Car hacking - report reveals security flaw in immobilisers

Study was buried for two years; over 100 models at risk from attacks

A Dutch academic study has revealed that well over 100 cars have a security flaw that could allow hackers to start and steal them without a key.

Controversially, the report – entitled ‘Dismantling Megamos Crypto: Wirelessly Lock-Picking A Vehicle Immobilizer’ – has only recently been released, after a court injunction from Volkswagen and other manufacturers was lifted after two years.

You expect to need your car’s key to start it, but according to the report, that’s not always the case. It states that some anti-theft systems on some models can be hacked remotely, allowing the car to be driven away.

The report’s authors Roel Verdult, Flavio Garcia and Baris Ege say they were “able to recover the key and start the engine with a transponder-emulating device. Executing this attack from beginning to end takes only 30 minutes”.

They managed this by ‘listening in’ to the signals sent between the car’s key and the immobiliser and then replicating them.

Cars from across the Volkswagen Group – including Audi, Bentley, Porsche, Lamborghini and VW itself – as well as Alfa Romeo, Fiat and Jeep, are affected.

A 2016 UK study has recently found similar problems, this time concerning the remote central locking systems of an estimated 100 million cars made by the Volkswagen Group (including Skoda, SEAT and Audi models) between 1995 and 2016.

Now working with the University of Birmingham, Flavio Garcia, together with David Oswald, claim VW Group cars can have their keys’ codes ‘cloned’ by thieves after locking or unlocking signals have been intercepted, allowing unauthorised access to the vehicle. While this doesn’t allow the car to be driven away, it’s definitely concerning – particularly when taken in conjunction with the immobiliser issue. Volkswagen is keen to stress its newer models (including the latest Golf, Tiguan and Passat) have improved security measures, though, and aren’t affected by this issue.

Car hacking: could it happen to you?

Manufacturers that use the radio-frequency identification (RFID) are coming under increasing pressure from the researchers to take their findings into account and improve their security measures.

It’s important to note that this is not the same issue as the one recently discovered in the Tesla Model S that can be fixed by a remote software upgrade – this was to do with the quality of the hardware in the key used to send the coded message to the immobiliser.

The researchers claim that a better, more secure chip in the key – costing less than £1 more – would make hacking the immobiliser far more difficult and complicated.

While Verdult, Garcia and Ege are campaigning for manufacturers to do more to combat car hacking and be more open in their discussions about it, some companies aren’t so keen.

Volkswagen Group of America, along with 12 other car manufacturers, is lobbying for car technology to fall under the protection of the Digital Millennium Copyright Act in the US. If it succeeds, research of this nature would become illegal.

Volkswagen insists it’s doing everything possible to prevent these hacking attempts, saying: “In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack.”

Recommended

Volkswagen T-Cross SUV review
Volkswagen T-Cross
In-depth reviews
12 Oct 2023

Volkswagen T-Cross SUV review

New Audi Q6 e-tron: interior revealed, plus prototype review
Audi Q6 e-tron
News
4 Sep 2023

New Audi Q6 e-tron: interior revealed, plus prototype review

Volkswagen ID. GTI concept showcases future of VW hot hatches
Volkswagen ID. GTI concept
News
4 Sep 2023

Volkswagen ID. GTI concept showcases future of VW hot hatches

Cheap fun cars: our picks from £1,000 to £10,000
Cheap fun used cars
Tips and advice
27 Jul 2023

Cheap fun cars: our picks from £1,000 to £10,000

Most Popular

Hot car deal: quirky Nissan Juke hybrid for £172 a month
Nissan Juke dynamic
Deals
26 Feb 2024

Hot car deal: quirky Nissan Juke hybrid for £172 a month

Best new car deals 2024: this week’s top car offers
Carbuyer best new car deals hero
Deals
1 Mar 2024

Best new car deals 2024: this week’s top car offers

10 smallest cars on sale 2024
smallest cars on sale
Best cars
28 Feb 2024

10 smallest cars on sale 2024

Tips & advice

View All
Car dashboard warning lights: the complete guide
Car dashboard symbols and meanings
Tips and advice
19 Dec 2023

Car dashboard warning lights: the complete guide

Electric car charging stations: a complete guide
Public EV charge point
Tips and advice
11 Jan 2023

Electric car charging stations: a complete guide

PCP vs HP – which type of car finance is right for you?
PCP vs HP
Tips and advice
17 May 2022

PCP vs HP – which type of car finance is right for you?

Average speed cameras: how do they work?
Average speed cameras: how do they work?
Tips and advice
12 Apr 2023

Average speed cameras: how do they work?

Best cars

View All
Top 10 best car interiors
Peugeot 208 hatchback
Best cars
25 Jun 2021

Top 10 best car interiors

Top 10 best electric cars 2024
The best electric cars 2023
Best cars
2 Jan 2024

Top 10 best electric cars 2024

Top 10 best cheap-to-run cars 2024
The best cheap-to-run cars 2023
Best cars
2 Jan 2024

Top 10 best cheap-to-run cars 2024

The UK's top 10 fastest hot hatchbacks 2024
Fastest hot hatchbacks hero
Best cars
2 Jan 2024

The UK's top 10 fastest hot hatchbacks 2024