
VW Has Spent Two Years Trying to Hide a Big Security Flaw - Sami_Lehtinen
http://www.bloomberg.com/news/articles/2015-08-14/vw-has-spent-two-years-trying-to-hide-a-big-security-flaw
======
le_clochard
These recurring events (of auto makers exposed for not owning up to faults)
reminds me of is the Fight Club description of the recall formula.

------
bro-stick
Off topic but a point about the persistence of cults around unreliable
vehicles:

<rant>As owner of an 1985 Westfalia, I have nothing but contempt for the
inconsistent and poor engineering of this beast. Even with the factory Digijet
pro training materials and factory service manual and several mechanics later,
this thing still won't idle right when cold or warm. Systemically went through
each system (fuel, air, electrical, mechanical, vacuum) individually and
triple-checked per procedures and looked at general stuff like grounds and
wiring too. Maybe the community factor akin to Mini Cooper owners: ostensible
value built on hazing by ostentatious, expensive repairs due to substandard
engineering. Sure VW has/had the hippie thing too, perhaps also due to them
being difficult/expensive to maintain or being less powerful.</rant>

I'm grateful though the beastie doesn't have OBDII or keyless entry. (Like
most German vehicles of this vintage, the drivers' side door doesn't lock
without the key to avoid locking oneself out.)

------
ibejoeb
If I read this correctly, the vulnerable vehicles are not really left in a
worse state because of this defect. If they did not have cryptographic
electronic start, they'd simply be vulnerable to old-fashioned hotwiring. I
could be wrong, as I haven't been in a recent model, but I assume there is
still a physical steering column lock that needs to be disabled, no?

~~~
coldpie
No. The whole point of keyless entry is that you don't need to physically
handle a key to enter and start the car. Its presence in your pocket is
sufficient to enable the Start button to work. Or, as this article
demonstrates, the car's _belief_ that the key is in your pocket is sufficient.

~~~
ibejoeb
Oh, right, I do remember now. I had a CC for a bit. I was always leaving the
fob in the cupholder.

------
cblock811
Articles like this make me love my 2000 Subaru even more. I'm gonna hate
getting a newer car one day, but maybe by then manufacturers will better
secure their cars.

~~~
Nadya
You should look at crash tests results of your 2000 Subaru and a car more
modern than 2013 and decide which you'd rather be in in the result of a crash.
I'm less scared of a potential hacker cutting power to my car than I am of the
millions of poor drivers cutting lanes and changing lanes without signals (or
even looking) resulting in an auto accident.

Things started improving in the 90's (falling from 143m to 115m). In 2000 it
was at 112m. 2008 saw the sharpest decline - down to 78m. In 2012 it was 65m.

The difference between 112m and 65m is staggering - and is largely due to
newer, safer cars being on the road.

All figures above are driver deaths per million for registered vehicles taken
from:
[http://www.iihs.org/iihs/sr/statusreport/article/50/1/1](http://www.iihs.org/iihs/sr/statusreport/article/50/1/1)

E:

Although Subaru has a good track record of safety. I just think the fear is
misplaced. For _most_ people driving older cars, I'd be far more scared about
my safety during a crash than my safety from a potential hacker.

Both are of concern, of course.

~~~
commandar
Newer safety regulations definitely help, but at the same time, I almost feel
like we're reaching a point where we're at pendulum overswing to some degree.

That biggest change since 2012 has been increased roof strength requirements.
This was driven at least in part due to the popularity of top-heavy, rollover
prone vehicles.

Meeting these requirements have required cars to get heavier and incorporate
massive roof pillars. This negatively impacts gas mileage (relatively minor
concern), but, far more importantly IMO, means that nearly every new car out
there has _awful_ rear visibility. So we've bandaided that by requiring backup
cameras, but those don't help when you're moving in traffic. We've created a
situation where most new cars on the road have huge, terrible blindspots by
trying to make the cars safer.

