Check if your car has this massive security flaw

A paper called “Dismantling Megamos Crypto: Wirelessly Lockpicking a Vehicle Immobilizer” reveals massive weaknesses in the security systems used by many car manufacturers.

The vulnerabilities were uncovered by researchers two years ago, but because of legal action the findings could not be published at the time.

The research focusses on the Megamos Crypto transponder, which is used in electronic vehicle immobilizers. This transponder is a passive RFID tag which is embedded in the key of the vehicle.

The immobilizer is an anti-theft device, preventing the engine of a vehicle from starting when the key transponder is not present.

It is used by Audi, Fiat, Honda, Volkswagen and Volvo cars, as well as some models of Alfa Romeo, Chevrolet, Citroen, Isuzu, Kia, Opel, Porsche, and Ssangyong.

The researchers have reverse-engineered all proprietary security mechanisms of the transponder, including the cipher and the authentication protocol.

The paper reveals several weaknesses in the design of the cipher and the authentication protocol, and in their implementation.

“We exploit these weaknesses in three attacks that recover the 96-bit transponder secret key,” said the researchers. “These three attacks only require wireless communication with the system.”

  • The first attack exploits weaknesses in the cipher design and in the authentication protocol. They show that having access to two eavesdropped authentication traces is enough to recover the 96-bit secret key with a computational complexity of 2^56 cipher ticks (equivalent to 2^49 encryptions).
  • The second attack exploits a weakness in the key update mechanism of the transponder. This attack recovers the secret key after 3×2^16 authentication attempts with the transponder and negligible computational complexity. They have executed this attack in practice on several vehicles. They were able to recover the key and start the engine with a transponder-emulating device. Executing this attack takes 30 minutes.
  • The third attack exploits the fact that some car manufacturers set weak cryptographic keys in their vehicles. They propose a time-memory trade-off which recovers a weak key after a few minutes of computation on a standard laptop.
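The third attack only works because some keys carry far less than 96 bits of randomness. As an added illustration of the defensive side (this is not code from the paper, from any manufacturer, or from the Megamos transponder itself), the script below generates transponder keys from the operating system's CSPRNG and screens candidate keys for obvious structure before they would be programmed into a transponder. The 96-bit key length comes from the article; the specific weak-key heuristics, the sample keys and the function names are assumptions chosen for illustration, not the paper's definition of a weak key.

```python
import secrets

# Megamos Crypto transponder keys are 96 bits long (stated in the article).
KEY_BITS = 96
KEY_BYTES = KEY_BITS // 8


def generate_transponder_key() -> bytes:
    """Return a fresh 96-bit key drawn from the OS CSPRNG.

    A full-entropy key is the direct mitigation for the weak-key attack:
    a time-memory trade-off only pays off when the key space is small.
    """
    return secrets.token_bytes(KEY_BYTES)


def _longest_run(key: bytes) -> int:
    """Length of the longest run of identical consecutive bytes."""
    longest = run = 1
    for prev, cur in zip(key, key[1:]):
        run = run + 1 if cur == prev else 1
        longest = max(longest, run)
    return longest


def _is_periodic(key: bytes, max_period: int = 4) -> bool:
    """True if the key is just a short byte pattern repeated (e.g. DEAD DEAD ...)."""
    return any(key == (key[:p] * len(key))[:len(key)]
               for p in range(1, max_period + 1))


def _is_sequential(key: bytes) -> bool:
    """True if every byte is the previous one plus or minus one (01 02 03 ...)."""
    diffs = {(cur - prev) % 256 for prev, cur in zip(key, key[1:])}
    return diffs == {1} or diffs == {255}


def weak_key_reasons(key: bytes) -> list[str]:
    """Return the heuristic reasons a key looks weak (empty list if none).

    These heuristics are assumptions for illustration: they catch keys that
    were padded, defaulted or hand-typed instead of generated randomly.
    Passing them does not prove a key is strong; only a CSPRNG source does.
    """
    if len(key) != KEY_BYTES:
        return [f"expected {KEY_BYTES} bytes, got {len(key)}"]
    reasons = []
    if len(set(key)) <= 3:
        reasons.append("too few distinct byte values")
    if _longest_run(key) >= 4:
        reasons.append("run of 4 or more identical bytes")
    if _is_periodic(key):
        reasons.append("repeated short pattern")
    if _is_sequential(key):
        reasons.append("sequential byte values")
    for fill in (b"\x00" * 4, b"\xff" * 4):
        if key.startswith(fill) or key.endswith(fill):
            reasons.append("fixed 0x00/0xFF padding block")
            break
    return reasons


def is_weak_key(key: bytes) -> bool:
    return bool(weak_key_reasons(key))


# Constructed sample keys for the demonstration; none is a real transponder key.
SAMPLE_KEYS = {
    "all_zero": bytes(KEY_BYTES),
    "padded": bytes.fromhex("ffffffff00000000a1b2c3d4"),
    "sequential": bytes(range(0x10, 0x10 + KEY_BYTES)),
    "repeated": bytes.fromhex("deaddeaddeaddeaddeaddead"),
    "random_looking": bytes.fromhex("5f3a91c47e02b86d1c59e3a7"),
}


def audit(keys: dict[str, bytes]) -> dict[str, list[str]]:
    """Screen a batch of keys and report the findings per key name."""
    return {name: weak_key_reasons(k) for name, k in keys.items()}


if __name__ == "__main__":
    for name, reasons in audit(SAMPLE_KEYS).items():
        verdict = "WEAK" if reasons else "ok"
        print(f"{name:15s} {verdict:5s} {', '.join(reasons)}")
    print("fresh CSPRNG key:", generate_transponder_key().hex())
```

The screening step is a backstop, not the fix: the fix is that every transponder receives a key from a proper random source, so that the key space an attacker must search really is 2^96 rather than the few tens of bits a padded or patterned key leaves.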

The researchers warned that the implications of these attacks are serious for those vehicles with keyless ignition.

“At some point, the mechanical key was removed from the vehicle, but the cryptographic mechanisms were not strengthened to compensate.”

Megamos Crypto vulnerability: affected makes and models

Make: Models
Alfa Romeo: 147, 156, GT
Audi: A1, A2, A3, A4 (2000), A6, A8, Allroad, Cabrio, Coupe, Q7, S2, S3, S4, S6, S8, TT (2000)
Buick: Regal
Cadillac: CTS-V, SRX
Chevrolet: Aveo, Kalos, Matiz, Nubira, Spark, Evanda, Tacuma
Citroen: Jumper (2008), Relay
Daewoo: Kalos, Lanos, Leganza, Matiz, Nubira, Tacuma
DAF: CF, LF, XF
Ferrari: California, 612 Scaglietti
Fiat: Albea, Doblò, Idea, Mille, Multipla, Palio, Punto (2002), Seicento, Siena, Stilo, Ducato (2004)
Holden: Barina, Frontera
Honda: Accord, Civic, CR-V, FR-V, HR-V, Insight, Jazz (2002), Legend, Logo, S2000, Shuttle, Stream
Isuzu: Rodeo
Iveco: Eurocargo, Daily
Kia: Carnival, Clarus, Pride, Shuma, Sportage
Lancia: Lybra, Musa, Thesis, Y
Maserati: Quattroporte
Opel: Frontera
Pontiac: G3
Porsche: 911, 968, Boxster
Seat: Altea, Córdoba, Ibiza, Leon, Toledo
Skoda: Fabia (2011), Felicia, Octavia, Roomster, Superb, Yeti
Ssangyong: Korando, Musso, Rexton
Tagaz: Road Partner
Volkswagen: Amarok, Beetle, Bora, Caddy, Crafter, Cross Golf, Dasher, Eos, Fox, Gol, Golf (2006, 2008), Individual, Jetta, Multivan, New Beetle, Parati, Polo, Quantum, Rabbit, Saveiro, Santana, Scirocco (2011), Touran, Tiguan, Voyage, Passat (1998, 2005), Transporter
Volvo: C30, S40 (2005), S60, S80, V50, V70, XC70, XC90, XC94
