VW Hushed Up Auto Security Flaw for TwoYears

The car hacking news just rolls on, as it were…this time involving that venerable bastion of German engineering, Volkswagen.

VW—whose name ironically stands for “people-wagon”—has hardly been a chariot of the people on this score. Das Auto is insecure, you see.

According to the Guardian newpaper,  the car giant went to court to hush up the news of a major security flaw that would allow keyless theft of more than 100 car models, including cars from Audi, Citroën, Fiat, Honda, Volvo and VW itself.

The report said that Flavio Garcia, a computer scientist at the University of Birmingham, and two colleagues from a Dutch university, found the flaw two years ago. But they were prevented until now from disclosing the bug by VW and the courts that sided with the auto-making giant.

The researchers found several weaknesses in the Swiss-made Megamos Crypto immobilizer system that’s common to all of the affected models. The system is supposed to disable the engine start if a transponder embedded in the key is not present. The idea is to prevent hotwiring, essentially. Unfortunately, it turns out that the immobilizer is easily hacked via wireless.

“Our attacks require close range wireless communication with both the immobilizer unit and the transponder,” the team said. “It is not hard to imagine real-life situations like valet parking or car rental where an adversary has access to both for a period of time. It is also possible to foresee a setup with two perpetrators, one interacting with the car and one wirelessly pickpocketing the car key from the victim’s pocket.”

In 2013, the court imposed an interim injunction on the paper’s release detailing the flaw, because VW successfully argued that the disclosure could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.”

The researchers countered they were simply white hats, “responsible, legitimate academics doing responsible, legitimate academic work.” Which is true, given that they disclosed the flaw to the manufacturer before wanting to publish on the issue. The problem appears to be that no fix has been forthcoming.

Now, perhaps sensing the mounting pressure on car-makers to be proactive in securing their vehicles from digital compromise, VW has reportedly struck a deal—months in the making—with the researchers to allow the flaw’s disclosure in the paper, as long as certain details were redacted.

The situation points out the ethical issues involved in achieving transparency, and with working with the security and academic community on vulnerabilities and flaws. On one hand, consumers have a right to know the dangers that they’re stepping into; on the other, providing a roadmap for the bad guys absent a fix or a patch isn’t okay either. Usually those that discover flaws and those that produce things with flaws proactively work together to address the issue in a timely fashion and establish a reasonable timeline for public disclosure. In this case that process clearly broke down—with no real explanation as to why.

The car industry runs on design and mechanics and the selling dreams and image. But manufacturers cannot continue to bury their head in the sand when it comes to cybersecurity holes. They need to eschew denial—and gag orders—and embrace the security process, as do other device-makers in the real of the Internet of things.

What’s Hot on Infosecurity Magazine?