Again, better safety is a good thing, i just think that we just need to do a
better job of balancing it with the usability of the vehicles.

~~~
superuser2
Perhaps - but the numbers don't indicate the pendulum swinging back. It looks
to be a net gain, even despite that.

Interesting, though. I had noticed this trend - coming from a 2002 Outback,
most of the ZipCars I drove seemed to have terrible rear visibility. Now I
know why.

------
JamesBaxter
So has VW taken advantage of the time given to them by the courts to release
fixed transponders in new vehicles and slowly replace the current defective
ones as part of a routine service?

Otherwise they've just delayed the information getting out which seems
pointless?

~~~
Hermel
Yes, that flaw has been fixed in the latest models.

~~~
mzs
Source please, as I understand it VW cars themselves are not vulnerable but
some other VAG brands still use these vulnerable immobilizers to this day.

------
marze
Is it just me, or is the peak of stupidity in this episode the fact that the
car will verify/reject a few hundred thousand passwords in 30 minutes?

Shouldn't that be security 101, limiting the rate to a couple per minute, max?
Why allow such brute force attacks in the first place?

EDIT:

Or in other words, why is the phrase "brute force password attack" still even
heard in 2015?

------
genericuser
So why were the researchers willing to publish a redacted version now, but
were not willing to publish the redacted version 3 years ago when they were
researching the issue?

I am actually curious because this is the only part of this whole thing that
does not make sense to me. Even if I disagree with Volkswagon's decision to
not notify existing owners that there was a vulnerability known or eventually
provide them with a fix, the decision at least makes sense because it probably
was deemed more profitable for VW.

"The scientists wanted to publish their paper at the well-respected Usenix
Security Symposium in Washington DC in August, but the court has imposed an
interim injunction. Volkswagen had asked the scientists to publish a redacted
version of their paper – Dismantling Megamos Crypto: Wirelessly Lockpicking a
Vehicle Immobiliser – without the codes, but they declined."

[http://www.theguardian.com/technology/2013/jul/26/scientist-...](http://www.theguardian.com/technology/2013/jul/26/scientist-
banned-revealing-codes-cars)

~~~
vilhelm_s
Is it the same redacted version? Maybe Volkswagen asked more more extensive
redactions back then, and they now reached a compromise?

~~~
genericuser
It sounds like the same thing was redacted from this version that they asked
be redacted from that version as this one doesn't have the specific codes
necessary to make it work.

------
davidgerard
ITT: nobody so far advocating "responsible disclosure", because this is the
sort of vendor abusiveness that made "full disclosure" clearly a good idea,
and an essential protection for the interests of the _end user_.

The Internet of Things will recapitulate all the painful experience of how
this stuff works out we just spent twenty years getting sorted out in the
software field.

~~~
theandrewbailey
Even though these cars aren't a part of the internet of things (yet),
situations like these are the exact reasons why I'm not enthusiastic about it.
Honestly, I hate it.

~~~
davidgerard
In the future, your Internet-enabled fridge will get hijacked by Russian
spammers ... if the future is 2013.
[http://www.bbc.co.uk/news/technology-25780908](http://www.bbc.co.uk/news/technology-25780908)

Whenever anyone says "Internet of Things", reply "unfixable Heartbleed
everywhere forever."

Sysadmins will be in work until we're 100 if we want to be, cleaning up after
this rubbish. Like elderly COBOL programmers, making the big bucks after
retirement.

------
acd
For an analogy you can look inside a car engine take it appart verify its
components. But if you take a look inside the software and take it apart you
are suddenly potentially breaking license agreements. This agreements violate
free speech if you find something you may not tell others about it or risk
getting sued.

------
Havoc
Honestly I'm not really bothered about the whole "hacking cars" thing. I've
spent enough years in dangerous countries that this seems like a non-issue.

I do object to car companies knowing about a safety issue & keeping quiet due
to it being "cheaper" to accept a couple of deaths than fix it. That kind of
thing should be punished with eye watering fines in my view - not to save
those 12 lives but to put the message out there that car companies need to get
it right instead of playing the odds.

