Volkswagen silences talk about security flaws in luxury cars

PorscheIf you park a luxury car worth up to $300,000 outside a restaurant, you probably want to feel confident it’s still going to be there where you left it when you return at the end of the evening.

That’s why the cars of the super-rich, such as Audis, Bentleys, Porsches, and Lamborghinis, are protected by the Megamos Crypto system – an RFID transponder that uses an algorithm designed to verify the identity of the ignition key being used to start their motors.

If it isn’t the right ignition key, the engine should remain immobilised and the car refuse to start.

Enter security researcher Flavio Garcia, a lecturer in Computer Science at the University of Birmingham in the UK.

Sign up to our free newsletter.
Security news, advice, and tips.

Garcia has been blocked by a British court from presenting his research into weaknesses in car immobilisation systems, at the behest of car manufacturing giant Volkswagen and the French defence group Thales.

Their concern? That the talk could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.”

Garcia, and his colleagues Baris Ege and Roel Verdult, who are security researchers at Radboud University in the Netherlands, were scheduled to give a talk entitled “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer” at the Usenix Security Symposium, being held in Washington in a couple of weeks.

Indeed, the talk is still listed in the conference’s proceedings:

Controversial talk

The researchers claim that they found a software program on the internet which contained the Thales-devised algorithm, and were able to find a weakness in its code which allowed it to be compromised. According to the security researchers, the program had been available on the net since 2009.

Volkswagen and Thales, however, argued that the algorithm was confidential, and that if the code has been released onto the internet it was probably done so illegally. The companies disputed disclosure of details about the problem was in the public interest, and said that criminals might attempt to take advantage.

That’s an argument which clearly convinced the UK court.

Both Birmingham and Raboud University have agreed to abide by the court’s decision, but they’re clearly feeling a bit miffed.

A spokeswoman for Raboud University was reported by the BBC as saying that the ban was “incomprehensible”:

“The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible.”

“The researchers informed the chipmaker nine months before the intended publication – November 2012 – so that measures could be taken. The Dutch government considers six months to be a reasonable notification period for responsible disclosure. The researchers have insisted from the start that the chipmaker inform its own clients.”

If there is a problem with the Megamos Crypto system used by a variety of car manufacturers, then that really needs to be fixed. Sooner, rather than later.

I cannot help but feel sorry for Flavio Garcia and his fellow researchers, as it sounds like they might not get their hour in the spotlight. They, after all, did the hard work here. And if it wasn’t for them – no-one, including Volkswagen and Thales, would probably know that a serious security problem existed.

It must be particularly galling for Garcia, Ege and Verdult as this week at the Black Hat conference in Las Vegas, security researchers Charlie Miller and Chris Valasek will be explaining how they managed to hack into car computer systems, and meddle with the brakes and steering of a vehicle in motion.

Quite rightly, their research will attract both a large audience and worldwide acclaim. Far from their talk being silenced by the-powers-that-be, their research was actually funded by the US Department of Defense’s DARPA wing to the tune of $80,000.

Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

2 comments on “Volkswagen silences talk about security flaws in luxury cars”

  1. shitasa

    Security through obscurity…how many times has it ever worked?

  2. Chris Pugson

    It appears that cars requiring a traditional key to be inserted and rotated in a traditional switch to start the engine are not at such a risk of theft as cars which only require the key to be present while the starter switch is a simple push-button. However, I wonder if such cars may still be at heightened risk of intrusion, say by thieves attempting to steal the contents of a car.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.