Car key attack takes hackers just 30 minutes to start engine

A potentially significant security flaw has been discovered in Volkswagen, Fiat and Volvo cars that could allow hackers to steal vehicles relatively easily.

It is not clear when the vulnerability was discovered, but it has only just come to light after vehicle manufacturers lifted an injunction on releasing the information.

Read more: Jeep Cherokee remotely hacked and hijacked, owners urged to update car software

In a report titled “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobiliser,” Roel Verdult and Baris Ege from Radboud University Nijmegen, The Netherlands and Flavio Garcia from the University of Birmingham, found that the anti-theft tool built into some car keys did not prevent the engine from being started.

“From our collaboration with the local police it was made clear to us that sometimes cars are being stolen and nobody can explain how,” the researchers explained. “They strongly suspect the use of so-called ‘car diagnostic’ devices. Such a device uses all kind of custom and proprietary techniques to bypass the immobilizer and start a car without a genuine key.”

In an attempt to replicate the attacks, the researchers discovered that they could use a transponder-emulating device and the genuine key to execute an attack in less than 30 minutes. This could easily be exploited by attackers renting cars, for example. Moreover, once the key is returned the attacks can be repeated easily as the security system does not possess a pseudo-random number generator to alter the authentication process.

Responding to the research, Volkswagen has reiterated its commitment to vehicle security.

"In this connection Volkswagen does not make available information that might enable unauthorised individuals to gain access to its vehicles,” a spokesperson told V3. “In all aspects of vehicle security, be this mechanical or electronic, Volkswagen goes to great lengths to ensure the security and integrity of its products against external malicious attack."

Read more: Car thieves using $17 power amplifier to hack keyless entry system

However, Volkswagen is not the only manufacturer affected. Other car brands that use the same transponder are also at risk, including Porsche, Ferrari and Alfa Romeo.