Immobilising the immobiliser – how researchers cracked ‘weak’ anti-car theft systems

The work of three security researchers, detailing how to hack car immobiliser systems, has finally been published, two years after a UK High Court judge ruled in favour of French defence group Thales and German auto maker Volkswagen, both of which had claimed the information could be used by criminals.

Now, however, Roel Verdult, Flavio Garcia and Baris Ege, of Radboud University in the Netherlands and the University of Birmingham, have published their findings which, they say, highlight the ease with which car anti-theft systems can be cracked.

Examining the cryptography used in the Megamos Crypto immobiliser, found in many popular brands of car, including Audi, Honda, Porsche and over 20 others, the researchers were able to reverse engineer the entire system. The immobiliser prevents the engine from starting unless a passive RFID transponder embedded in the key is nearby and authenticates successfully to the car.

This allowed Verdult, Garcia and Ege to identify several weaknesses, they say, in the design of the cipher, in the authentication protocol and in the overall implementation of the system.

In their paper, which underwent edits before permission to publish was granted, the trio said they were able to exploit three different weaknesses with the only requirement being wireless communication with the system.

In the first attack, they exploited weaknesses inherent in the design of the cipher and the authentication protocol:

We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions).

In the second attack, the researchers took advantage of a weakness in the key-update mechanism of the transponder, which allowed them to “recover the secret key after 3 × 2^16 authentication attempts with the transponder”. This attack, they said, required negligible computational power and was successfully executed against several vehicles, after which they were able to start the engine with a device emulating the transponder. From start to finish, the attack took only 30 minutes, they said, though I suspect that in itself would be enough to put off the average car thief!

In the last attack, the trio exploited the fact that some car manufacturers set weak, low-entropy cryptographic keys in their vehicles, using:

a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop.
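To make the third attack concrete, here is an added, scaled-down illustration of a Hellman-style time-memory trade-off in Python. It is not code from the paper and does not implement the Megamos Crypto cipher: the transponder's challenge-response function is stood in for by HMAC-SHA256 truncated to 16 bits, and the "weak key" assumption is a constructed one, namely that a manufacturer varies only the low 16 bits of each 96-bit key while the rest is a fixed constant. The prefix, the challenge value and all function names are assumptions made for the example. The attacker eavesdrops one challenge and its response, then recovers the key from a precomputed table that stores far fewer entries than the key space.

```python
"""
Toy Hellman time-memory trade-off against a low-entropy transponder key.

Constructed illustration, not the Megamos Crypto cipher and not the paper's
actual tables: the keyed function is HMAC-SHA256, and the weak-key assumption
is that only the low 16 bits of the 96-bit key vary per vehicle.
"""
import hashlib
import hmac

KEY_BITS = 16                      # entropy actually present in the "weak" keys
N = 1 << KEY_BITS                  # size of the weak-key space (65536)
FIXED_PREFIX = bytes.fromhex("0011223344556677aabb")  # 80 fixed key bits (assumed)
CHALLENGE = bytes.fromhex("5ca1ab1e")                 # one eavesdropped challenge (constructed)

T = 16           # chain length: online work per lookup is at most T*T evaluations
M = N // T       # number of chains: the table stores M entries instead of N


def weak_key(index: int) -> bytes:
    """Expand a 16-bit index into the full 96-bit key a transponder would hold."""
    return FIXED_PREFIX + index.to_bytes(2, "big")


def respond(index: int, challenge: bytes = CHALLENGE) -> int:
    """Stand-in for the transponder's response to a challenge under key `index`."""
    mac = hmac.new(weak_key(index), challenge, hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big")   # 16-bit response, same width as the index


def reduce_response(response: int) -> int:
    """Map a response back into the key space (identity here, widths match)."""
    return response % N


def step(index: int) -> int:
    """One chain step: key index -> response -> next key candidate."""
    return reduce_response(respond(index))


def build_table(m: int = M, t: int = T) -> dict:
    """Offline phase: walk m chains of length t, keep only endpoint -> start points."""
    table = {}
    for start in range(m):
        k = start
        for _ in range(t):
            k = step(k)
        table.setdefault(k, []).append(start)   # keep every start on endpoint collisions
    return table


def recover(table: dict, response: int, t: int = T):
    """Online phase: find a key index whose response to CHALLENGE equals `response`.

    Returns None when the key is not covered by this table (a real attacker
    builds several tables with different reduction functions to close the gap).
    """
    k = reduce_response(response)
    for _ in range(t):
        for start in table.get(k, []):
            cand = start
            for _ in range(t):               # rebuild the chain and test each element,
                if respond(cand) == response:  # which also rejects false alarms
                    return cand
                cand = step(cand)
        k = step(k)
    return None


def coverage(table: dict, t: int = T) -> int:
    """Count distinct key indices the table can recover (offline diagnostic)."""
    seen = set()
    for starts in table.values():
        for start in starts:
            k = start
            for _ in range(t):
                seen.add(k)
                k = step(k)
    return len(seen)


if __name__ == "__main__":
    table = build_table()
    victim = 0xBEEF                              # constructed victim key index
    seen_response = respond(victim)              # what the attacker eavesdropped
    found = recover(table, seen_response)
    print(f"stored {len(table)} entries for a key space of {N}; "
          f"covered {coverage(table)} keys; recovered {found}")
```

The trade-off is the point: the table holds at most M = N/T entries, each lookup costs at most T² evaluations, and `coverage()` shows that chain merges leave some keys unrecoverable by a single table, which is why a practical attack uses several tables (or a rainbow table) and why the paper's laptop needs "a few minutes" rather than milliseconds. A key found from one challenge should be confirmed against a second eavesdropped challenge-response pair before use, since different keys can collide on one 16-bit response.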

Mitigating the attacks in future is a relatively simple affair, the researchers said, requiring little more than transponders with stronger ciphers, something that would likely add less than a dollar to the cost of a new car. For older vehicles the solution is not quite so simple, requiring the replacement of the key's transponder chip and the corresponding immobiliser hardware in each affected vehicle.

Given recent news about car hacks and other car-related issues, I can only hope that some manufacturers consider such a move worthwhile before the whole industry gains a reputation for employing sub-standard security that is both embarrassing and potentially dangerous.
