NEW YORK (CNNMoney) — Researchers just revealed that technology used in 126 types of cars makes them easier to steal, and that Volkswagen went to court two years ago to keep their discovery a secret.
Three European computer scientists knew about the flaws since 2012, and they warned automakers. But Volkswagen used its lawyers to keep the research under wraps until now, when a legal settlement allowed the documents to go public.
It’s all about the high-tech keys used in today’s cars.
In the past, thieves could hot-wire a car to get it to start. But now, there are computer chips inside the key and car ignition switch. A car only starts if the chips are near each other and send just the right code.
This stops thieves, even those who make a physical copy of the metal key. No chip, no start.
But there’s a flaw in the way the chips guard their communication, according to researchers. The chips use outdated encryption. If someone can listen to them talk to each other — just twice — they can use a computer to figure out the pattern. Then it’s easy to make a copy of the key and the chip.
“It’s a bit like if your password was ‘password,'” said one of the researchers, Flavio D. Garcia of the University of Birmingham in the United Kingdom.
A hacker could become a valet driver and steal a fleet of cars, or steal a rental long after returning it.
This flaw was discovered by Garcia, as well as Bariş Ege and Roel Verdult of the Radboud University Nijmegen in the Netherlands.
Better encryption makes it impossible to crack codes. The researchers were astonished to find that even luxury cars used outdated encryption.
“You would expect that expensive cars used the better alternative,” Verdult told CNNMoney on Friday.
The list of affected cars included several models made by Audi, Fiat, Honda, Kia, Volkswagen, Volvo and many others. They all rely on chips made by EM Microelectronic in Switzerland.
Researchers listed them in a paper released this week. They presented their findings on Wednesday at the Usenix conference in Washington, D.C.
But there’s an odd reason why they waited more than two years to present their discovery. Volkswagen shut them up.
The researchers say they gave the Swiss chip maker nine months to fix the problem in late 2012 before they would go public with their discovery.
Then in 2013, Volkswagen sued the universities — and the researchers personally — to block them from publishing their discovery to fellow academics, according to court documents.
Initially, a British court sided with the automaker, writing: “I recognise the high value of academic free speech, but there is another high value, the security of millions of Volkswagen cars.”
Eventually, both sides settled when the researchers agreed to omit a single line from their report — a pivotal detail which could allow a non-technical person to figure out this hack.
In a statement to CNNMoney, Volkswagen acknowledged the technological flaw in its cars. But the company stressed that the hack takes “considerable, complex effort” that’s unlikely to be used except by tech-savvy, organized crime syndicates.
Volkswagen also said its latest cars, including the Golf 7 and Passat B8, aren’t vulnerable.
It didn’t comment on its attempt to silence researchers, though.
“We think people who own these cars should know their cars aren’t as protected as they think they are,” Verdult said. “We were surprised the judge said you can’t tell these factual things out loud.”
CNNMoney reached out to Audi, Fiat, Honda, Kia and Volvo. None of them immediately replied with a comment.