Security Researchers Crack Popular Anti-Theft Protection for Cars

Thieves may not find it very tough to crack a popular electronic safeguard that typically prevents a car’s engine from starting unless the car’s owner intends for it to. Security researchers have finally been allowed to present a paper showing how they cracked a popular electronic vehicle immobilizer used in many common car models.

In some cases, researchers from Radboud University in The Netherlands and the University of Birmingham in the UK needed just a few minutes with a laptop to crack the weak cryptographic keys used by some car makers, according to BBC News. The researchers focused their hacking efforts on the Megamos Crypto transponder used in cars including those made by Audi, Fiat, Honda, Volkswagen and Volvo. Transponders of this type typically exchange a secret key with an immobilizer unit that has control over a car engine’s ability to start.

“Our attacks require close range wireless communication with both the immobilizer unit and the transponder,” said the researchers in a published paper. “It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time.”

Another setup for car thieves could involve one person interacting with a car and a second person “wirelessly pickpocketing the car key from the victims pocket,” researchers said.

One of the three key-stealing methods tested by researchers involves a “trivial denial of service attack” aimed at flipping one bit of the 96-bit transponder’s secret key to disable the immobilizer. That becomes an option when the transponder—a low-frequency RFID chip located in the plastic part of car keys—is not locked. In such cases, the denial of service attack exploits the fact that the Megamos Crypto transponder does not require authentication to write to memory.

A second successful hacking method, called the “partial key-update attack,”   involves eavesdropping on the authentication data exchanged between the 96-bit transponder and the car’s immobilizer unit. Researchers also detailed a third method, based on exploiting “weak keys” involving just 64 bits rather than 96 bits. 

The researchers originally completed their work three years ago, but were prevented from publishing their work because of legal action by Volkswagen and French defense group Thales. More recently, their paper was allowed to be published after undergoing some edits.

Such vulnerabilities in electronic immobilizers will likely prove troubling for many car owners and makers. The European Commission has required the installation of such immobilizers in all cars sold since 1995. Similar regulations mandating immobilizer installation have also appeared in Australia, New Zealand and Canada.

The United States does not require installation of electronic immobilizers in cars. But according to the Insurance Institute for Highway Safety, about 86 percent of all new passenger cars sold in the United States come equipped with an engine immobilizer.

Such exploitation of immobilizers is yet another example of the increasing vulnerability that comes along with the growing number of electronic components in modern car systems. During the 2015 Blackhat computer security conference, researchers explained how they had effectively taken remote control of a 2014 Jeep Cherokee by using the Internet connection in its entertainment system.