VW has spent the last two years trying to suppress the findings of Roel Verdult and Baris Ege from the Netherlands, along with Flavio Garcia from the UK, on a key-hacking vulnerability.
Instead of working with the team to resolve the issue, VW sued them to stop publication, arguing that the paper would increase the risk of theft. In other news, pot calls kettle black.
The paper details how the cryptography and authentication protocol used in the Megamos Crypto transponder can be gamed by hackers looking to gain access to a vehicle or steal it outright. The Megamos transponder is one of the most commonly used: the entire suite of VW luxury brands is at risk, as well as Fiats, Hondas, Volvos and Maseratis.
So how did they do it? They reverse engineered the Megamos' security features. In one case, this allowed them to 'listen in' on the communications between the car and the key. The second option was a brute-force attack in which they ran through 196,607 candidate secret keys until the right one was found (in under 30 minutes).
"This is a serious flaw and it's not very easy to quickly correct," explained Tim Watson, Director of Cyber Security at the University of Warwick. "It isn't a theoretical weakness, it's an actual one and it doesn't cost theoretical dollars to fix, it costs actual dollars."
"The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car," said security researcher Andrew Tierney.
There is no realistic quick fix to the problem: the RFID chips within the keys and their accompanying transponders located within the vehicles must be replaced. In other words, a total voluntary recall at significant cost to VW. With no government forcing it to act, VW chose the less costly option.
VW's actions put at risk not only VW Group owners but also owners of vehicles from other manufacturers. The injunction prevented the researchers from sharing their findings with the other affected manufacturers.
Hopefully VW's actions serve as a precedent for what not to do in the future. The better way would be to work with the hackers to reveal real vulnerabilities and fix them before they are implemented in mass-produced products.