Researchers have demonstrated how a flaw in a car security system could allow a vehicle to be stolen. The system is used in the cars of several manufacturers including Volkswagen, Audi, Fiat, Honda and Volvo. Until now, however, details of the vulnerability had been suppressed by an injunction granted by a UK court.
The suppressed paper has finally seen the light of day at the USENIX Security conference in Washington, DC. Titled "Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer", the paper shows how flaws in the cipher and authentication protocol used by the Megamos Crypto RFID transponder found in car immobilisers could be used to bypass the immobiliser and start vehicles from Volkswagen-owned luxury brands, including Audi, Porsche, Bentley and Lamborghini, and from other brands including Volvo, Honda, Fiat and some Maserati models.
The flaw was discovered by researchers Roel Verdult and Baris Ege from Radboud University in the Netherlands, and Flavio Garcia from the University of Birmingham in the UK, back in 2012. When notified of the flaw, Volkswagen responded by taking the researchers to court and obtaining an injunction that prevented them from publishing their findings. Only this week have the researchers been allowed to spill the details, albeit with redactions in the paper, after years of negotiation with VW.
In the paper, the researchers detail how they reverse engineered the system and attacked it wirelessly. Thanks to several weaknesses in the cipher design and the key-update mechanism, the researchers showed that in as little as 30 minutes they could recover the 96-bit secret key with which the immobiliser authenticates the transponder, and then start the engine.
“Our first attack exploits weaknesses in the cipher design and in the authentication protocol. We show that having access to only two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions),” said the researchers in the paper.
The researchers added that a second attack exploits a weakness in the key-update mechanism of the transponder, while the third attack “exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles.”
“We propose a time-memory trade-off which recovers such a weak key after a few minutes of computation on a standard laptop."
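The third attack described above relies on two things: manufacturers programming transponders with low-entropy keys, and a time-memory trade-off that turns a one-off precomputation into a fast per-car key recovery. The Python block below is an added example written for this article, not code from the paper or from any manufacturer. The real Megamos cipher is not on this page, so HMAC-SHA256 stands in for the transponder's response function; the weak-key pattern (a fixed 80-bit prefix plus 16 free bits), the challenge bytes, the table parameters and all function names are constructed assumptions chosen so the demo runs in seconds. It shows both ends of the trade-off: a Hellman table built once for an attacker-chosen challenge and then used to recover a car's key from a single observed response, versus plain brute force over the same weak space.

```python
"""Time-memory trade-off against a weak transponder key space (added example).

Illustrative code for this article, not from the Megamos Crypto paper or any
vendor. HMAC-SHA256 (truncated to 48 bits) stands in for the real cipher; the
weak-key pattern and table parameters below are assumptions for the demo.
"""
import hashlib
import hmac

KEY_BYTES = 12                         # 96-bit transponder key
FREE_BITS = 16                         # ASSUMPTION: only these bits vary across cars
N_WEAK = 1 << FREE_BITS                # size of the weak-key space (65536)
MASK = N_WEAK - 1
WEAK_PREFIX = 0xA5A5A5A5A5A5A5A5A5A5 << FREE_BITS   # ASSUMPTION: fixed 80-bit pattern


def weak_key(index: int) -> int:
    """Map an index in [0, N_WEAK) onto a 96-bit key that follows the weak pattern."""
    return WEAK_PREFIX | (index & MASK)


def transponder_response(key: int, challenge: bytes) -> int:
    """Stand-in for the transponder's keyed reply to a reader challenge (not Megamos Crypto)."""
    mac = hmac.new(key.to_bytes(KEY_BYTES, "big"), challenge, hashlib.sha256).digest()
    return int.from_bytes(mac[:6], "big")       # 48-bit response


def reduction(response: int, colour: int = 0) -> int:
    """Fold a 48-bit response back into a weak-key index (the Hellman reduction step)."""
    return (response ^ (response >> 16) ^ (response >> 32) ^ colour) & MASK


def step(index: int, challenge: bytes, colour: int = 0) -> int:
    """One chain step: key index -> response -> next key index."""
    return reduction(transponder_response(weak_key(index), challenge), colour)


def build_table(challenge: bytes, m: int, t: int, colour: int = 0) -> dict:
    """Precompute m chains of length t for one attacker-chosen challenge.

    Only end point -> start points are stored, so memory is m entries rather
    than the N_WEAK entries a full lookup table would need. Start points are
    0..m-1 here for determinism; a real table would pick them at random.
    """
    table = {}
    for start in range(m):
        x = start
        for _ in range(t):
            x = step(x, challenge, colour)
        table.setdefault(x, []).append(start)   # chains may merge; keep every start
    return table


def recover_key(challenge: bytes, response: int, table: dict, t: int, colour: int = 0):
    """Recover the weak key from ONE observed response to the chosen challenge.

    Online cost is at most t chain steps plus one chain regeneration per hit.
    Returns the 96-bit key, or None if this table does not cover the key.
    """
    x = reduction(response, colour)
    for _ in range(t):
        for start in table.get(x, ()):          # candidate chains ending at x
            k = start
            for _ in range(t):                  # walk the chain looking for the key
                if transponder_response(weak_key(k), challenge) == response:
                    return weak_key(k)
                k = step(k, challenge, colour)
            # false alarm: a merged chain ends here but does not hold the key
        x = step(x, challenge, colour)
    return None


def brute_force(challenge: bytes, response: int):
    """The no-memory end of the trade-off: try every key in the weak space."""
    for i in range(N_WEAK):
        if transponder_response(weak_key(i), challenge) == response:
            return weak_key(i)
    return None


if __name__ == "__main__":
    # Constructed input: the attacker plays the reader and always sends this challenge.
    challenge = bytes.fromhex("0123456789abcdef")
    m, t = 512, 64                              # m*t = 32768 = N_WEAK/2 precomputation
    table = build_table(challenge, m, t)

    victim = weak_key(0x17)                     # a car whose key follows the weak pattern
    seen = transponder_response(victim, challenge)
    print("recovered from one response:", recover_key(challenge, seen, table, t) == victim)

    # A single table covers only part of the space: that is the memory side of the trade-off.
    hits = sum(recover_key(challenge, transponder_response(weak_key(i), challenge), table, t)
               is not None for i in range(0, N_WEAK, 256))
    print(f"one {m}x{t} table covers about {100 * hits // 256}% of the weak keys")
    print("nominal key space:", 2 ** 96, " weak key space:", N_WEAK)
```

Run directly, the script reports what fraction of the toy weak-key space one m×t table covers; a longer t (more online work) or extra tables with different colour values buy coverage for more memory, which is the knob the paper's third attack tunes. The defender's takeaway is the last line: the cipher's nominal 96-bit key length is irrelevant once the keys actually programmed into transponders share a pattern, because the attacker only searches the bits that vary.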
Ken Munro of Pen Test Partners told SCMagazineUK.com that it's not that manufacturers have a cult of secrecy when it comes to disclosing security issues, it's more that they need a decent time window in which to assess and remediate the problem.
“Think of the complexity of identifying exactly what the problem is; depending on how a researcher approaches a manufacturer and what sort of information they provide, this might not be straightforward,” he said. “Then consider the logistics of first putting together and deploying a patching/update solution that'll work perfectly 100 per cent of the time.”
“They may also need to review and change a range of product roadmaps, for other models and for future releases.”
Gavin Reid, vice president of threat intelligence at Lancope, told SCMagazineUK.com that having the Megamos Crypto transponder use its own proprietary encryption algorithm was “never a good idea as doing new encryption protocols is very hard and, without peer review and testing, bound to have problems.”
“What we see with this paper is the first peer review of their proprietary encryption with not-too-surprising results. With so many cars using the transponder, and the difficulty with implementing a mass change, it is both no wonder they need more time to fix and also should have done a better job upfront using well known and peer-reviewed cryptology,” he said.
Richard Kirk, vice president of AlienVault, told SCMagazineUK.com that hacking into electronic car locks is old news; what is new is that the manufacturers still haven't fixed the security weaknesses.
“One can only guess why car manufacturers try to hide behind court injunctions; however, this neither helps their customers nor has it fixed the root cause of the problem,” he said.
“Is it time for governments to consider full disclosure as a means to bring this information into the public domain or should the car industry look elsewhere for inspiration? The airline industry can offer some insight into how to address safety issues without apportioning blame and at the same time continually raising safety standards. Consumers are at the mercy of car manufacturers given the sophistication of today's automobiles, and perhaps there is an opportunity for the comeback of the crook-lock."
Bryan Lillie, chief technical officer of Cyber Security at QinetiQ, said that if publishing the details of a vulnerability puts people in danger, then the courts are right to withhold it, at least temporarily.
“But doing so permanently misses the point of such research. If vulnerabilities exist, they will be found eventually. It is better that they are found by academics who can provide details to the manufacturer than by criminals,” he told SCMagazineUK.com.
“As the automotive and IT industries converge, the former must catch up with the latter. Companies like Microsoft reward people who identify vulnerabilities, giving them a better chance of staying ahead of criminals. Car manufacturers must start taking a similar approach.”
Gavin Millard, technical director EMEA of Tenable Network Security, told SCMagazineUK.com that unlike phones and laptops, the ability to update a car with new software can be incredibly expensive and time consuming. “Tesla have the ability to update ‘over the air’ and until other manufacturers start to implement the same approach, the process of updates will continue to be laborious,” he said.
Andy Monaghan, senior researcher at Context Information Security told SC Magazine that updates to automotive systems usually require a visit to an authorised dealer and have a financial cost to the owner (for example through software updates that provide new features such as the ability to sync your phone to your car).
“In cases such as this, one would expect any updates to be provided free of charge, but the manufacturers usually don't allow consumers access to the update mechanisms. So at present, yes drivers are generally at the mercy of manufacturers,” he said.
He added that whether the injunction was ever justified on security grounds was probably a question for lawyers rather than technologists.
“It is worth mentioning that the intended publication apparently focussed on the mathematics of the crypto-algorithms as opposed to a guide on how to break into cars. It is highly unlikely that such a paper would have provided opportunities for any but the most advanced criminal gangs to capitalise on the vulnerability. Whether that is sufficient justification for an injunction, rather than the manufacturers working to fix the issue is up for debate,” he said.