In 2012, researchers at Radboud University in the Netherlands discovered a security flaw in a common automotive security chip used in theft prevention by Volkswagen, Audi, Fiat, Honda, and Volvo vehicles. But after they disclosed their results to the auto manufacturers—a full nine months before they planned to publish them—the automakers sued to keep them quiet.
Today, that suppressed paper is finally being presented at the USENIX security conference in Washington, DC. Entitled “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer,” the paper details how researchers Roel Verdult, Flavio Garcia, and Baris Ege uncovered weaknesses in the cryptography and authentication protocol used in the Megamos RFID transponder used in car immobilizers used in many luxury vehicles. The list of impacted cars includes vehicles from Volkswagen’s Porsche, Audi, Bentley, and Lamborghini brands.
An immobilizer is an electronic device that is connected to a vehicle’s starter system. It detects the presence (or absence) of a radio frequency identification chip in a key fob or key in proximity to the ignition switch, preventing the engine from starting if it’s not present (therefore deterring car theft by hotwiring or use of an unauthorized duplicate key). There are a number of ways to bypass these systems, including the use of a radio amplifier to fool the transponder into believing the RFID chip is closer than it actually is. But the Radboud researchers were able to go further, actually breaking the crypto system used by the Megamos transponder.
By eavesdropping on the radio exchange between the Megamos Crypto system and the key only twice, the researchers were able to dramatically reduce the size of the pool of potential matches to the system’s 96-bit secret key. Because the system allowed unlimited attempts to authenticate, Verdult, Garcia, and Ege were able to recover the secret key within “3 x 2^16” (196,607) tries with “negligible computational complexity.” It all took less than 30 minutes. Some car manufacturers used weaker keys, and the researchers were able to recover the secret key in just a few minutes with a laptop computer.
Unlike some of the other recently revealed security flaws in automobiles, the Megamos cryptography bug isn’t something that automakers can easily fix with a software patch or over-the-air update. Since it’s a flaw in the RFID chips in the cars’ physical keys as well as in the transponder, it would require physically re-keying all affected vehicles and replacing the cryptographic transponders integrated into the vehicle’s engine starting system. While the components themselves are relatively inexpensive, the labor costs to dealers (particularly for the luxury models affected) would be more than trivial.
Another team of researchers at Radboud had discovered a similar flaw in 2008 in an RFID-based public transport pass system, and the group won the right to publish their work in a Dutch court. But when Verdult and his colleagues brought their findings to Volkswagen and other automakers in February of 2012—again, nearly a year before any planned publication—Volkswagen filed a suit in the UK to block. Volkswagen initially won an injunction, forcing the paper to be withdrawn. But over a year of negotiations with Volkswagen after, the researchers gained permission to publish a redacted version of their paper. The edits? They deleted a single sentence from the report.