Car hacking - report reveals security flaw in immobilisers

A Dutch academic study has revealed that well over 100 cars have a security flaw that could allow hackers to start and steal them without a key.

Controversially, the report – entitled ‘Dismantling Megamos Crypto: Wirelessly Lock-Picking A Vehicle Immobilizer’ – has only recently been released, after a court injunction from Volkswagen and other manufacturers was lifted after two years.

You expect to need your car’s key to start it, but according to the report, that’s not always the case. It states that some anti-theft systems on some models can be hacked remotely, allowing the car to be driven away.

The report’s authors Roel Verdult, Flavio Garcia and Baris Ege say they were “able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes”.

They managed this by ‘listening in’ to the signals sent between the car’s key and the immobiliser and then replicating them.

Cars from across the Volkswagen Group – including Audi, Bentley, Porsche, Lamborghini and VW itself – as well as Alfa Romeo, Fiat and Jeep, are affected.

A 2016 UK study has recently found similar problems, this time concerning the remote central locking systems of an estimated 100 million cars made by the Volkswagen Group (including Skoda, SEAT and Audi models) between 1995 and 2016.

Now working with the University of Birmingham, Flavio Garcia, together with David Oswald, claim VW Group cars can have their keys’ codes ‘cloned’ by thieves after locking or unlocking signals have been intercepted, allowing unauthorised access to the vehicle. While this doesn’t allow the car to be driven away, it’s definitely concerning – particularly when taken in conjunction with the immobiliser issue. Volkswagen is keen to stress its newer models (including the latest Golf, Tiguan and Passat) have improved security measures, though, and aren’t affected by this issue.

Car hacking: could it happen to you?

Manufacturers that use the radio-frequency identification (RFID) are coming under increasing pressure from the researchers to take their findings into account and improve their security measures.

It’s important to note that this is not the same issue as the one recently discovered in the Tesla Model S that can be fixed by a remote software upgrade – this was to do with the quality of the hardware in the key used to send the coded message to the immobiliser.

The researchers claim that a better, more secure chip in the key – costing less than £1 more – would make hacking the immobiliser far more difficult and complicated.

While Verdult, Garcia and Ege are campaigning for manufacturers to do more to combat car hacking and be more open in their discussions about it, some companies aren’t so keen.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If it succeeds, research of this nature would become illegal.

Volkswagen insists it’s doing everything possible to prevent these hacking attempts, saying: “In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”