Researchers Hack Into Car Immobilizers, But Can’t Say How They Did It

Where do you draw the line between deciding what people need to know and what should be kept out of the wrong hands? It’s never been easy. The Guardian broke a story about three computer scientists who tried to publish a paper analyzing a faulty algorithm that could let criminals steal cars—that is, before the English High Court of Justice stepped in and issued a provisional ban.

Flavio Garcia, a University of Birmingham computer science lecturer, decoded the algorithm that allows the engine immobilizer to verify the authenticity of a car key. He had hoped to publish his findings in a paper called “Decoding Megamos Crypto: Wirelessly Lock-picking a Vehicle Immobilizer,” at a Usenix Security Symposium next month in Washington, D.C. But Volkswagen and the creators of the algorithm, the French security company Thales, were none too happy about this.  

Megamos Crypto is a system that uses RFID (radio-frequency identification) to disable a feature that prevents the engine from starting. The crypto algorithm sends a signal from the car key to the engine immobilizer.

Although the flawed algorithm is out of date, it’s still in use in plenty of cars. Garcia and his collaborators, Baris Ege and Roel Verdult of Radboud University Nijmegen in the Netherlands, claim the purpose of the paper is purely academic. Furthermore, they insist, publishing it is necessary to expose the flawed system and protect consumers. But not everyone is convinced. Some say this revelation would only inspire crime.

The researchers obtained the information on how to break the code from the Internet, where apparently it had been available since 2009. According to the Guardian, the scientists think the algorithm may have been discovered through “chip slicing,” a process of dissecting a chip under a microscope in order to decipher an algorithm based on the transistor placement. When IEEE Spectrum asked how they used this information to crack the code, both Garcia and Verdult declined comment.

Volkswagen had first asked that they publish a version of the paper without the codes but the researchers refused. Redacting parts of their paper would mean having to submitting it for a second round of peer review and likely missing the symposium (the ruling was issued on 25 June). Radboud University released a statement saying that the chipmaker had been warned nine months ago but no action was taken.

“Vendors should not try to block security research, they should work together with the researchers to understand the nature and potential consequences of the threats they are facing,” said Alex Fidgen, Director at IT security company MWR InfoSecurity. “Resorting to legal action to block such details from being published is the wrong approach. Manufacturers should instead incorporate strong security research in the design process.” He added that the automakers' stance had only called attention to the problem.

In its statement, Radboud University went on to argue that “The paper reveals inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information. The publication in no way describes how to easily steal a car, as additional and different information is needed for this to be possible.”

The University of Binghamton’s press office would release only this statement: “The University of Birmingham is disappointed with the judgment which did not uphold the defense of academic freedom and public interest, but respects the decision. It has decided to defer publication of the academic paper in any form while additional technical and legal advice is obtained given the continuing litigation.  The University is therefore unable to comment further at this stage.”

Advertisement

Risk Factor

IEEE Spectrum's risk analysis blog, featuring daily news, updates and analysis on computing and IT projects, software and systems failures, successes and innovations, security threats, and more.

Contributor
Willie D. Jones
 
Advertisement