The Hack and the Sack: VW Litigates To Hide Security Flaws In Its Cars

Ignition Switch Attorney - Lance Cooper

Technology is wonderful. Until someone uses it against you. Many modern cars, especially expensive ones with extensive electronics packages, use electronic keys with transponders. They permit drivers to start their cars remotely or with the key fob in their pocket. The new keys rely on microchips and computers. Gone is the old metal key. Gone in some cars is the key slot.

In 2012, a group of ethical hackers (those who hack to improve product safety) found that many cars could be hacked, and their key fobs compromised. In fact, they found they could hack Alfa Romeo, Audi, Buick, Cadillac, Chevrolet, Ferrari, Honda, Isuzu, Kia, Maserati, Opel, Volvo and Volkswagen. You can see the complete list of makes and models here.

These cars used a Megamos Crypto chip. It validates the signal from the key fob to the car. The system was intended to be immune from hacking. It uses 96-bit encryption. According to the researchers, that means there are billions of code combinations that the key and chip could generate, allegedly creating a secure connection. The hackers, however, found they could eavesdrop on the key and car radio communication just twice, and narrow the signals down. That allowed them to make 196,607 attempts to hack the car. Sound like a bunch? Using the right software and hardware, however, it only took hackers 30 minutes to crack the code. Using what they found, they easily made a copy of the key.

But there’s more to this than just the hack.

The ethical hackers found the security flaw in 2012. Yet, the news of their efforts was not publicized until August 2015. Why? Because one of the car makers, Volkswagen, sued the hackers (and their sponsoring universities) to censor their findings and restrain them from publishing the data. This was after the hackers had gone to Megamos with their findings and offered to keep the discovery secret for nine months, so that the chip company could find a fix.

VW apparently wanted more: a complete block on publication. After two years of litigation, VW relented (kind of) and settled the case. The settlement still required the hackers to omit from their paper information that would permit even a non-technical person to hack the car. So, was VW trying to keep this hidden for good? Was it acting to save its money? Was it acting to protect its customers? We can’t know all that without digging into VW corporate files. But we know that the news of the hack, which could have put property and lives at risk, was kept hidden for so long because of VW.

The affected car makers now say they have fixed the old cars, and their new cars are not susceptible to the hack.

For other references, see:

http://blog.caranddriver.com/hackers-crack-key-fob-encryption-used-by-more-than-25-automakers/

https://twitter.com/popmech/status/634994688731295744

http://www.consumeraffairs.com/news/volkswagen-and-other-keyless-ignitions-easy-to-hack-vw-spent-two-years-suppressing-this-in-court-081415.html

https://www.schneier.com/blog/archives/2013/08/scientists_bann.html

 
