Three university scientists from England and the Netherlands figured out how to unlock and start Volkswagen-owned luxury vehicles wirelessly without the key, and compiled their findings in an academic paper. The scientists claimed that the research was intended to increase security for everyone, and while that might be true if the codes needed to crack the secret algorithm were never to be published, they planned to publish the paper at the Usenix Security Symposium in Washington, DC, next month.

Fortunately for those who own a Bentley, Lamborghini, Audi or Porsche (and other unmentioned brands), a UK judge, recognizing that the information could result in the theft of many vehicles, imposed an injunction barring the England-based scientist, Flavio Garcia, from attending the symposium, The Guardian reports. The other two scientists, Roel Verdult and Baris Ege from Radboud University Nijmegen, won't attend, either.

The algorithm, called Megamos Crypto, allows the key to communicate with the vehicle by deciphering and reordering the codes sent between the two, acting both as a translator of sorts and a safety barrier. With the wrong key in hand – or no key – the car won't function, unless the algorithm has been bypassed another way.

For its part, Volkswagen was actually okay with the paper – "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser" – being published, but only if the offending codes were redacted. The scientists, of course, refused.

We appreciate the scientists' effort to increase security by learning the weaknesses of the systems that protect us, but we would rather not have that information in the public domain. With the codes in the wrong hands, who knows what could happen next.


      TelegramSam
      • 1 Year Ago
      Security through obscurity is no security at all. All they have done is make the secret harder to discover, but if one group of clever people can do it, so will another.
      AntBee
      • 1 Year Ago
      This sort of code cracking has already been happening with BMWs. A friend of mine was in Belgium last year, and had her belongings in the trunk of a friend's BMW. Thieves were able to get into the locked car and trunk without breaking any windows; it was all done by an electronic bypass. BMW is aware of the problem, but will not do anything to remedy the situation. http://www.bbc.co.uk/programmes/b006mg74/features/bmw-car-theft-technology
      _I_I_II_I_I_
      • 1 Year Ago
      hate to say it but sometimes I think people lose sight of what freedom of information is all about.
      Gordon Chen
      • 1 Year Ago
      The scientist should just contact auto manufacturers, tell them about it, have them fix it. Once patched up, then publish it. Everyone wins in this case.
      FutureDoc
      • 1 Year Ago
      I want to see the published paper, great academic work (and sounds like a fun project). Considering that the problem was identified, VW should have had plenty of time to find a solution and then get in contact with the consumers. Simple software update, next. Publishing this paper is not a "crime" by any stretch of the imagination... but how can you prevent "information" in another country?
      BipDBo
      • 1 Year Ago
      These scientists are a--holes. Why don't they use their talents for something that would help humanity? I sure hope that they're working off of their own dime rather than a grant.
        oRenj9
        • 1 Year Ago
        @BipDBo
        It's people like this that keep you safe, whether you realize and appreciate it or not. These guys publish this kind of information only AFTER contacting the company responsible and offering assistance into resolving the issue. The problem with most companies is that they don't want to spend the money to fix "unknown" security exploits. So many of these guys have to make their results public, otherwise the problem never gets fixed. This problem is already known and being exploited by criminals. Unless security researchers make this information public, companies won't be forced to fix issues and the public won't be safe. They will continue to deny that a problem exists because nobody has "proof" that there is a problem. Your options are literally: make it public knowledge so that a fix is created, or keep it "secret" so that only criminals leverage it while the company maintains plausible deniability.
        BipDBo
        • 1 Year Ago
        @BipDBo
        If they were willing to publish the paper (without court order) omitting the codes and key steps they made in breaking the codes, I would not be saying this.
        Kip
        • 1 Year Ago
        @BipDBo
        It seems a little close-minded to believe the scientists are the only ones who have figured out the vulnerabilities. The professional car thieves who would exploit the knowledge in this paper already have it. We're not talking about tweakers who want your radio to fund their next bump.
      costeau
      • 1 Year Ago
      The cipher(s) have already been out since 2009, so why should redacting them from the USENIX presentation make a difference in the first place? If the wrong hands want them, they'll get them anyway. Instead, VW should do the necessary recalls to have the software upgraded to tighten up the security. After all, if it's this weak, it's reason alone to stay away from their vehicles, at least until you've got a 100% satisfaction that it's been fixed. On top of that, VW's clumsy handling of the matter will just hurt the consumers' faith in their security systems.
      drewbiewhan
      • 1 Year Ago
      Thank god I drive a 1999 Taurus...
        antacid
        • 1 Year Ago
        @drewbiewhan
        ya, all they need is a screwdriver to steal a Taurus, not a highly sophisticated item they probably have to solder together themselves from confusing instructions on the internet
        Feurig
        • 1 Year Ago
        @drewbiewhan
        ...which is easier to break into...
        Daniel D
        • 1 Year Ago
        @drewbiewhan
        One of the few times you get to say that.
      KaBoomBOX
      • 1 Year Ago
      Hmmm, sounds like VW hasn't met there redaction price yet.
        KaBoomBOX
        • 1 Year Ago
        @KaBoomBOX
        Sounds like VW hasn't met their redaction price yet.
      Jay
      • 1 Year Ago
      This really isn't news. There have been similar papers published for almost every manufacturer out there.
      jcwconsult
      • 1 Year Ago
      Non-key devices to start vehicles WILL be hacked. It is only a question of time for the expertise to become available. No thanks. James C. Walker, Life Member-National Motorists Association (USA)
        Gordon Chen
        • 1 Year Ago
        @jcwconsult
        I prefer a physical key to start any day. The whole keyless start is 99% "sounds like a cool selling point on brochure" and 1% "makes life better for driver"
      oRenj9
      • 1 Year Ago
      Preventing these guys from speaking is just going to allow VW more time to ignore the problem. The cat's out of the bag and it's only a matter of time before somebody else figures out how to do this.