The curious case of Volkswagen's fight with the car hacking scientists

Was Volkswagen right to request an injunction against the car hacking scientists? Caroline Donnelly's not so sure.

If you're in the business of making top-end sports cars that people typically shell out hundreds of thousands of pounds on, you'd probably feel duty bound to do everything in your power to help your customers keep them safe and secure.

This was undoubtedly Volkswagen Group's motivation for taking out an interim injunction against a research paper that reportedly details the algorithm used to help cars verify the identity of an ignition key.

The banned academic paper in question was written by a trio of scientists. It's understood to have shown the inner workings of the Megamos Crypto algorithm, which is used to work out the codes that are sent between the key and the car.

VW, which owns the Porsche, Audi, Bentley and Lamborghini brands, claimed publishing the paper could allow a "sophisticated criminal gang" to override the security system to steal cars. Not just its cars, but those made by other manufacturers, too.

The case has sparked plenty of debate, especially among the members of the IT Pro editorial team, about whether the court was right to ban the paper's publication.

The University of Birmingham, where one of the scientists involved is understood to work as a lecturer, released a statement this week expressing its disappointment at the ruling.

"The judgment...did not uphold the defence of academic freedom and public interest, but [the university] respects the decision," the statement read.

Perhaps it's because I'm a journalist, and find myself regularly butting heads with the public interest defence, that I initially found myself sympathising with the scientists' plight.

After all, a scientist's reputation rests on the quality of their research and discoveries, and if someone bans them from telling anyone about them, it is a rather impotent position to be in.

The scientists claimed their research is designed to demonstrate the lack of security of car immobilisers, which rely on the Megamos chip, but strongly deny it could lead to car theft.

"The paper reveals the inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," read a further statement released this week by Stichting Katholieke Universiteit, where the remaining two scientists worked.

"The publication in no way describes how to easily steal a car, as additional and different information is needed to do this," it added.

That may be the case, but there's no mention of how easy that additional data would be to come by.

Even so, according to a report this week in The Guardian, the scientists curiously notified the maker of the chip nine months ago about the report so they could take action.

Responsible publication

It's not hard to see why Volkswagen decided to pursue the case. Gone In Sixty Seconds was a diverting enough addition to Nicolas Cage's illustrious movie career, but no-one wants to see a similar scenario played out for real on the streets.

But is holding back this information really the best way of protecting millions of people from the threat of car theft? Well, that depends on what Volkswagen intends to do with it.

If Volkswagen's intention is to privately seize on the findings of the car hacking scientists, as several national newspapers have dubbed them, to beef up security around this system, more power to them.

And, in Volkswagen's defence, it did offer the scientists the option of publishing a partially redacted version of the report without the codes, but they declined on public interest grounds.

Personally, I think that was the wrong decision. While I appreciate that academic freedom is important, it has to be exercised in a responsible way.

Let's use Barnaby Jack, the renowned computer hacker who sadly passed away last week, as an example.

One of his most talked about pieces of work was the discovery of an insulin pump security flaw that could allow a hacker to administer a fatal dose of the hormone, despite being around 300 feet away from the victim.

His work is reported to have prompted at least one well-known manufacturer of the devices to re-evaluate the security measures it had in place.

But despite doing a high-profile demonstration of how the attack would work at a hacker conference last year, he stopped short of releasing full details of the vulnerabilities that made it possible.

He proved it could be done, and that was enough to initiate change within the medical industry.

The fact this paper exists, and has been extensively written about in the press, means people will be aware of the risk.

And Volkswagen's request for the release of a redacted version of the paper suggests to us that it is not against people knowing the algorithm's been cracked; it just doesn't want people to be able to use it for criminal ends.

Although, without meaning to trivialise the obvious brainpower of the scientists involved, if they've acquired knowledge of this system, what's to stop someone else? Someone who might not be planning to speak so openly about their findings, and with dastardly deeds in mind...
