German car manufacturer Volkswagen placed thousands of car owners at risk of being electronically hacked by blocking, in European courts, the results of a white hat study about the security of its vehicles' electronic systems.
Bloomberg reports that the blocked paper, written by security researchers Roel Verdult and Baris Ege from Radboud University in the Netherlands along with Flavio Garcia from the University of Birmingham, is now in the public domain after two years, and is currently being presented at the USENIX security conference in Washington, D.C.
According to the paper, the Megamos Crypto Transponder used by Volkswagen on their keyless car models had a security hole in the RFID chip embedded in the key or key fob.
The Megamos is an immobilizer transponder that prevents the vehicle's engine from starting up unless the correct key is placed in the key slot, or the correct key fob is placed in proximity to the sensor.
Verdult and Ege were able to deactivate the transponder by employing a brute force attack; they narrowed down the possible combinations of keys by listening in twice to the communications between the transponder in the vehicle and the RFID chip in the keys.
They then identified the secret key out of a pool of 196,607 potential matches through the brute force attack - a process that took only about thirty minutes to accomplish.
Mashable, meanwhile, reports that the research team originally presented the results of their investigation to the manufacturer of the RFID chip, then to Volkswagen itself; however, the car maker sued the research team, claiming that publishing the paper would put car owners at risk of theft, and was awarded an injunction by the UK High Court in 2013.
Since then, however, the two parties have settled amicably and allowed the paper to be published in almost its original form, except for a single sentence that details a component of the calculations on the RFID chip.
In a statement emailed to Mashable, a Volkswagen representative claimed, "The circumstances presented in the laboratory can be replicated in reality only with considerable, complex effort, and in this relation organised crime will most likely have the greatest interest in implementing this method of circumvention in the form of tools."
Another statement claimed that "Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector."
Volkswagen owns many car brands, including luxury cars like Audi and Fiat and supercars like Porsche, Maserati and Ferrari. The researchers did not identify the particular car models affected by the vulnerability.