~~~
alxndr
> "companies need to get it right instead of playing the odds"

Doesn't sound cost-effective.

------
tempestn
FTA:

"There's no quick fix for the problem - the RFID chips in the keys and
transponders inside the cars must be replaced, incurring significant labor
costs." ... "A VW spokesman responded: 'Volkswagen maintains its electronic as
well as mechanical security measures technologically up-to-date and also
offers innovative technologies in this sector.'"

Since they haven't recalled the vehicles and replaced the chips, that would
be... not precisely true?

------
wepple
paper:
[https://www.usenix.org/sites/default/files/sec15_supplement....](https://www.usenix.org/sites/default/files/sec15_supplement.pdf)

"The transponder uses a 96-bit secret key and a proprietary cipher in order to
authenticate to the vehicle."

not sure there's anything more you need to know than "rolled their own crypto"

------
JoachimS
The question I have is what VW did after receiving the injunction? Did they
work with their customers for the last two years to fix the vulnerability? Or
was the injunction their solution by itself?

If it was the latter case, somebody should really serve them a class action
suit. Security by gag is not helping the end customer.

------
devy
There was a talk about the paper of breaking Megamos crypto in 2013.
[https://www.youtube.com/watch?v=R_8eYSJlWic](https://www.youtube.com/watch?v=R_8eYSJlWic)

------
jshelly
In VW's defence it sounds like they just sourced the parts from Megamos who is
ultimately responsible for the flaw

~~~
developer1
Right, because VW should blindly build parts into their vehicles without
vetting the security they bring (especially when said part is in fact a
security component). Tougher to do when vetting such a part requires expertise
in the field, but blindly trusting the supplier is never a good practice.

~~~
jshelly
Isn't the whole reason you farm out parts is because you don't have the
expertise internal?

------
probablyfiction
96-bit keys??? Even in 2012 when VW released the feature, 96 bits was
laughably weak.

------
x0054
Why on earth are they using 96-bit cryptography in 2012?

------
DIVx0
Besides locking your car into a garage, is there anything a VW owner can do to
make it more difficult for these types of thefts to occur?

~~~
binarymax
You could always use a club: [http://www.amazon.com/Club-1000-Original-
Steering-Wheel/dp/B...](http://www.amazon.com/Club-1000-Original-Steering-
Wheel/dp/B0000CBILL)

But anyone waiting to spend 30 minutes with an electronic crack is also smart
enough to use liquid nitrogen to crack this too.

The difference is that a keyless hack can look natural since there is no
physical force for entry or ignition. A funnel and chisel would raise some
eyebrows.

~~~
bri3d
This attack is against the RFID immobilizer for the engine, which means an
attacker would have to break into the car, break the steering wheel lock and
break the physical ignition lock prior to starting the car.

The full paper here:
[https://www.usenix.org/sites/default/files/sec15_supplement....](https://www.usenix.org/sites/default/files/sec15_supplement.pdf)
has a lot better detail.

~~~
gambiting
No, it's also an attack on the actual wireless key which is used to open and
start the car. It's just making the car "think" that the key is inside, so you
just press the Start button and the car starts, after which you drive it away
like normal.

~~~
bri3d
Fair, but only on cars which have only passive security (that is - where you
don't need to use the fob to unlock the car and you don't need to use a
physical key to turn the ignition).

~~~
Elepsis
Which is of course the stock configuration on most modern luxury vehicles.

~~~
gambiting
Most new cars which have keyless systems work exactly like that, nothing to do
with luxury cars.

------
circa
Happy to see the GTI not listed on there but why would that be any different
from the other models? You think they would use the same across the board.

~~~
greg5green
I'm pretty sure they sell them as the Golf GTI in Europe where the research
was done, so probably included under the Golf model.

~~~
circa
Ah, right. Good point.

