[Audi Q3 News]

VW has spent the last two years trying to keep quiet the findings of Roel Verdult and Baris Ege from the Netherlands along with Flavio Garcia from the UK, into a key hacking vulnerability.

Instead of working with the team to resolve the issue, VW sued them in order to stop publication, arguing that the paper would increase the risk of theft. In other news pot calls kettle black.

The hack details how the cryptography and authentication protocol used in the Megamos Crypto transponder can be gamed by hackers looking to gain access or total theft. The Megamos transponder is one of the most common used, the entire suite of VW luxury brands is at risk, as well as FIATS, Hondas, Volvos and Maseratis.

So how did they do it? They reverse engineered the Megamos' security features allowing them to 'listen' in on the communications between the car and the key in one case, the second option was a brute force attack where they ran through 196,607 options of secret keys until the right one was found (in under 30 minutes)

"This is a serious flaw and it's not very easy to quickly correct," explained Tim Watson, Director of Cyber Security at the University of Warwick. "It isn't a theoretical weakness, it's an actual one and it doesn't cost theoretical dollars to fix, it costs actual dollars."

"The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car," said security researcher Andrew Tierney.

There is no realistic quick fix to the problem, RFID chips within keys and their accompanying transponders located within the vehicles must be replaced. In other words, total voluntary recall at significant cost to VW. Without government forcing them, VW chose the less costly option.

Their actions not only put VW Group owners at risk but those from other manufacturers. The injunction prevented the researchers from sharing their findings with the other affected manufacturers.

Hopefully VW's actions serve as a precedent of what not to do in the future, the better way would be to work with the hackers in order to reveal real vulnerabilities and fix them before being implemented in mass produced products.

 

[rnlabas]

...and since it's in the public domain now save for ONE (1) redacted sentence, here's the scoop - https://www.usenix.org/sites/default/files/sec15_supplement.pdf

and another interesting tidbit to go along with it is this -

 

[DampDuffer]

Interesting....although this problem has been known by some car makers and dealers for quite some time, apparently only a few have shared it with their customers.

When I purchased my Lexus with a keyless entry device just over a year ago, I was told by my sales rep that it's always a good idea to keep the device in the microwave so that thieves could not electronically access it. Although visiting relatives have come close to turning on the microwave while the keyless device was hiding there, they somehow eventually realized that the little device with the big red streamer dangling from it that read, "Remove Before Flight," was probably not something I wanted cooked while they cooked their microwave popcorn.

I'm rarely too concerned when on the road, and publically parked, because it's been a long, long time since I've found parking anywhere near my destination, so the car is usually well away from its keyless device

 

[AudiFox]

Wouldn't they have fixed this by now with a patch of some kind if it's been know for at least 2 years? Or make your own aluminum foil case for it.

 

[Otto]

It makes sense that they sued for a publication ban. Even if there is a security flaw, the newspaper was basically going to publish "How to steal a VW". Not sure that would actually work to solve the issue.

 

[Quatto]

Wouldn't they have fixed this by now with a patch of some kind if it's been know for at least 2 years? Or make your own aluminum foil case for it.

that or even try to disable the remote function if you can, if it can't send a signal then there's no signal to intercept and hack into.

 

[rnlabas]

that or even try to disable the remote function if you can, if it can't send a signal then there's no signal to intercept and hack into.

Then this requires a Faraday cage or bag and or taking out the batteries every night when stored anywhere else. As for a patch - sounds easy and fast, but if you even glance thru the docs above you should be able to see that a "patch" is prolly months or years in the works, not days or weeks. It's simply amazing to me how often folks hear of potential solutions that have NO clue as to the effort behind an eventual solution or that required to get there - only that it IS there ...