to track a vehicle/driver location.

      The alternative is for us to be hearing horror stories about spouses using BMW technology to track down cheating, or bad guys hunting down BMW owners.

      On the flip side, if you call 911 to report your car stolen, most places will give you a case number immediately (dispatch generates the case number as soon as you call). Police departments also love things like OnStar and will quickly act to start tracking a freshly stolen car as rapidly as possible. Catching a car thief is a nice collar for beat cops.

      • 0 avatar
        Kyree S. Williams

        That seems like a very valid explanation, especially since BMW service stations also will not divulge information on the previous owner of a car for privacy reasons.

        And I’m sure police offers *would* rather work with OnStar to disable a stolen car than to wait for the ordeal to turn into a high-speed chase…

        • 0 avatar

          I do a little freelance news photography for fun when I can’t sleep, so I chase scanner calls.

          Once or twice a month, the cops will be chasing down an OnStar call (they call every OnStar like service “OnStar,” sort of like Kleenex). They tend to get officers to surround the suspect vehicle out of sight and shadow it, waiting until they can box it in for a felony traffic stop. I’ve yet to hear them use the capability of actually disabling a vehicle remotely. The felony stop ambush tends to work pretty well.

          iPhone thefts are also something you hear them chasing down pretty often. I often hear officers calling dispatch to get another cop with an iPhone to the scene to get Find My iPhone working. Most of those go dead within a few minutes as the thief turns the phone off – Apple could do a LOT of good by requiring the passcode to power off the phone.

          Also – if you have any sort of facility you want to secure, use Sonitrol. Those calls are the very best; you can hear dispatch giving responding officers a play-by-play of exactly what’s going on during a break in. Out of all the Sonitrol alarm calls I’ve heard, they have a 100% success rate of getting the bad guys thanks to all the real-time info Sonitrol provides.

  • avatar

    Worth noting that when something is to be presented at a seminar, by the kind of people who present things at seminars, the information presented is common currency long before the seminar itself is contemplated.

    What the courts unfailingly subvert is the attempt to collaborate and devastate the hack (read: making this common knowledge useless) usually with the manufacturer of the hacked device cheering them on.

    oh what a world.

  • avatar

    Well at least one of my cars is a stick so that may be me best line of defense

  • avatar
    Nicholas Weaver

    Worse, now that the crypto is known to be flawed, the effort to recreate this work will be considerably less, even if this particular instance does get suppressed.

    There are plenty of cryptographers in the US (rather than the UK) where courts are already shown to look much more favorably on this kind of research, and I’m certain one of our colleagues (I, like Dan Wallach, work in the academic computer security field) will be sure to reproduce the results even if this paper gets pulled from Usenix.

  • avatar

    ..And a year from now they’ll be selling Chinese codebreakers (For diagnostic purpose only!!) on Ebay for $99.

    • 0 avatar

      Welcome to IT. A lot of the patches that people forget to install on their Windows boxes are for security problems.

      (Not necessarily algorithm problems, but definitely flaws in the implementation of pretty much everything. We don’t know yet whether this exploit is an algorithm problem if an implementation problem.)

      So, yeah, did you install the security updates on your car?

  • avatar

    Isn’t it easier to just use a flat bed?

    • 0 avatar

      Being able to get in and drive away is, um, less obvious.

      • 0 avatar

        >> Being able to get in and drive away is, um, less obvious.

        Not necessarily.. We’re talking about vehicles, that shall we say, are not exactly strangers to flatbeds. In urban areas, vehicles are towed all the time and even with lights flashing and alarm blaring, people aren’t going to notice.

        In upscale suburban areas, it’s a different problem. When houses are on 1 acre and larger lots with extremely low population density, walking in or even driving with a car can raise suspicion. Lots of suspicious vehicle and suspicious person calls listed in my local police blotter. People know who belongs. A flatbed can pass through a neighborhood and up a long driveway without raising a lot of attention.

  • avatar

    The question of car computer security goes way beyond simply stealing cars.

    Try an on-line search for the .pdf document “Experimental Security Analysis of a Modern Automobile”.

    This was a study by computer scientists from the University of Washington and from the University of California San Diego on the on board systems of two typical modern cars.

    They concluded that vehicles with integrated wi-fi built into their CAN system can be used by an attacker in another car to seize total control of the vehicle’s vital functions, using a laptop, leaving the driver a mere passenger.