------
known
Closed source software does the same;

------
usrusr
So the immobilizer does not immobilize as much as expected/hoped. While that
sure isn't something the manufacturer should be proud of, it is hardly a
really critical problem, nowhere close to "stop driving until resolved".
Immobilizers may have lowered car theft before, but never fully stopped it.
The incentive situation for thieves has shifted a bit, that's all, a gradual
change, not a 180 degree bit flip.

The bigger mistake than sourcing imperfect components is the attempted cover-
up and I am positively surprised that this is even reflected in the headline.
(at least theoretically: the first glance takeaway message for this story will
always be "security hole in car!", no matter how much the author tries to put
the cover-up in focus)

~~~
kllrnohj
The title seems to just be the standard clickbait approach to titles.

They got an injuction so that's a pretty public way to go about trying to do a
"cover-up".

~~~
scott_karana
They've had the injunction for two years, but haven't initiated a recall in
the meantime!

"Cover up" sounds accurate to me.

~~~
kllrnohj
A recall for what? There's no safety issue here. There's no functional loss.

Unless they advertised the car as being unstealable or anything close there's
not even a marketing point that's not working as one could reasonably expect.
Carmakers call this a theft-deterrant feature, they don't even call it anti-
theft or similar.

The immobilizer is not as secure as one would hope, but nobody ever promised
you anything here in the first place.

What keeps your car from being stolen is not the immobilizer. The government
and laws are what keep your car from being stolen.

~~~
scott_karana
It's obviously not a safety recall, but that doesn't mean it isn't serious.

Other companies have been known to do voluntary recalls defective locks, why
is VAG exempted in your mind?

"It barely can even be considered an immobiliser" is almost certainly contrary
to reasonable consumer expectations, and it wouldn't surprise me if the EU, at
least, had laws regarding this kind of issue.

~~~
kllrnohj
It's not serious. It still requires someone to specifically target you & your
car with special gear and know-how far outside the realm of the typical car
thief.

~~~
shawn-furyan
IDK about "far outside the realm of the typical car thief". Not that the
typical car thief is going to be trailblazing the research, but once the
research is done, it just takes someone putting a black box VW keyless
unlocker together, and then it's in the realm of the typical car thief. In
fact, at that point you're talking about the break in being the simplest part
of the theft, with fencing being much more difficult.

~~~
kllrnohj
You really think your typical car thief is going to go find _and purchase_
specialized tools?

As always, relevant XKCD: [https://xkcd.com/538/](https://xkcd.com/538/)

~~~
shawn-furyan
Uhm... these sort of tools are being developed and purchased all the time in
black markets.

See [http://krebsonsecurity.com/](http://krebsonsecurity.com/) for plenty of
examples.

------
toyg
I have a Passat from late 2013 -- it cannot be remotely started but doors are
keyless. Twice in the last 16 months, somebody rummaged through it overnight,
without breaking anything. We religiously close the car every night,
especially after the first occurrence, but still it happened again. After it
happened to my next-door neighbor's 2013 Golf as well, I reported it to VW and
they never even bothered getting back to me.

I'm not surprised in the slightest, I think this sort of news will keep
popping up all over the place and manufacturers will keep trying hard to
suppress it. We know it will never end: good crypto is hard and inconvenient,
so it's unlikely that car manufacturers will ever implement it properly. Bad
guys get all the info they need, eventually, so it's just a matter of time
before any digital lock is broken.

~~~
djrogers
Your anecdote doesn't share anything in common with the article. One of two
things are likely - your car wasn't actually locked this nights, or the theirs
used a signal amplifier to make the car think your keys inside the house were
next to your car.

Neither of those things is VW's fault - if you don't like the wireless
automatic door unlocking because the signal can be boosted maliciously, then
you should disable it. Otherwise live with the consequences.

~~~
toyg
No, my anecdote is more about a data point (well, three actually) indicating
we don't really know how many ways there are to break into these cars, and
that manufacturers are playing dumb, hence me not being surprised at the news
that another one was found.

