Car hacking - report reveals security flaw in immobilisers

Study was buried for two years; over 100 models at risk from attacks

A Dutch academic study has revealed that well over 100 cars have a security flaw that could allow hackers to start and steal them without a key.

Controversially, the report – entitled ‘Dismantling Megamos Crypto: Wirelessly Lock-Picking A Vehicle Immobilizer’ – has only recently been released, after a court injunction from Volkswagen and other manufacturers was lifted after two years.

You expect to need your car’s key to start it, but according to the report, that’s not always the case. It states that some anti-theft systems on some models can be hacked remotely, allowing the car to be driven away.

The report’s authors Roel Verdult, Flavio Garcia and Baris Ege say they were “able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes”.

They managed this by ‘listening in’ to the signals sent between the car’s key and the immobiliser and then replicating them.

Cars from across the Volkswagen Group – including Audi, Bentley, Porsche, Lamborghini and VW itself – as well as Alfa Romeo, Fiat and Jeep, are affected.

A 2016 UK study has recently found similar problems, this time concerning the remote central locking systems of an estimated 100 million cars made by the Volkswagen Group (including Skoda, SEAT and Audi models) between 1995 and 2016.

Now working with the University of Birmingham, Flavio Garcia, together with David Oswald, claim VW Group cars can have their keys’ codes ‘cloned’ by thieves after locking or unlocking signals have been intercepted, allowing unauthorised access to the vehicle. While this doesn’t allow the car to be driven away, it’s definitely concerning – particularly when taken in conjunction with the immobiliser issue. Volkswagen is keen to stress its newer models (including the latest Golf, Tiguan and Passat) have improved security measures, though, and aren’t affected by this issue.

Car hacking: could it happen to you?

Manufacturers that use the radio-frequency identification (RFID) are coming under increasing pressure from the researchers to take their findings into account and improve their security measures.

It’s important to note that this is not the same issue as the one recently discovered in the Tesla Model S that can be fixed by a remote software upgrade – this was to do with the quality of the hardware in the key used to send the coded message to the immobiliser.

The researchers claim that a better, more secure chip in the key – costing less than £1 more – would make hacking the immobiliser far more difficult and complicated.

While Verdult, Garcia and Ege are campaigning for manufacturers to do more to combat car hacking and be more open in their discussions about it, some companies aren’t so keen.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If it succeeds, research of this nature would become illegal.

Volkswagen insists it’s doing everything possible to prevent these hacking attempts, saying: “In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”

Recommended

New 2022 Volkswagen ID.5 starts from £50,550
Volkswagen ID.5 and ID.5 GTX
Volkswagen
28 Jan 2022

New 2022 Volkswagen ID.5 starts from £50,550

What does TDI stand for?
Audi's latest engine labelling system continues to baffle, though. The 3.0-litre diesel is the 50 TDI – 55 TFSI the petrol.
Volkswagen
20 Jan 2022

What does TDI stand for?

2022 Jeep Renegade and Compass gain new e-Hybrid engine
Jeep Renegade and Jeep Compass e-Hybrids
Jeep
20 Jan 2022

2022 Jeep Renegade and Compass gain new e-Hybrid engine

Should you buy an Audi, a BMW or a Mercedes?
Should you buy an Audi, a BMW or a Mercedes?
Tips and advice
13 Jan 2022

Should you buy an Audi, a BMW or a Mercedes?

Most Popular

Top 10 best cheap-to-run cars 2022
Toyota Prius front 3/4 cornering
Best cars
17 Jan 2022

Top 10 best cheap-to-run cars 2022

UK road tax 2022: VED tax rates and bands explained
2021 Road Tax explained
Car tax
20 Jan 2022

UK road tax 2022: VED tax rates and bands explained

Next Nissan Micra will be retro-inspired electric supermini
Nissan Micra EV teaser
Nissan Micra
27 Jan 2022

Next Nissan Micra will be retro-inspired electric supermini

Tips & advice

View All
Car dashboard warning lights: the complete guide
Car dashboard symbols and meanings
Tips and advice
10 Aug 2021

Car dashboard warning lights: the complete guide

Electric car charging stations: a complete guide
Electric car charging station
Tips and advice
5 Nov 2021

Electric car charging stations: a complete guide

PCP vs HP – which type of car finance is right for you?
PCP vs HP
Car buying
21 Jan 2022

PCP vs HP – which type of car finance is right for you?

Average speed cameras: how do they work?
Average speed cameras: how do they work?
Tips and advice
23 Jul 2021

Average speed cameras: how do they work?

Best cars

View All
Top 10 best car interiors 2022
Peugeot 208 hatchback
Best cars
25 Jun 2021

Top 10 best car interiors 2022

Top 10 best electric cars 2022
Ioniq 5
Best cars
19 Jan 2022

Top 10 best electric cars 2022

Top 10 best cheap-to-run cars 2022
Toyota Prius front 3/4 cornering
Best cars
17 Jan 2022

Top 10 best cheap-to-run cars 2022

The UK's top 10 fastest hot hatchbacks 2022
Audi RS 3 driving - front view
Hot hatches
21 Jan 2022

The UK's top 10 fastest hot hatchbacks 2022