The curious case of Volkswagen's fight with the car hacking scientists

Was Volkswagen right to request an injunction against the car hacking scientists? Caroline Donnelly's not so sure.

If you're in the business of making top-end sports cars that people typically shell out hundreds of thousands of pounds on, you'd probably feel duty bound to do everything in your power to help your customers keep them safe and secure.

This was undoubtedly Volkswagen Group's motivation for taking out an interim injunction against a research paper that reportedly details the algorithm used to help cars verify the identity of an ignition key.

The banned academic paper in question was written by a trio of scientists. It's understood to have shown the inner workings of the Megamos Crypto algorithm, which is used to work out the codes that are sent between the key and the car.

VW, which owns the Porsche, Audi, Bentley and Lamborghini brands, claimed publishing the paper could allow a "sophisticated criminal gang" to override the security system to steal cars. Not just its cars, but those made by other manufacturers, too.

The case has sparked plenty of debate, especially among the members of the IT Pro editorial team, about whether the court was right to ban the paper's publication.

The University of Birmingham, where one of the scientists involved is understood to work as a lecturer, released a statement this week expressing its disappointment at the ruling.

"The judgment...did not uphold the defence of academic freedom and public interest, but [the university] respects the decision," the statement read.

Perhaps it's because I'm a journalist, and find myself regularly butting heads with the public interest defence, that I initially found myself sympathising with the scientists' plight.

After all, a scientist's reputation rests on the quality of their research and discoveries, and if someone bans them from telling anyone about them, it is a rather impotent position to be in.

The scientists claimed their research is designed to demonstrate the lack of security of car immobilisers, which rely on the Megamos chip, but strongly deny it could lead to car theft.

"The paper reveals the inherent weaknesses, on the basis of mathematical calculations, and is based on an analysis of publicly available information," read a further statement released this week by Stichting Katholieke Universiteit, where the remaining two scientists worked.

"The publication in no way describes how to easily steal a car, as additional and different information is needed to do this," it added.

That may be the case, but there's no mention of how easy that additional data would be to come by.

Even so, according to a report this week in The Guardian, the scientists curiously notified the maker of the chip nine months ago about the report so they could take action.

Responsible publication

It's not hard to see why Volkswagen decided to pursue the case. Gone In Sixty Seconds was a diverting enough addition to Nicolas Cage's illustrious movie career, but no-one wants to see a similar scenario played out for real on the streets.

But is holding back this information really the best way of protecting millions of people from the threat of car theft? Well, that depends on what Volkswagen intends to do with it.

If Volkswagen's intention is to privately seize on the findings of the car hacking scientists, as several national newspapers have dubbed them, to beef up security around this system, more power to them.

And, in Volkswagen's defence, it did offer the scientists the option of publishing a partially redacted version of the report without the codes, but they declined on public interest grounds.

Personally, I think that was the wrong decision. While I appreciate that academic freedom is important, it has to be exercised in a responsible way.

Let's use Barnaby Jack, the renowned computer hacker who sadly passed away last week, as an example.

One of his most talked about pieces of work was the discovery of an insulin pump security flaw that could allow a hacker to administer a fatal dose of the hormone, despite being around 300 feet away from the victim.

His work is reported to have prompted at least one well-known manufacturer of the devices to re-evaluate the security measures it had in place.

But despite doing a high-profile demonstration of how the attack would work at a hacker conference last year, he stopped short of releasing full details of the vulnerabilities that made it possible.

He proved it could be done, and that was enough to initiate change within the medical industry.

The fact this paper exists, and has been extensively written about in the press, means people will be aware of the risk.

And, by requesting the release of a redacted version of the paper, Volkswagen suggests to us that it is not against people knowing the algorithm's been cracked; it just doesn't want people to be able to use it for criminal ends.

Although, without meaning to trivialise the obvious brainpower of the scientists involved, if they've acquired knowledge of this system, what's to stop someone else? Someone who might not be planning to speak so openly about their findings, and with dastardly deeds in mind...
