agent Entrepreneur logo
MenuMENU
SearchSEARCH

VW Spent Two Years Trying to Hide a Security Flaw

LONDON (Bloomberg) – Thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking, according to expert research that Volkswagen has spent two years trying to suppress in the courts, reports Automotive News. “Keyless” car theft, which sees hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 ... Read More »

August 14, 2015
4 min to read


LONDON (Bloomberg) – Thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking, according to expert research that Volkswagen has spent two years trying to suppress in the courts, reports Automotive News.

“Keyless” car theft, which sees hackers target vulnerabilities in electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London. BMWs and Range Rovers are particularly at-risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.

Ad Loading...

Security researchers have now discovered a similar vulnerability in keyless vehicles made by several carmakers. The weakness — which affects the Radio-Frequency Identification (RFID) transponder chip used in immobilizers — was discovered in 2012, but carmakers sued the researchers to prevent them from publishing their findings.

This week the paper, by Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham, U.K., is being presented at the USENIX security conference in Washington, D.C. The authors detail how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.

The Megamos is one of the most common immobilizer transponders, used in Volkswagen-owned luxury brands including Audi, Porsche, Bentley and Lamborghini, as well as Fiats, Hondas, Volvos and some Maserati models.

‘Serious flaw’

“This is a serious flaw and it’s not very easy to quickly correct,” explained Tim Watson, Director of Cyber Security at the University of Warwick. “It isn’t a theoretical weakness, it’s an actual one and it doesn’t cost theoretical dollars to fix, it costs actual dollars.”

Ad Loading...

Immobilizers are electronic security devices that stop a car’s engine from running unless the correct key fob (containing the RFID chip) is in close proximity to the car. They are supposed to prevent traditional theft techniques like hot-wiring, but can be bypassed, for example by amplifying the signal.

In this case, however, researchers broke the transponder’s 96-bit cryptographic system, by listening in twice to the radio communication between the key and the transponder. This reduced the pool of potential secret key matches, and opened up the “brute force” option: running through 196,607 options of secret keys until they found the one that could start the car. It took less than half an hour.

“The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car,” said security researcher Andrew Tierney.

There’s no quick fix for the problem — the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs.

One sentence removed

Ad Loading...

The research team first took its findings to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013. The car-maker filed a lawsuit to block the publication of the paper, arguing that it would put the security of winning an injunction in the U.K.’s High Court. Now, after lengthy negotiations, the paper is finally in the public domain — with just one sentence redacted.

“This single sentence contains an explicit description of a component of the calculations on the chip,” Verdult said, adding that by removing the sentence it was much more difficult to recreate the attack.

While challenging, determined “organized gangs” may persevere, said Watson.

“If you’re a maker of high-end cars I would suggest that the onus is on you to look after your customers’ purchases after they’ve bought them to make sure your systems are resistant to attack,” he added.

A VW spokesman responded: “Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector.”

Ad Loading...

Anti-theft protection is generally still ensured, he added, even for older models, because criminals need access to the key signal to hack the immobilizer. “Current models, including the current Passat and Golf, don’t allow this type of attack at all,” he said.

The Megamos Crypto is not the only immobilizer to have been targeted in this way – other popular products including the DST transponder and KeeLoq have both been reverse-engineered and attacked by security researchers.

Topics:VWIndustry

More Industry

Foreign Cars Italia dealership store in front of sunset
Industryby Hannah MitchellJuly 2, 2026

Luxe N.C. Dealerships Change Hands

A collection of Italian and English brand franchises were handed off to the owner’s friend in the business and include the Carolinas’ only Ferrari retail stores.

Read More →
inside of car, person with hands on black steering wheel
Industryby Lauren LawrenceJuly 2, 2026

Exposure Drives Interest in Chinese Cars

At a recent demonstration, consumers had the chance to ride in a Chinese-branded vehicle, a firsthand experience that improved their perceptions and purchase intent.

Read More →
Woman's hands holding an wallet empty of cash
Industryby Hannah MitchellJuly 1, 2026

Automotive Consumers Sink Further in Debt

Most financing metrics hit records in the second quarter as more buyers locked themselves into long terms and high monthly payments.

Read More →
Ad Loading...
Rob Mancuso sitting in a chair on stage
Industryby Hannah MitchellJuly 1, 2026

Agent Advocate

Rob Mancuso, who comes from a long line of auto dealers, values general agents’ place in the industry and makes a case for them taking an even bigger seat at the table.

Read More →
Photo of a touchscreen on a car's dashboard
Industryby Hannah MitchellJune 25, 2026

Driving Under Distraction

Though consumers gave higher marks to new vehicles in JD Power’s most recent initial-quality poll, high-tech interference worsened, pointing to craving for simplicity.

Read More →
split background green and blue. 2019 to 2025 with car going from starting location to end point. $37,310 and $48,402. Agent Entrepreneur logo
Industryby Lauren LawrenceJune 25, 2026

Affordable New Cars a Thing of the Past

More than one out of five new vehicles sell for more than $60,000, according to Edmunds. That's up 7% compared to prepandemic 2019.

Read More →
Ad Loading...
Photo of multiple new SUVs on a car dealership lot
Industryby Hannah MitchellJune 22, 2026

State Follows Federal Warning on Auto Ads

The Massachusetts attorney general cautioned the state’s automotive dealers to be upfront with the consuming public about their vehicle prices or risk punishment.

Read More →
Gas pumps.
Industryby Lauren LawrenceJune 15, 2026

Consumer Outlook on the Rise

Younger generations are feeling more positive about their financial futures and current affordability pressures than older generations, according to recent TransUnion data.

Read More →
Group photo of men outside storefront.
Industryby Hannah MitchellMay 28, 2026

Pennsylvania Dealership Under New Retailers

The sale of the Chrysler Dodge Jeep Ram store puts a family auto group on a leaner path as first-time dealers take the helm.

Read More →
Ad Loading...
Hallway with lockered wiring and computer
Industryby Lauren LawrenceMay 28, 2026

Battery Storage Takes Priority Over EVs

U.S. automakers are prioritizing battery energy stationary storage over electric-vehicle production as the consumer demand for EVs lags the rest of the world.

Read More →
Ad Loading...