Back in 2013, a team of computer scientists at the University of Birmingham found a hack that let them unlock millions of Volkswagens. But Volkswagen hit the team with a lawsuit and delayed the team’s discovery for two years.
At the Usenix Security Conference earlier this month, a research team from the University of Birmingham working with the German engineering firm Kasper & Oswald presented two software bugs. The holes in Volkswagen software affect the keyless entry systems of almost 100 million cars. Keyless car theft now accounts for 42% of stolen vehicles in London. Police say that a good hacker can unlock a car in 60 seconds.
The paper [PDF] shown at the Usenix conference gives details of the hack. It involves the Radio Frequency Identification (RFID) transponder chip in immobilizers. According to the paper, the immobilizer is “an anti- theft device which prevents the engine of the vehicle from starting when the corresponding transponder is not present.”
Specifically, the hack targets the cryptography and authentication protocol in the Megamos Crypto transponder. The Megamos is the most common transponder. Car models like Volkswagen, but also Audi, Porsche, Bentley, Lamborghini, Fiat, Honda, Volvo and certain Maserati models include it.
The research team cracked the transponder’s 96-bit cryptosystem. They did so by wirelessly snooping on the radio communication between the car key and transponder. The key fobs normally prevent regular theft methods like hot-wiring. The team bypassed this just by boosting the signal.
By intercepting the signal twice, they reduced the pool of potential secret key matches. This allowed them to use a brute force attack to try 196,607 secret keys until they found the right one. This only took less than 30 minutes.
Megamos has a number of weaknesses, including:
- The transponder doesn’t have a pseudo-random number generator. This makes the authentication protocol vulnerable to replay attacks
- The cipher state only has 56 bits, which is smaller than the 96-bit secret key
- The cipher state successor function can be inverted. With the inverted state and cipher-text known, it’s possible to compute the predecessor state
- The last steps of the authentication protocol gives an adversary 15 bits of known plaintext
Security researcher Andrew Tierney said,
“The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car.”
The team presented their findings to the transponder company in February 2012. Then, in May 2013 they told Volkswagen. The car company then filed a lawsuit to block the publication of the team’s paper. The U.K. High Court awarded Volkswagen an injunction. After many negotiations, the security team won the right to publish their findings in the public domain. However, the Court ordered the redaction of one sentence.
Roel Verdult – one of the researchers – said: “This single sentence contains an explicit description of a component of the calculations in the chip.” Removing the sentence makes it harder for other hackers to recreate the attack. A spokesman for VW responded that “Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector.”
The team performed a second hack called HiTag2 that affects, even more, vehicles. Models include Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot. This version of the first attack uses a time-memory trade-off. The team used a pre-computed 12 terabyte lookup table. This optimized attack exploits two weaknesses:
- The memory of Megamos transponders in the field is either unlocked or locked with a publicly known default PIN code. This means that anyone has write access to the memory, including the secret key bits
- The 96-bit secret key is in blocks of 16 bits instead of being an atomic operation
At this point, you may be asking yourself what kind of fancy tools the team used. As it turns out, they used a $40 Arduino device. Arduino is an open-source platform that lets people build their input/output systems.
The researchers say hackers can carry out the attack with a software defined radio connected to a laptop. Another tool is an Arduino board with an attached radio receiver. Flavio Garcia, part of the Birmingham team, said,
“The cost of the hardware is small, and the design is trivial. You can really build something that functions exactly like the original remote.”
What does this mean for the future? The researchers say that Volkswagen finally confirmed the holes. NXP, the semiconductor company that sells chips with the notorious HiTag 2 system, says it has been recommending upgrades for years. NXP spokesperson told Wired, “[HiTag2] is a legacy security algorithm, introduced 18 years ago. Since 2009 it has been gradually replaced by more advanced algorithms…”