European computer scientists have revealed a massive flaw in keyless ignition technology used by more than 100 models of high-end vehicles from different companies. They say Volkswagen and other manufacturers sued the researchers for two years to keep them from revealing the security bug in the remote controls.
The flaw, which could help malicious hackers unlock everything from a Kia to a Lamborghini, was discovered by Flavio D. Garcia, Baris Ege and Roel Verdult of the Radboud University Nijmegen in the Netherlands. They presented their findings Wednesday at the Usenix Security Symposium in Washington, DC.
The researchers say the flaw lies in the component known as the Megamos Crypto transponder, a tiny device in the car that is responsible for the encryption between the car and the remote. The transponder is designed to stop an engine from starting if it is not in close proximity to the vehicle. The researchers managed to access the transponder’s 96-bit secret key and were then able to start a keyless car in only half an hour.
The list of impacted vehicles covers 126 types of cars, including Volkswagen’s Porsche, Audi, Bentley, and Lamborghini brands, as well as Kia, Honda, Volvo, Toyota, Chrysler, Daewoo, Fiat, GM, and many others. All of them rely on chips made by EM Microelectronic in Switzerland.
The white hat hackers say they have known about the flaws since 2012, and warned the automakers. The scientists gave the chip maker nine months to fix the problem before they would reveal their discovery in a report. The carmakers used their lawyers to keep the research under wraps, but now a legal settlement has allowed the documents to go public.
According to Volkswagen, the hack takes ‘considerable, complex effort’ and it is unlikely to be used except by ‘tech-savvy, organized crime syndicates.’ The carmaker claims that its latest cars, including the Golf 7 and Passat B8, aren’t vulnerable.