An academic paper highlighting a car security loophole has finally been published following successful negotiations between car manufacturer Volkswagen and academics. The paper, entitled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer" and co-written by Flavio Garcia, Roel Verdult and Baris Ege, exposes a systemic security fault in a range of luxury cars that could lead to the theft of potentially thousands of cars.
Although the code has been available on the Internet since 2009, this latest development comes after a two-year interim injunction was issued by Birss J in Volkswagen's favour (i.e. against publication) in the 2013 case of Volkswagen Aktiengesellschaft and Thales v Garcia and others. Initially, Mr Garcia, a computer scientist from the University of Birmingham, was ordered by the High Court not to deliver a group paper on the security failings of keyless entry systems used by numerous luxury car companies at the 2013 Usenix Security conference in Washington.
The paper highlighted failings stemming from a car transponder (Megamos Crypto), an anti-theft device that prevents the engine from starting unless a key is near the vehicle. Initially released to car companies in 2012, its findings are now firmly in the public domain.
"Responsible, legitimate academic work"
Whilst the paper was initially prevented from being published to stop the dissemination of the start codes for multiple vehicles, Garcia and his co-writers argued that 'the public have a right to see weaknesses in security on which they rely exposed,' or else, the 'industry and criminals know security is weak but the public do not.' However, the High Court wanted to both 'recognise the high value of academic free speech [but also protect] the security of millions of Volkswagen cars.'
Following years of prolonged formal and informal negotiations, this week Volkswagen finally approved the full publication of the paper with one sentence redacted. However, this news has received a mixed reception as the information therein could '[facilitate] car crime' and allow sophisticated criminal gangs with the right tools to override the security and steal luxury cars. This poses a huge problem to multinational luxury car manufacturers such as Ferrari, Volkswagen and Audi who have sold millions of vehicles built using this technology.
Although vehicles are largely only at risk from 'sophisticated criminal gangs', the increasing instances of keyless thefts are a cause for concern, with electronic hacking of vehicles accounting for 40% of car thefts in London in 2014. Indeed, these overall security risks may have further negative effects on the wider luxury car industry, as they may increase consumer distrust of manufacturers, negatively impacting future sales and putting manufacturers at risk of being sued by their customers for misleading buyers over their cars' security.
That said, despite the concerns highlighted in the academic paper, researchers believe that the security weaknesses have largely been addressed and rectified in vehicles made in the last two years. However, for the cars made with the faulty security mechanism, the problems have been forecast to cost millions of pounds to rectify.