If really the problem was relatively trivial, VW should have warned me on how
to avoid it, and they didn't. It can't be a simple amplifier: it's not just
proximity, you actually have to press a button on the dongle to open a door,
so whatever they were doing, it wasn't just repeating an existing signal; and
as I said, I can tell you that making sure the car is locked has become a
nightly ritual.

~~~
selimthegrim
Well sure, but this is just a RF signal here, the objection to your anecdote
is that on the face of it it has nothing whatsoever to do with good crypto

~~~
toyg
But my point is _that it should_. Any digital lock should use good crypto, it
doesn't matter if for ignition or doors. The fact that it's been proven that
they did it badly even when they tried, aligns with my experience that their
digital locks are not secure.

Whether my locks open with an easily-spoofable RF signal or with a
bruteforceable key, the bottom line is still that they are not doing good
crypto in situations where it's clearly necessary.

------
larrys
Non issue to me. Typical media and security professionals hyperbole.

I have car insurance _for my Porsche_. According to the list it's vulnerable.

Chance of getting stolen? Quite small. If it does insurance pays in my case
the full value not the depreciated value (age of car as only one reason). Not
something I am worrying about.

How many cars are actually stolen as a result of this flaw?

Just another example of the security industrial complex fanning the flames...

~~~
davidgerard
It wasn't the "security-industrial complex" that caused a security-incompetent
vendor to use legal threats to try to suppress disclosure. That's the story
here.

------
_nedR
Honestly, everytime I hear about the latest new-and-shiny that car
manufacturers try to put in new cars (such as stop-start, keyless ignition) I
can't help but roll my eyes at the inevitable fail that this is going to
bring. Sure these knick-knacks might look cool now, but what happens eight
years down the line, when your electric system goes belly up in middle of the
highway or at a traffic signal? VW is one of the worst offenders in this
regard. They are quick to implement useless features without giving any regard
to reliability or the idea of graceful failure. The greatest achievement of VW
marketing has been in perpetuating the myth about the infallibility of German
Engineering. German cars seem to have some of the worst electrical problems
which is at least in part due to all the electric and electronic equipment
they cram into their cars. I would put greater confidence in the reliability
of Japanese or even Korean engineering over them (although even the usually
conservative Japs have been tempted to follow these fads of late). One less
button on the dash of your bland Toyota, means one less thing that is going to
break five years down the line.

~~~
Johnny555
I don't think start/stop belongs in your list of useless knick-knacks that are
prone to failure -- the Prius has been in production for about 18 years, and
it's used start/stop from the beginning to save fuel. But you don't hear of
large numbers of Priuses stuck at red lights when their engine computer forgot
how to start the engine.

Start-stop can save significant fuel - 3% - 12% by some estimates, and it
comes at very little cost and complexity.

~~~
_nedR
True. stop-start might have not been the best example in this case. But still,
i would be quite apprehensive of buying a 10-year old european car that has
stop-start built in - Much more than an equivalent toyota. Japanese are quite
slow to follow in implementing new features and as a result (IMO) their
implementations seem to be more reliable. I have experienced European cars to
develop serious electrical issues over the years. Couple that with a stop-
start system, and you are looking at an undrivable car.

edit: In the past couple of years things seemed to have mixed up a bit in the
industry (for example American cars have quite improved in quality). So who
knows, maybe today's cars might hold up much better 10 years into their life ,
than their predecessors. But increasing incorporation of software and
electronics into these probably will not help them get there.

~~~
frik
The continuous start-stop wears out the engine faster, so it won't last as
long as an identical model with the same engine that hasn't that feature.

It's like switching a traditional light bulb on and off in a continuous way -
it won't last years (some 100+ old light bulbs still work fine, but the were
powered-off just a handful times).

~~~
Johnny555
Do you have a reference for that? Cold engine starts cause a lot of wear, but
warm engine starts should cause very little wear, especially in an engine
designed for start stop.

[http://www.autocar.co.uk/car-news/new-cars/stop-start-
long-t...](http://www.autocar.co.uk/car-news/new-cars/stop-start-long-term-
impact-your-car-s-engine)

While a home light bulb may not stand up to continuous on/off cycles, a bulb
that's designed to do so (like a low-voltage bulb with a heavy filament) can
last for a very long time.

So I wouldn't retrofit an existing car with a start-stop system, but I
wouldn't have any qualms about purchasing a car with a start-stop engine as it
would have been designed for the purpose.

------
callesgg
My question is if VW has switched the affected stuff in newer models since
they found out about the issues?

