Volkswagen Sued Researchers To Hide Key Hacking Flaw

by Bozi Tatarevic

Volkswagen has spent over two years trying to block the publication of a research paper which reveals a key hacking vulnerability in many of their models as well as thousands from other manufacturers. According to Bloomberg, a team of researchers discovered the vulnerability in 2012 and notified Volkswagen in May 2013. Instead of working with the researchers to resolve the issue, Volkswagen argued that the paper would increase the risk of theft and sued them to stop the publication.

The research paper was blocked by an injunction from the United Kingdom High Court for two years and was finally released after originally being blocked from presentation at the 2013 USENIX Security Symposium. The researchers were able to negotiate an agreement with Volkswagen to allow the paper to be published once they removed one sentence that described a component of the calculations on the chip.

The paper describes a vulnerability in transponders that use the Megamos Crypto algorithm, one that allows brute force attacks to defeat the security mechanism. A similar attack, described by Silvio Cesare last year, allows a radio transmission device to generate potential unlock codes that can be sent to a car until it is opened. This attack goes one step further by using a similar mechanism to generate a response that defeats the immobilizer systems in the affected vehicles and allows them to be started.

The research team of Roel Verdult and Baris Ege from the Netherlands, along with Flavio Garcia from the United Kingdom, reverse-engineered the Megamos Crypto security mechanisms, recovered the 96-bit secret key and transmitted it using an RFID device. Their first type of attack exploits a weakness in the cipher design that allows recovery of a portion of the secret key by listening in on two legitimate communications between the vehicle and key. The second type of attack uses brute force to send updates to the immobilizer in the vehicle.

This procedure allowed the researchers to generate a secret key in about 30 minutes that was able to start the car. Their last type of attack uses a similar brute force method, but exploits systems that use a weak cryptographic key. These systems can be hacked using a standard laptop in a few minutes because they may use a shorter secret key or lack safety mechanisms such as pseudo-random number generators in their algorithm.

Models Affected By The Vulnerability (Models In Bold Tested By Researchers)

This type of security flaw is not something that can be corrected with a software update. It would require new keys as well as new immobilizer hardware inside the cars, which could be costly for Volkswagen and other manufacturers. Since the flaw did not constitute a safety issue, it would not require a recall in most countries.

Volkswagen not only put its own vehicles at a higher risk of theft by suppressing the research, but also left the risk unknown to many other manufacturers who use the same algorithm. Volkswagen states that current models such as the Golf and Passat use a new algorithm that is immune to this type of attack, but it has not offered any assistance to owners of older vehicles with vulnerable systems.

The main issue with the response from Volkswagen is that they look to protect their design by relying on the “security through obscurity” safety mechanism. While lawsuits and injunctions will keep legitimate researchers from publishing information about these flaws, thieves will eventually find a way to break through themselves. This was demonstrated with the Keeloq algorithm in 2007 when proprietary design information was discovered by Russian hackers and leaked online.

The better way to approach these issues is to invite these researchers and white hat hackers to work with the manufacturer once a security system is developed in order to reveal vulnerabilities and fix them before they reach thousands of cars.

[Main Photo Credit: Yahya S/ Flickr/ CC BY 2.0]

[Affected Vehicles Chart Credit: Verdult, Garcia, and Ege]

3 of 23 comments
  • MBella on Aug 18, 2015

    Electronic keys aren't 100% impenetrable? There needs to be a large class action lawsuit for this. Preferably where the lawyers get 100 million each, and the customer gets a warning sticker.

    • Luke42 on Aug 18, 2015

      That's a carguy answer. The computer guy answer is "uhh, this was in the crypto textbook and we knew better all along. Why didn't your engineers read the damn textbook like we did?!?" It's easier said than done, but better crypto is widely available and is something the average engineer can understand if he/she bothers to try.

  • Stuki on Aug 18, 2015

    Nah, could you imagine the powerful and connected using the legal system to benefit themselves (in the short run, until bonus season), at the expense of those less equal.... How surprising!! But, but the lawyers say they are, like, good, and, like, fight the baaad evil corporations, says the public school indoctrinated progressives with the customary confused looks on their collective faces.....