    Scary stuff!

  • avatar
    David Hester

    Second look at The Club?

    • 0 avatar

      The Club? HAHAH

      All you have to do is saw through the wheel. A $1000 dollar wheel seems like a small expense when stealing a $100,000 VAG.

      A better option is a brake lock. Most cars will not shift into gear without touching the brake, and no one wants to drive a car with no brakes.

      Or just install a hidden kill switch.

  • avatar

    Before immobilizers, we used to hide main power switches under the dash to cut off ignition – a crude but functional anti-theft device. I wonder if it could be applied to a Bentley?

  • avatar

    911, what is your emergency?

    Oh, hi, I’m calling to report a stolen vag.


    Hello? Hmm, was it something i said?

  • avatar

    I needed a grounding relay on my ’66 bug for a starter relay..used the cigarette lighter. No one could ever figure out how to start it and if I took it out, made it impossible (other than hot wire). Turn the key, push the lighter. Hidden switches are easy.

  • avatar

    I wonder if this is related to some device car thieves are using to gain access to cars that works like a universal remote FOB.

    I hear about this on the news recently, and it APPEARS the cops don’t know what this device is. Yeah, sure…

    Welcome to the shiny, bright future!

    • 0 avatar
      Nicholas Weaver

      Perhaps. Those guys are targeting Hondas/Acuras, it could be a similar type weakness in the keyfob unlock transmitter. Note that those remote-Fobs don’t allow the car to start, just rifle the interior contents.

  • avatar

    Injunction has been granted, and U of Birmingham has withdrawn the paper as they refused to prevent a redacted version.

    Somehow the university feels that providing full details of the hacking to all and sundry would be in the public interest …

  • avatar

    For some reason, I read that as “UNISEX Security Symposium.”

  • avatar

    I’m guessing Megamos was informed of this weakness weeks if not months ago and failed to act. It’s fairly common to disclose these kinds of hacks publically when companies fail to act.

  • avatar

    Did anybody expect anything else? Hint: It uses 96bits (an unusual number) and doesn’t say anything about using AES or other known, safe encryption algorithm. In other words, you can expect something like keeloq, who tried similar idiocy and left “Chrysler, Daewoo, Fiat, General Motors, Honda, Toyota, Lexus, Volvo, Volkswagen, Jaguar, and probably others” wide open for who knows how long.

    on Keeloq:
    BMWs aren’t quite free either:

    As far as an update? You might have to replace all the locks if you want it done right, and maybe some sort of flash update (which pretty much will require getting the circuit board all but out of the car) to make opening the lock roughly as hard (with special equipment) as using a slim jim. If they put the ISP (in Circuit programming) on the board. If not, you are likely toast and since it isn’t a safety issue there won’t be a forced recall (a new circuit board with AES hardcoded (to avoid the timing issues) would be needed for an unflashable board. You would also, of course, need a new keyfob. Not going to happen widescale means infeasably expensive for those few who want it (officially) repaired. Some aftermaket rig might be possible.

    PS. Creating your own super-duper code algorithm is something every geek wants to do and is the first thing you learn in cryptography: your custom encryption not only sucks, but breaking it is a homework problem on the next page. Do not use any product that advertises “magic” cryptography and stick to things like AES (maybe IDEA if you fear NSA-approved algorithms). There are still many, many ways to still expose your secrets/take your car without a key, but they are a much easier to avoid than creating a secure algorithm).

  • avatar

    Is there any kind of list (some website somewhere?) that you can look up whether your car’s security system is “known broken” (perhaps by model year?) or not?

Read all comments

Back to TopLeave a Reply

You must be logged in to post a comment.

Recent Comments

  • Corey Lewis: I would be put off by the CVT of the 450h, even though it had a couple exclusive fancy options as I...
  • ajla: “I don’t think I’d start loving the Charger just because it grew some fender flares and enough power to...
  • Corey Lewis: That last sentence is why I don’t own something like a Jag XJ.
  • Corey Lewis: The H version of the LC offends me, as it’s antithetical to the luxury coupe mission. Interesting...
  • sentience: I can see something like this doing well in the states. Crossover ‘coupes’ or SUV...

New Car Research

Get a Free Dealer Quote

Who We Are

  • Adam Tonge
  • Bozi Tatarevic
  • Corey Lewis
  • Mark Baruth
  • Ronnie Schreiber