Posted By thestatedtruth.com on August 15, 2015
It’s a new world out there for hackers, and luxury cars are now in vogue. There’s no quick fix for the problem – the RFID chips in the keys and transponders inside the cars have become easy targets for hackers.
“Keyless” car theft, in which hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London. BMWs and Range Rovers are particularly at risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.
This week a paper – by Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham, U.K. – is being presented at the USENIX security conference in Washington, D.C. The authors detail how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.
The Megamos is one of the most common immobilizer transponders, used in Volkswagen-owned luxury brands including Audi, Porsche, Bentley and Lamborghini, as well as Fiats, Hondas, Volvos and some Maserati models.
But the Megamos Crypto is not the only immobilizer to have been targeted in this way – other popular products including the DST transponder and KeeLoq have both been reverse-engineered and attacked by security researchers.
Below is a list of some of the models that may be vulnerable to hacking.
“This is a serious flaw and it’s not very easy to quickly correct,” explained Tim Watson, Director of Cyber Security at the University of Warwick. “It isn’t a theoretical weakness, it’s an actual one and it doesn’t cost theoretical dollars to fix, it costs actual dollars.”
Immobilizers are electronic security devices that stop a car’s engine from running unless the correct key fob (containing the RFID chip) is in close proximity to the car. They are supposed to prevent traditional theft techniques like hot-wiring, but can be bypassed, for example by amplifying the signal.
In this case, however, researchers broke the transponder’s 96-bit cryptographic system by listening in twice to the radio communication between the key and the transponder. This reduced the pool of potential secret key matches and opened up the “brute force” option: running through 196,607 possible secret keys until they found the one that could start the car.
It took less than half an hour.