Basically, Every Car Is Now Vulnerable To Hacking

August 20, 2015

The auto world has been thinking a lot about hacking lately. For years, it wasn't much of a concern, but now that many new cars are connected to telematics networks like Uconnect and OnStar and to cellular networks via dongles attached to their onboard diagnostics ports, our rides are becoming increasingly vulnerable.

As proof, consider recent stories about Volkswagen (including Audi and Porsche), BMW, and Mercedes-Benz. We have a feeling that this is just the tip of the proverbial iceberg.


Volkswagen's story is perhaps the more troubling, and it's definitely the harder to repair. That may explain why the automaker spent two years trying to hide the information from the public. 

VW's vulnerability is rooted in radio-frequency identification (RFID) chips manufactured by Megamos Crypto. Those chips help keep VW vehicles locked up tight and prevent them from starting without the proper key fob.

Unfortunately, at least one team of researchers has broken Megamos' cryptographic system, making it possible to carry out brute-force attacks on vehicles equipped with the chips. Brute-force attacks are basically automated trial-and-error attempts to break through security walls. They can take time, sifting through all the possible combinations of "passwords", but eventually, they find a way through.

How much time do they need? Researchers Roel Verdult, Baris Ege, and Flavio Garcia rammed through one of Megamos' chip systems in about 30 minutes.

On the upside, that's a long time for just one break-in. For most thieves, the return isn't worth that kind of effort or risk.

On the downside, plenty of luxury vehicles like Bentleys and Lamborghinis use Megamos RFID chips, and those cars are often targeted by car thieves looking to steal very specific vehicles. In such cases, 30 minutes is nothing, given the cash that thieves can score in exchange for a boosted ride.

Also on the downside: Megamos chips are found in plenty of other cars, too, including some made by Fiat Chrysler and Honda.

But the biggest problem of all is that fixing these systems isn't just a matter of rewriting a few lines of code and sending out an over-the-air update. The chips themselves and the transponders with which they communicate have to be removed and replaced, which is time-consuming and costly.

Volkswagen was told about the problem in 2013 and sued the researchers to keep their findings out of public view. The group has been negotiating with VW for the past two years to publish their work. They're sharing it this week at a conference in Washington, D.C., with one key sentence redacted.


The problem with BMW and Mercedes-Benz vehicles is just as dangerous -- maybe even more so -- but it's easier to fix.

It was identified by Samy Kamkar -- the same Samy Kamkar who found the hole in OnStar's RemoteLink app (which has since been patched). That vulnerability could be exploited to give ne'er-do-wells with the right equipment access to a range of GM vehicles, allowing thieves to start, stop, and open the cars.

On a hunch that similar problems might affect apps from other automakers, Kamkar carried out tests on BMW’s Remote app and the Mercedes-Benz mbrace app using his homemade "OwnStar" hacking tool. To no one's surprise, he discovered that he could grab app users' login information and gain some degree of control over their vehicles. He found similar problems in the Chrysler Uconnect app and the Viper Smartstart app. As Wired's Andy Greenberg reports:

Those four apps each have different capabilities that could allow a hacker using OwnStar to pull some nasty pranks or even break into a compromised vehicle. All four iOS apps allow remote locking and unlocking. The BMW, Mercedes-Benz, and Viper apps all allow the car to be located and tracked, too. And all but the Viper app allow a vehicle’s ignition to be remotely started, though as with GM vehicles, it’s likely the driver’s key would have to be physically present to put the car into gear and drive away.

The good news is that Kamkar hasn't conducted real-world trials of his hacks, as he did with OnStar. Nor has he released information about the security flaws yet. (He wants to give BMW, Mercedes-Benz, Chrysler, and Viper a chance to patch them first.)

The better news is that fixing these problems is relatively simple. In theory, it's not much more complicated than updating the affected apps and forcing users to download new versions before using them.

But again, this is probably just the tip of the iceberg -- the beginning of a decades-long struggle between automakers who want to make drivers' lives easier and hackers who want to do just the opposite.
