CAR COMPANY Volkswagen (VW) has watched as a security vulnerability in a key system on a range of vehicles has been released from the garage and put on the news road.
VW was first notified about the problem two years ago, but has worked to keep it under the bonnet. Well, not all of it, just a single line - not a yellow line - has been contentious. The line is still controversial, and has been redacted from the full, now released, report.
VW secured an injunction in the UK high court two years ago. The firm argued at the time that the information would make it easy to steal vehicles that come from its factories and forecourts. That might be true, but that is often the case with vulnerabilities.
The news that VW has suppressed the report for this amount of time is interesting, but it does remind us that not everyone in the industry (see the Oracle CSO) appreciates third-party information about weaknesses.
VW has a lot of cars under its hood and, according to the report, a lot of different vehicles are affected. These run from Alfa Romeo through to Volvo, and take in midlife crisis mobility vehicles like the Maserati and Porsche.
The report is entitled Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer (PDF), and is authored by Roel Verdult from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham in the UK.
Megamos Crypto sounds like a sci-fi bad guy, maybe a rogue Transformer, but it is actually designed to be a good thing. The paper describes it as a widely deployed "electronic vehicle immobiliser" that prevents a car from starting unless its key, with the RFID transponder built into it, is close at hand.
The researchers described how they reverse engineered the system and carried out three attacks against it wirelessly. They point to several weaknesses in the design of the cipher and in the key-update mechanisms. The attacks, they said, can take as little as 30 minutes to carry out, and recovering the 96-bit encryption key is a relatively simple process.
This could be considered bad news if you are a car driver. It may even be worse news for pedestrians. Concerned car owners should find their keys (try down the back of the sofa cushion) and assess whether they have keyless ignition. The researchers said that they told VW about the findings in 2012, and that they understand that measures have been taken to prevent attacks.
We have asked VW for an official statement on the news, but so far it isn't coughing. Ready to talk, though, is the security industry, and it is giving the revelation the sort of disapproving look that people give cats when they forget what that sand tray is for.
Nicko Van Someren, CTO at Good Technology, suggested that this is another example of what happens when you go from first gear to fourth while going up a hill (this is our analogy). He described it in terms of the Internet of Things (IoT), and in respect of extending systems before they are ready to be extended.
"This is a great example of what happens when you take an interface that was designed for local access and connect it to the wider internet," he said.
"Increasingly, in the rush to connect 'things' for the IoT, we find devices that were designed with the expectation of physical access control being connected to the internet, the cloud and beyond. If the security of that connection fails, the knock-on effects can be dire and potentially even fatal." µ