~~~
kuschku
Yes, as people mentioned above. It’s long fixed, and only a tiny set of cars
(only high-end models with keyless entry) were even affected at all.

~~~
mmarx
> It’s long fixed, and only a tiny set of cars (only high-end models with
> keyless entry) were even affected at all.

Some of the models on the list feature neither keyless entry, nor are high-end
(the Audi A2, for example). While the Audi S2 may be considered high-end, it
certainly wasn't available with keyless entry, and I wouldn't be suprised if
the Audi 80/90 (which the S2 is based on) were affected, too.

~~~
kuschku
Well, that’s nice – you have a car where you now disabled the immobilizer, but
you’ll still need at least large tools and half an hour to break the steering
wheel lock and the other stopping mechanisms.

Especially in cars without keyless entry the immobilizer is only one of dozens
of mechanisms against theft.

------
sarahprobono
So what manufacturers do seem to care about security? If I wanted to buy a car
made in the last few years, who is least likely to be cracked?

~~~
mikeash
Theft of newer-model cars is extremely rare and I don't think vulnerabilities
will change that much. Anything that requires computers at all is going to be
beyond the average car thief.

If you're worried about safety, buy a car with a good crash safety rating.
You're far more likely to get into a normal crash due to bad human drivers or
mechanical failures than you are to be hacked.

If you're worried about the financial loss from a crash or theft, your best
protection is good insurance.

~~~
ceejayoz
> Anything that requires computers at all is going to be beyond the average
> car thief.

Not for long.

~~~
mikeash
Well sure, pretty much by definition. Car thieves who can't handle technology
will eventually have to stop stealing cars. There are only so many late 90s
Honda Accords out there to be stolen, after all, and they aren't making any
more.

But I really doubt that all the thieves out there will learn fancy technology
so they can steal newer cars. A few will, but most will find other things to
steal.

Right now, popular new cars are stolen in amounts of hundreds per year in the
US. Older cars (like the Honda Accord) are stolen by the tens of thousands.
That's not because older cars are more valuable, it's just because it's a lot
easier.

~~~
leni536
Oh, then there is a pretty open market on preconfigured "thief tools".

------
altharaz
"There's no quick fix for the problem - the RFID chips in the keys and
transponders inside the cars must be replaced, incurring significant labor
costs."

What a nightmare. Car manufacturers have to design more resilient systems.

Based on the difficulty to secure hardware systems after deployment, they will
be for sure trying to put more and more features on the software-side.

If so, they will also have to think about a quick way to deploy security fixes
remotely. One way could be working with connectivity solutions for Embedded
Systems (e.g. SigFox).

~~~
kuschku
Well, the advantage of VW is that the car itself is pretty secure.

All messages on the CANBUS are securely signed, there are multiple rings of
security where data can always pass only in one direction, etc.

The only thing this exploit enables is that if you already have the car,
managed to break the steering wheel lock, managed to replicate the magnetic
signature of the key, and managed to start the motor, that you can circumvent
the immobilizer that comes after that.

This is a pretty minor flaw compared to the "full control via radio" that
competitors had.

~~~
Roodgorf
Wait, so VW has an RFID immobilizer _and_ a physical key? I've only ever seen
cars having one or the other.

~~~
bri3d
All European cars since 1998 will have both, because immobilizers are required
by law in most of Western Europe.

On most cars, you'll never notice the immobilizer as it's RFID based, passive,
and requires no batteries. The only way you'd find it is if you take apart the
key fob or have to service the ignition lock, at which point you'll find the
RFID antenna ring around it, or if you try to get the key replaced.

