In 2012, researchers Baris Ege, Flavio Garcia, and Roel Verdult of Radboud University (Netherlands) uncovered a major flaw in the security chips used to prevent automobile theft. These chips are used by numerous car brands, such as Volvo, Honda, Fiat, Volkswagen, Audi, Porsche, Lamborghini and Bentley. The researchers did not intend to publish their findings until 9 months later, but the automakers sued them as soon as they became aware of the flaws.
These security chips are installed in transponder keys, the keys that most cars manufactured in the 2000s come with. What sets them apart from older, more primitive keys is an electronic chip that communicates with the ignition. This chip can be programmed only by professionals (authorized dealers and automotive locksmith technicians) who have the necessary equipment and knowledge, and it is impossible to start the engine with a key whose chip the ignition does not recognize.
The researchers found a loophole that makes it possible to "fool" an ignition fitted with a transponder system and bypass its anti-theft protection.
The Discovery of the Car Lock Hack
The findings are now coming to light and will be presented at the USENIX security conference in Washington, DC. The weaknesses are described in detail in a paper titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer". Luxury vehicles commonly have immobilizers that use Megamos RFID transponders, and the weakness lies in the authentication and cryptography process.
Immobilizers are attached to an automobile's starter system. They are electronic devices that detect the presence or absence of an RFID (radio frequency identification) chip, carried in a key or key fob, in the vicinity of the ignition switch. If the RFID chip is absent, the engine will not start. This makes it impossible to hotwire the car or start the engine with an unauthorized duplicate key. One way to bypass this is to trick the immobilizer into believing the RFID chip is closer than it actually is, which is done with a radio amplifier. The Radboud researchers, however, broke the cryptography used by the transponder itself.
The researchers needed to "overhear" the radio exchange between the key and the immobilizer only twice in order to drastically narrow down the number of possible keys. It took them less than 30 minutes to recover the information needed to start the car, because the system allowed unlimited authentication attempts. Against the weaker keys used by other manufacturers, Verdult, Ege and Garcia needed nothing more than a couple of minutes of work and a portable computer to defeat the anti-theft system.
Unlike security flaws that only require an over-the-air update or a software patch, this cryptographic weakness in Megamos is not an easy fix for automakers. Fixing it would require physically replacing the keys and the cryptographic transponder systems in the engines. What would that cost? The physical parts are fairly cheap, but the labor on luxury car models is not.
This is not the first flaw of its type to be discovered by Radboud researchers. In 2008, another RFID-based system, used for public transportation passes, was found to be compromised, and a Dutch court granted the researchers the right to publish their findings.
Verdult, Ege, and Garcia went back and forth with Volkswagen and the others in early 2012 about the publication of their findings.
Volkswagen initially won an injunction after filing suit to block the publication. Negotiations took over a year, but the researchers finally received permission to publish an edited version of the paper, from which they were obligated to delete a single sentence.
The post Major Flaw in Electronic Car Locks Made by Big Brands appeared first on Locks, keys, doors.