The research, done by Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham, U.K., is being presented at the USENIX security conference in Washington, D.C. The authors detail how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.
The Megamos Crypto transponder is one of the most common immobilizer transponders, and thieves looking to steal luxury vehicles may target cars equipped with it. It is used in VW-owned luxury brands like Audi, Porsche, Bentley and Lamborghini, as well as in some Fiat, Honda, Kia, Volvo and Maserati models.
A VW spokesman responded, "Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector." Anti-theft protection is generally still ensured, he added, even for older models, because criminals need access to the key signal to hack the immobilizer. "Current models, including the current Passat and Golf, don't allow this type of attack at all," he said.
Immobilizers are electronic security devices that prevent a car's engine from running unless the correct key fob (containing the RFID chip) is in close proximity to the car. The researchers broke the transponder’s 96-bit cryptographic system by listening in twice to the radio communication between the key and the transponder.