Veedub flub hubbub stubs car-jack hack flap

Dutch and British researchers Roel Verdult and Baris Ege, the duo behind the revelation that many VW cars have a security flaw, have now revealed that Ferraris, Maseratis, Pontiacs, and Porches that use Megamos Crypto transponders can be stolen. The duo demonstrated how the Megamos engine immobiliser, which unlocks when an …

  1. Dr Scrum Master
    Coat

    So I could rent a car for one day, duplicate its keys, then steal it the next day?

    That's me looking for my car keys...

  2. Voland's right hand Silver badge

    Physical access required

    If you have the key in your (temporary) possession there are easier ways for most cars.

    EBD-II port is your friend. Just program a new key. Very few cars require a PIN and/or using a master key instead of the "mere mortal" key to perform this operation and the gadget to do it costs 20 Eu.

    So frankly, if your car does not have special "valet" mode and if it is not documented to turn off all key programming functionality in that mode I suggest you park it yourself.

    Oooopps... