VW Sued Researchers to Conceal Security Flaw for Two Years

Andre Infante 21-08-2015

Software security vulnerabilities get reported all the time. Generally, the response when a vulnerability is uncovered is to thank (or, in many cases, pay) the researcher who found it, and then fix the problem. That’s the standard response in the industry.


A decidedly non-standard response would be to sue the people who reported the vulnerability to stop them from talking about it, and then spend two years trying to hide the issue. Sadly, that’s exactly what German car maker Volkswagen did.

Cryptographic Carjacking

The vulnerability in question was a flaw some cars’ keyless ignition system. These systems, a high-end alternative to conventional keys, is supposed to prevent the car from unlocking or starting unless the key-fob is nearby. The chip is called the “Megamos Crypto,” and is purchased from a third-party manufacturer in Switzerland. The chip is supposed to detect a signal from the car, and respond with a cryptographically signed message Can You Electronically Sign Documents & Should You? Perhaps you've heard your tech-savvy friends throw around both the terms electronic signature and digital signature. Maybe you've even heard them used interchangeably. However, you should know that they are not the same. In fact,... Read More assuring the car that it’s okay to unlock and start.

Unfortunately, the chip uses an outdated cryptographic scheme. When researchers Roel Verdult and Baris Ege noticed this fact, they were able to create a program that breaks the encryption by listening to the messages between the car and the key-fob. After hearing two such exchanges, the program is able to narrow the range of possible keys down to about 200,000 possibilities – a number which can be easily brute-forced by a computer.

This process allows the program to create a “digital duplicate” of the key-fob, and unlock or start the car at will. All of this can be done by a device (like a laptop or a phone) that happens to be near the car in question. It does not require physical access to the vehicle. In total, the attack takes about thirty minutes.

If this attack sounds theoretical, it isn’t. According to London’s Metropolitan Police, 42% of car thefts in London last year were performed using attacks against keyless unlocked systems. This is a practical vulnerability that puts millions of cars at risk.


All of this is more tragic, because keyless unlock systems can be a great deal more secure than conventional keys. The only reason these systems are vulnerable is due to incompetence. The underlying tools are far more powerful than any physical lock ever could be.

Responsible Disclosure

The researchers originally disclosed the vulnerability to the creator of the chip, giving them nine months to fix the vulnerability. When the creator refused to issue a recall, the researchers went to Volkswagen in May of 2013. They originally planned to publish the attack at the USENIX conference in August 2013, giving Volkswagen about three months to begin a recall/retrofit, before the attack would become public.

Instead, Volkswagen sued to stop the researchers from publishing the paper. A British high court sided with Volkswagen, saying “I recognise the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars.”

It’s taken two years of negotiations, but the researchers are finally being allowed to publish their paper, minus one sentence which contains a few key details about replicating the attack. Volkswagen still hasn’t fixed the key-fobs, and neither have the other manufacturers who use the same chip.


Security By Litigiousness

Obviously, Volkswagen’s behavior here is grossly irresponsible. Rather than trying to fix the problem with their cars, they instead poured god-knows how much time and money into trying to stop people from finding out about it. That’s a betrayal of the most fundamental principles of good security. Their behavior here is inexcusable, shameful, and other (more colorful) invectives that I’ll spare you. Suffice to say this is not how responsible companies should behave.

Unfortunately, it’s also not unique. Automakers have been dropping the security ball Can Hackers REALLY Take Over Your Car? Read More an awful lot lately. Last month, it was revealed that a particular model of Jeep could be wirelessly hacked through its entertainment system How Secure Are Internet-Connected, Self Driving Cars? Are self driving cars safe? Could Internet-connected automobiles be used to cause accidents, or even assassinate dissenters? Google hopes not, but a recent experiment shows there is still a long way to go. Read More , something that would be impossible in any security-conscious car design. To Fiat Chrysler’s credit, they recalled more than a million vehicles in the wake that revelation, but only after the researchers in question demoed the hack in an irresponsibly dangerous and vivid way.

Millions of other Internet-connected vehicles are likely vulnerable to similar attacks – but nobody’s recklessly endangered a journalist with them yet, so there’s been no recall. It’s entirely possible that we won’t see change on these until someone actually dies.

The trouble here is that car makers have never been software makers before – but now they suddenly are. They have no security-conscious corporate culture. They don’t have the institutional expertise to deal with these problems in the right ways, or build secure products. When they’re faced with them, their first response is panic and censorship, not fixes.


It took decades for modern software companies to develop good security practices. Some, like Oracle, are still stuck with outdated security cultures Oracle Wants You To Stop Sending Them Bugs - Here's Why That's Crazy Oracle is in hot water over a misguided blog post by security chief, Mary Davidson. This demonstration of how Oracle's security philosophy departs from the mainstream wasn't received well in the security community... Read More . Unfortunately, we don’t have the luxury of simply waiting for companies to develop these practices. Cars are expensive (and extremely dangerous) machines. They’re one of the most critical areas of computer security, after basic infrastructure like the electric grid. With the rise of self-driving cars History is Bunk: The Future of Transportation Will Be Like Nothing You've Seen Before In a few decades, the phrase 'driverless car' is going to sound an awful lot like 'horseless carriage,' and the idea of owning your own car will sound as quaint as digging your own well. Read More in particular, these companies must to do better, and it’s our responsibility to hold them to a higher standard.

While we’re working on that, the very least we can do is get the government to stop enabling this bad behavior. Companies shouldn’t even try to use the courts to hide issues with their products. But, so long as some of them are willing to try, we certainly shouldn’t let them. It’s vital that we have judges who are aware enough of the technology and practices of the security-conscious software industry to know that this kind of gag order is never the right answer.

What do you think? Are you concerned about the security of your vehicle? Which auto maker is best (or worst) at security?

Image Credits:opening his car by nito via Shutterstock


Related topics: Automotive Technology, Hacking.

Affiliate Disclosure: By buying the products we recommend, you help keep the site alive. Read more.

Whatsapp Pinterest

Leave a Reply

Your email address will not be published. Required fields are marked *

  1. Anonymous
    August 22, 2015 at 1:53 pm

    "After hearing two such exchanges, the program is able to narrow the range of possible keys down to about 200,000 possibilities – a number which can be easily brute-forced by a computer."
    I am assuming the hacking computer has to "try" each of the 200,000 possibilities to find a match,and gain access.Why not introduce a small delay,say a tenth of a second,until the car will accept the next "guess"? That would make trying all 200,000 possible codes impractically long for the hacker. Even 100,000 attempts would be 100,000 x 0.10 = 10,000 seconds or 10,000/60 = 166 minutes.

  2. Anonymous
    August 21, 2015 at 8:10 pm

    "but nobody’s recklessly endangered a journalist with them yet"
    No, but the car manufacturers are recklessly endangering millions of drivers every day for as long as they do not fix the security flaws.

    While the Wired researchers may have been irresponsible, the were not malicious. What happens when hackers, not researchers, start maliciously taking over cars?

    I wonder how is the security on the self-driving cars? After all, Google is a software house. Sorry, I keep forgetting that Google's expertise lies in accessing data, not in setting up security to prevent access.