VW Conceals Security Flaw for Two Years: WIRED
#1
AudiWorld Super User
Thread Starter
VW Conceals Security Flaw for Two Years: WIRED
Security News This Week... WIRED
"Volkswagen Spent Two Years Hiding This Security Flaw
Volkswagen apparently spent two years trying to suppress this car hacking vulnerability in court: the cryptography and authentication protocol used in Megamos Crypto transponders can be targeted by attackers looking to get their paws on a fancy new Audi or Lamborghini. (Other models are affected as well—police warn that tech-savvy criminals can steal BMWs and Range Rovers within 60 seconds.) A paper describing the vulnerability, presented at the USENIX security conference this week, was originally disclosed to Volkswagen in May 2013, but VW filed a lawsuit to block the publication of the paper. Now, the research—except for one redacted sentence—is out to the public. The researchers listened to communications between the key and transponder and brute forced the transponder’s 96-bit crypto system open. It took less than 30 minutes to run through fewer than 200,000 secret key options until the right one was found. The attack is advanced and requires some level of skill (and access to the key signal, according to VW), but it has no easy fix—the actual RFID chips in the keys and transponders in the cars must be replaced."
In the words of Tina Turner, "Deutschmarks or dollars will do."
Sounds like intentional concealment, which tends to get federal agencies talking about very large fines in addition to retrofits and recalls.
"Volkswagen Spent Two Years Hiding This Security Flaw
Volkswagen apparently spent two years trying to suppress this car hacking vulnerability in court: the cryptography and authentication protocol used in Megamos Crypto transponders can be targeted by attackers looking to get their paws on a fancy new Audi or Lamborghini. (Other models are affected as well—police warn that tech-savvy criminals can steal BMWs and Range Rovers within 60 seconds.) A paper describing the vulnerability, presented at the USENIX security conference this week, was originally disclosed to Volkswagen in May 2013, but VW filed a lawsuit to block the publication of the paper. Now, the research—except for one redacted sentence—is out to the public. The researchers listened to communications between the key and transponder and brute forced the transponder’s 96-bit crypto system open. It took less than 30 minutes to run through fewer than 200,000 secret key options until the right one was found. The attack is advanced and requires some level of skill (and access to the key signal, according to VW), but it has no easy fix—the actual RFID chips in the keys and transponders in the cars must be replaced."
In the words of Tina Turner, "Deutschmarks or dollars will do."
Sounds like intentional concealment, which tends to get federal agencies talking about very large fines in addition to retrofits and recalls.
#4
Audiworld Junior Member
Join Date: Jan 2012
Location: Buffalo, NY
Posts: 25
Likes: 0
Received 0 Likes
on
0 Posts
In the story you provided, about halfway through. This may take you right to it
VW Has Spent Two Years Trying to Hide a Big Security Flaw - Bloomberg Business
VW Has Spent Two Years Trying to Hide a Big Security Flaw - Bloomberg Business
#5
AudiWorld Super User
Thread Starter
Ah. Interesting, that so many models including the Q7 would have the unsecure system, so I'd also question whether someone just forgot about the Q5 when compiling that list.
Perhaps we all should email AoA and have them come on the record.
Perhaps we all should email AoA and have them come on the record.
#6
AudiWorld Senior Member
All of the Audi models on the chart are pre-2009 model year, the 1st year for the Q5. It could be why the Q5 isn't on the list. Just a guess though.
#7
AudiWorld Super User
So what does the VW rep comment mean...........
"Current models, including the current Passat and Golf, don't allow this type of attack at all," he said."
What year did they change things?
"Current models, including the current Passat and Golf, don't allow this type of attack at all," he said."
What year did they change things?
Trending Topics
#8
AudiWorld Super User
Thread Starter
So nice to know The Nooze still hasn't recovered from the crippling damage they all took in the 70's when the beancounters decided Nooze should be first and foremost a profit.
If VW hid the problem for two years, counting back from now, it would mean ~2013~2105 models were affected. 2009 models make absolutely no sense unless they're talking about six years of hiding, which they say they aren't.
You'd think that corporations would just remember, it is always cheaper to FIX THINGS than to wait for the customers to get upset (and leave, often for good) and for some bored politician running for re-election to start levying big federal fines.
Bob, Pete, listen, I'll need until Wednesday to get my tux out of the cleaners, this has been a busy weekend. How about we all get dressed up appropriately and go visit AoA?
Or maybe...I can just call a couple of guys from Jersey, you know, knuckledraggers who still own wooden baseball bats and prefer to get answers using small words.
I'm flexible, I don't mind sending the hired help...
If VW hid the problem for two years, counting back from now, it would mean ~2013~2105 models were affected. 2009 models make absolutely no sense unless they're talking about six years of hiding, which they say they aren't.
You'd think that corporations would just remember, it is always cheaper to FIX THINGS than to wait for the customers to get upset (and leave, often for good) and for some bored politician running for re-election to start levying big federal fines.
Bob, Pete, listen, I'll need until Wednesday to get my tux out of the cleaners, this has been a busy weekend. How about we all get dressed up appropriately and go visit AoA?
Or maybe...I can just call a couple of guys from Jersey, you know, knuckledraggers who still own wooden baseball bats and prefer to get answers using small words.
I'm flexible, I don't mind sending the hired help...
#9
2 yrs. may be referencing the date from which researchers discovered and notified vw about the vulnerability in 2012 and 2013. As well, not sure about accuracy, but this site AUDI ? TRANSPONDER CHIP CATALOG seems to indicate starting in 2010, the q5 doesn't use megamos crypto (though not sure why there is a line item for 2006-2010 unless the q5 was sold prior to 2009)
#10
AudiWorld Super User
2 yrs. may be referencing the date from which researchers discovered and notified vw about the vulnerability in 2012 and 2013. As well, not sure about accuracy, but this site AUDI ? TRANSPONDER CHIP CATALOG seems to indicate starting in 2010, the q5 doesn't use megamos crypto (though not sure why there is a line item for 2006-2010 unless the q5 was sold prior to 2009)