Researchers find flaw in RFID encryption for keyless car tech.

VW Didn’t Want You to Find Out About This Vulnerability in Its Keyless Cars

VW Didn’t Want You to Find Out About This Vulnerability in Its Keyless Cars

Future Tense
The Citizen's Guide to the Future
Aug. 14 2015 5:19 PM

VW Didn’t Want You to Find Out About This Vulnerability in Its Keyless Cars

465774604-brand-new-volkswagen-passat-and-a-golf-7-car-are-stored
Volkswagens may be mesmerizing, but security concerns about keyless entry are real.

Photo by Alexander Koerner/Getty Images

Recently published research shows that certain car models with keyless entry and ignition systems from Volkswagen, Audi, Fiat, Honda, Volvo, Porsche, Bentley, and other makers can be hacked. But though the information may be new to us, Volkswagen has known about it since 2013 and fought in United Kingdom court to keep the information quiet.

Keyless systems use radio-frequency identification, or RFID, chips in the fobs we carry around to send signals to transponders in our cars. When you approach your car, the transponder recognizes the signal from your RFID fob, the car doors unlock, and you can start the engine.

Advertisement

The vulnerability demonstrated by researchers at Radboud University in the Netherlands and the University of Birmingham in the U.K. involves cracking the encryption and authentication process in a widely used Megamos Crypto transponder. The transponder includes a 96-bit secret key, proprietary cipher, and 32-bit PIN code, but the researchers realized that its internal security was actually weaker. They wrote:

At some point the mechanical key was removed from the vehicle but the cryptographic mechanisms were not strengthened to compensate. We want to emphasize that it is important for the automotive industry to migrate from weak proprietary ciphers like this to community-reviewed ciphers ... and use it according to the guidelines.

The researchers notified the chip maker in February 2012 and then contacted Volkswagen in May 2013. But Bloomberg reports that VW filed a lawsuit to keep them from publishing the findings, and the U.K. high court granted an injunction. Two years later, the paper is finally being published with one redaction related to specific calculations that make the attack easier to replicate.

Thoroughly addressing the issue will involve replacing all the fobs and transponders in affected cars. A VW representative told Bloomberg, "Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector." Volkswagen did not immediately respond to a request for comment from Slate about its plans for addressing the vulnerability.

As more components of cars are run digitally, the arsenal of potential car hacks grows. If researchers face two years of opposition every time they attempt to disclose a hack, we could start to encounter some dangerous driving conditions.

Future Tense is a partnership of SlateNew America, and Arizona State University.