News, Technology

Hackers reveal flaws in more than 25 automakers’ key-fobs!

Car keys
Picture for illustration purposes only

Modern transponder-equipped car keys are supposed to be one of the safest features offered in our vehicles as a deterrent against car-theft. The chip-keys and key fobs communicate with readers inside the car, allowing the car to start only once a secret digital password has been transmitted automatically.

Recently a team of security researchers have figured out a way to circumvent the system used by some of the world’s largest automakers and what they have found was rather shocking.

Three researchers have found a security loophole in the Megamos Crypto transponder, the in-car electronic device that confirms the key or keyless transponder present inside the car is genuine before allowing the car to start. Megamos Crypto transponders are found in numerous models like Fiat, Honda, Volkswagen and Volvo, even luxury brands like Porsche, Audi, Bentley, and Lamborghini.  

The system is supposed to be uncrackable: the 96-bit code exchanged between the key and vehicle means there are countless billions of possible combinations, making a random guess virtually impossible. But the hackers discovered that by listening in to the radio communication between the key and the car just twice, they were able to narrow down the number of guesses it would take to crack the code to just 196,607 attempts. For a computerized “brute force” system, which the hackers were able to build, such a feat could take less than 30 minutes—and once the proper code is found, making a duplicate key that works just like the original is easy.

Flavio D. Garcia, one of the researchers explains, “It’s a bit like if your password was ‘password,’ ”

But here’s the shocking news….

Although the researchers presented these findings very recently, the vulnerability in the system was founded all the way back in 2012. However, when the researchers first discovered the fault, they went to Megamos with their findings, offering to keep their discovery private for 9 months while the Swiss chipmaker found a solution. But in 2013, Volkswagen sued the researchers individually, and the universities that employ them, to block them from publishing their findings. The company also reaffirms that the hack takes considerable complex effort and that its latest cars, including the Golf Mk7 and Passat B8 aren’t vulnerable.

The same goes to Volvo, the Swedish company stressed that the issue only effects older models and that the Megamos Crypto is not used in any of the Volvo vehicles currently being produced. Below is the full list of vehicles that are supposedly affected:

2B7309C500000578-0-image-a-33_1439851661861
List of vehicles affected by the Megamos Crypto hack. Models listed in bold were tested by the researchers; the rest were extrapolated since they utilize the affected electronics

Source: The  Daily Mail via Car and Driver