The curious case of Volkswagen's fight with the car hacking scientists

Was Volkswagen right to request an injunction against the car hacking scientists? Caroline Donnelly's not so sure.

If you're in the business of making top-end sports cars that people typically shell out hundreds of thousands of pounds on, you'd probably feel duty bound to do everything in your power to help your customers keep them safe and secure.

This was undoubtedly Volkswagen Group's motivation for taking out an interim injunction against a research paper that reportedly details the algorithm used to help cars verify the identity of an ignition key.

The banned academic paper in question was written by a trio of scientists. It's understood to have shown the inner workings of the Megamos Crypto algorithm, which is used to work out the codes that are sent between the key and the car.

VW, which owns the Porsche, Audi, Bentley and Lamborghini brands, claimed publishing the paper could allow a "sophisticated criminal gang" to override the security system to steal cars. Not just its cars, but those made by other manufacturers, too.

The case has sparked plenty of debate, especially among the members of the IT Pro editorial team, about whether the court was right to ban the paper's publication.

The University of Birmingham, where one of the scientists involved is understood to work as a lecturer, released a statement this week expressing its disappointment at the ruling.

"The judgment...did not uphold the defence of academic freedom and public interest, but [the university] respects the decision," the statement read.

Perhaps it's because I'm a journalist, and find myself regularly butting heads with the public interest defence, that I initially found myself sympathising with the scientists' plight.

After all, a scientist's reputation rests on the quality of their research and discoveries, and if someone bans them from telling anyone about them, it is a rather impotent position to be in.

The scientists claimed their research is designed to demonstrate the lack of security of car immobilisers, which rely on the Megamos chip, but strongly deny it could lead to car theft.

"The paper reveals the inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," read a further statement released this week by Stichting Katholieke Universiteit, where the remaining two scientists worked.

"The publication in no way describes how to easily steal a car, as additional and different information is needed to do this," it added.

That may be the case, but there's no mention of how easy that additional data would be to come by.

Even so, according to a report this week in The Guardian, the scientists curiously notified the maker of the chip nine months ago about the report so they could take action.

Responsible publication

It's not hard to see why Volkswagen decided to pursue the case. Gone In Sixty Seconds was a diverting enough addition to Nicolas Cage's illustrious movie career, but no-one wants to see a similar scenario played out for real on the streets.

But is holding back this information really the best way of protecting millions of people from the threat of car theft? Well, that depends on what Volkswagen intends to do with it.

If Volkswagen's intention is to privately seize on the findings of the car hacking scientists, as several national newspapers have dubbed them, to beef up security around this system, more power to them.

And, in Volkswagen's defence, it did offer the scientists the option of publishing a partially redacted version of the report without the codes, but they declined on public interest grounds.

Personally, I think that was the wrong decision. While I appreciate that academic freedom is important, it has to be exercised in a responsible way.

Let's use Barnaby Jack, the renowned computer hacker who sadly passed away last week, as an example.

One of his most talked about pieces of work was the discovery of an insulin pump security flaw that could allow a hacker to administer a fatal dose of the hormone, despite being around 300 feet away from the victim.

His work is reported to have prompted at least one well-known manufacturer of the devices to re-evaluate the security measures it had in place.

But despite doing a high-profile demonstration of how the attack would work at a hacker conference last year, he stopped short of releasing full details of the vulnerabilities that made it possible.

He proved it could be done, and that was enough to initiate change within the medical industry.

The fact this paper exists, and has been extensively written about in the press, means people will be aware of the risk.

And its request for the release of a redacted version of the paper suggests to us Volkswagen is not against people knowing the algorithm's been cracked; it just doesn't want people to be able to use it for criminal ends.

Although, without meaning to trivialise the obvious brainpower of the scientists involved, if they've acquired knowledge of this system, what's to stop someone else? Someone who might not be planning to speak so openly about their findings, and with dastardly deeds in mind...
