Academics have discovered a major security flaw, meaning that car models including Audi, Honda, Volvo, Fiat, Citroën and Volkswagen are vulnerable to ‘keyless theft’.
This major flaw in more than 100 car models has recently been exposed through an academic paper, which was suppressed by a major manufacturer for two years. The author Flavio Garcia and his two colleagues were unable to release the paper after Volkswagen won a case in the high court to ban its publication.
After years of formal negotiations, Volswagen has agreed to the publication of this paper after the authors’ agreed to remove a sentence, detailing the security flaw from the original manuscript.
The team discovered that the popular manufacturers all had models which were vulnerable to keyless theft because a device designed to prevent the vehicles from being stolen could be easily and quickly disabled.
The report states that the team found several weaknesses in the immobiliser system Megamos Crypto, which prevents the engine from starting when the transponder (embedded in the key) is not present. The researchers, however, showed that it was possible to listen to the signals being sent by the system and make close range wireless communication attacks.
“Our attacks require close range wireless communication with both the immobiliser unit and the transponder,” the team say in the paper. “It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket.”