Car hacking - report reveals security flaw in immobilisers

Study was buried for two years; over 100 models at risk from attacks

A Dutch academic study has revealed that well over 100 cars have a security flaw that could allow hackers to start and steal them without a key.

Controversially, the report – entitled ‘Dismantling Megamos Crypto: Wirelessly Lock-Picking A Vehicle Immobilizer’ – has only recently been released, after a court injunction from Volkswagen and other manufacturers was lifted after two years.

You expect to need your car’s key to start it, but according to the report, that’s not always the case. It states that some anti-theft systems on some models can be hacked remotely, allowing the car to be driven away.

The report’s authors Roel Verdult, Flavio Garcia and Baris Ege say they were “able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes”.

They managed this by ‘listening in’ to the signals sent between the car’s key and the immobiliser and then replicating them.

Cars from across the Volkswagen Group – including Audi, Bentley, Porsche, Lamborghini and VW itself – as well as Alfa Romeo, Fiat and Jeep, are affected.

A 2016 UK study has recently found similar problems, this time concerning the remote central locking systems of an estimated 100 million cars made by the Volkswagen Group (including Skoda, SEAT and Audi models) between 1995 and 2016.

Now working with the University of Birmingham, Flavio Garcia, together with David Oswald, claim VW Group cars can have their keys’ codes ‘cloned’ by thieves after locking or unlocking signals have been intercepted, allowing unauthorised access to the vehicle. While this doesn’t allow the car to be driven away, it’s definitely concerning – particularly when taken in conjunction with the immobiliser issue. Volkswagen is keen to stress its newer models (including the latest Golf, Tiguan and Passat) have improved security measures, though, and aren’t affected by this issue.

Car hacking: could it happen to you?

Manufacturers that use the radio-frequency identification (RFID) are coming under increasing pressure from the researchers to take their findings into account and improve their security measures.

It’s important to note that this is not the same issue as the one recently discovered in the Tesla Model S that can be fixed by a remote software upgrade – this was to do with the quality of the hardware in the key used to send the coded message to the immobiliser.

The researchers claim that a better, more secure chip in the key – costing less than £1 more – would make hacking the immobiliser far more difficult and complicated.

While Verdult, Garcia and Ege are campaigning for manufacturers to do more to combat car hacking and be more open in their discussions about it, some companies aren’t so keen.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If it succeeds, research of this nature would become illegal.

Volkswagen insists it’s doing everything possible to prevent these hacking attempts, saying: “In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”

Recommended

Volkswagen introduces new Active trim level
VW T-Roc Cabriolet
News
19 Apr 2021

Volkswagen introduces new Active trim level

Porsche Taycan vs Tesla Model S: rivals comparison
Porsche Taycan vs Tesla Model S header
Electric cars
19 Apr 2021

Porsche Taycan vs Tesla Model S: rivals comparison

What are Audi TFSI petrol engines?
Yellow Audi Q2
Audi
16 Apr 2021

What are Audi TFSI petrol engines?

New 2021 Audi Q4 e-tron: prices, specs and release date
2021 Audi Q4 e-tron SUV - front 3/4 dynamic
Audi
15 Apr 2021

New 2021 Audi Q4 e-tron: prices, specs and release date

Most Popular

Car dashboard warning lights: the complete guide
Car dashboard symbols and meanings
Tips and advice
13 Apr 2021

Car dashboard warning lights: the complete guide

New Mercedes EQS electric saloon unveiled
2021 Mercedes EQS front 3/4 tracking
Mercedes
15 Apr 2021

New Mercedes EQS electric saloon unveiled

Best new car deals 2021
Skoda Fabia
Deals
16 Apr 2021

Best new car deals 2021

Tips & advice

View All
Car dashboard warning lights: the complete guide
Car dashboard symbols and meanings
Tips and advice
13 Apr 2021

Car dashboard warning lights: the complete guide

Electric car charging stations: a complete guide
Tips and advice
10 Nov 2020

Electric car charging stations: a complete guide

PCP vs HP – what's the difference?
Tips and Advice
23 Mar 2020

PCP vs HP – what's the difference?

Average speed cameras: how do they work?
Average speed cameras: how do they work?
Tips and advice
24 Feb 2021

Average speed cameras: how do they work?

Best cars

View All
Best car interiors
Best cars
10 Mar 2020

Best car interiors

Best electric cars
Best cars
24 Dec 2020

Best electric cars

Best cheap-to-run cars
Toyota Prius front 3/4 cornering
Best cars
1 Feb 2021

Best cheap-to-run cars

The UK's top 10 fastest hot hatchbacks
Hot hatches
9 Apr 2020

The UK's top 10 fastest hot hatchbacks