~~~
mmarx
> All European cars since 1998 will have both, because immobilizers are
> required by law in most of Western Europe.

So will some cars produced before 1998. The Audi S2 (listed in the article) is
one of those, and was built from 1990 to 1995.

------
rwmj
The "new" (actually 2 years old) thing is the UK courts granting injunctions
preventing the publication of security research from a well known UK
university. WTF.

[http://www.theguardian.com/technology/2013/jul/30/car-
hackin...](http://www.theguardian.com/technology/2013/jul/30/car-hacking-
ignition-injunction)

~~~
ajross
Right, the money quote in the article is:

> _The research team first took its findings to the manufacturer of the
> affected chip in February 2012 and then to Volkswagen in May 2013. The car-
> maker filed a lawsuit to block the publication of the paper - arguing that
> its vehicles would be placed at risk of theft - and was awarded an
> injunction in the U.K. 's High Court._

But then they don't detail the legal situation that led to the two years of
litigation and the eventual release, so I don't know who to be mad at..

~~~
josu
People are usually bad understanding counter intuitive notions such as the
fact that making security flaws public actually makes consumers more secure,
not less.

~~~
Encosia
I doubt you'd say that if you owned one of the affected VWs.

~~~
jessaustin
One might, if one had _purchased_ a VW during the years this paper was
censored.

~~~
genericuser
Except that VW at somepoint quit using the transponder in question because of
this issue so new cars made are no longer susceptible.

~~~
jessaustin
Not everyone buys only new cars. Besides, in a world in which research was not
censored, do you really expect that VW would have been _slower_ to fix the
issue?

~~~
genericuser
No but I don't think they would of been faster either was my point.

Hence, to answer to the question posed "So how many vulnerable cars are on the
roads of the world right now because the UK High Court wanted to "protect
consumers""

I would answer 'possibly zero, BECAUSE of that' and once they are manufactured
and sold they exist regardless of the owner, till they are destroyed.

~~~
jessaustin
I never posed that question. (hint: sibling did)

I merely countered the plight of old VW owners with that of new VW owners.

------
coldpie
To anyone with any background at all in computer security, this is such a
"duh" moment. If Sony et al can't secure their massively important corporate
infrastructure, what are the odds your car's wireless computers are secure in
any way? They aren't, they knew it, and you knew it. Sorry.

It'll be interesting to watch the fallout from these obviously-present
vulnerabilities. I see three possible outcomes, in decreasing order of
likelihood: status quo, where they just "fix" the bugs as they hit the news;
some sort of massive push towards real computer security, in this and other
industries; or a massive reduction in features to avoid the flaws.

This is really just another symptom of the current state of computer security,
best described as "a joke." My guess is in 50 years we'll have decent computer
security. There's nothing that precludes it in theory. But it's going to be an
ugly, ugly couple of decades while we pay off the wave of computer-security-
debt that we have been riding.

~~~
CaveTech
The attack vectors available for use against a corporation is _infinitely_
larger than those available for a car. It's not really a fair comparison.

~~~
binarymax
Not only that - but the 'duh' moment for me was the 96bit key size.

~~~
mkj
96 bits by itself probably isn't within reach of brute forcing - I assume the
algorithm itself had flaws.

~~~
jacobolus
What I want to know is why the car will continue to accept 100 trial keys per
second after the first 100,000 attempts failed.

Shouldn’t there be some kind of exponential back-off after failures? If after
the first 1000 failed keys it would only accept e.g. one new try every few
seconds, it would then take 2–3 orders of magnitude more time to brute force.

~~~
lisper
That could be exploited to produce a trivial denial-of-service attack.

~~~
mturmon
I can think of other, lower tech, DoS attacks against cars -- which are also
not much exploited.

~~~
beat
Someone once DoS'd my car, by slashing two tires. On a downtown public street.

~~~
tbomb
That sucks to have happened to you, but that sentence made me lol.

