Volkswagen used its lawyers to keep the research under wraps but now a legal settlement has allowed the documents to go public.
The researchers say the flaw lies in the widely used Megamos Crypto transponder, the chip responsible for the encrypted exchange between the car and the remote.
As the Daily Mail explains, the system is supposed to be uncrackable: the 96-bit code exchanged between the key and the vehicle means there are “countless billions of possible combinations,” making a random guess virtually impossible. But the hackers discovered that by recording the radio communication between the key and the car just twice, they could narrow the number of guesses needed to crack the code to just 196,607 attempts. For a computerized “brute force” system, which the hackers were able to build, such a feat could take less than 30 minutes. Once the proper code is found, making a duplicate key that works just like the original is easy.
The researchers presented these findings in a paper and a lecture at the USENIX digital-security conference in Washington, D.C., last week. But they first found the vulnerability in the system all the way back in 2012. Why did it take so long for the discovery to go public? When the researchers first discovered the fault, they went to Megamos with their findings, offering to keep their discovery private for nine months while the Swiss chipmaker found a solution. But in 2013, the Daily Mail reports, Volkswagen sued the researchers individually, and the universities that employ them, to block them from publishing their findings.
The settlement that finally led to the research being published hinged on a compromise: the researchers agreed to omit one crucial line from their paper, “a pivotal detail which could allow a non-technical person to work out the hack,” the Daily Mail reports. Volkswagen told the paper that the hack takes “considerable complex effort” and that its latest cars aren’t vulnerable.
The list of affected vehicles: