Researchers have revealed vulnerabilities in a vital security chip used in vehicles from companies including Volkswagen, Fiat and Volvo after a two-year court injunction prevented them from releasing the information.
A research paper, Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser, was to be unveiled at the USENIX security conference in 2013. But it was silenced for two years after an injunction filed by Volkswagen in the UK High Court.
The research uncovered flaws in a car transponder known as the Megamos Crypto, an anti-theft tool that prevents an engine starting without a key being close to the vehicle.
Researchers Roel Verdult, Flavio Garcia and Baris Ege found that car manufacturers including Porsche, Ferrari and Alfa Romeo use the affected transponder and that the radio frequencies it uses can easily be hacked.
The research was revealed to car companies in 2012, but is only now being publicly released.
The security researchers said they were able to execute the attack "in practice" on several vehicles. The report shows that over 25 vehicle brands and over 100 models are affected by the hack.
"We were able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes," the research paper stated.
"Our attacks require close range wireless communication with the immobiliser unit and the transponder. It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time.
"The implications of the attacks presented in this paper are especially serious for those vehicles with keyless ignition. At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate."
Security expert Graham Cluley said that the report is a warning to car manufacturers that use radio frequency identification technology.
"Maybe the paper in its current form is not quite a blueprint for sophisticated criminals to steal luxury cars with ease, but there remains a clear problem for the car manufacturers who have sold millions of vehicles with potentially vulnerable systems," he explained.
Nicko Van Someren, chief technology officer at Good Technology, suggested that the news is indicative of the rush to connect devices to the internet.
"This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet," he said.
"Increasingly, in the rush to connect 'things' for the Internet of Things, we find devices that were designed with the expectation of physical access control being connected to the internet, the cloud and beyond. If the security of that connection fails, the knock-on effects can be dire and potentially even fatal."
A VW spokesperson told V3 that the firm has "an interest in protecting the security of its products and its customers."
"In this connection Volkswagen does not make available information that might enable unauthorised individuals to gain access to its vehicles. In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack."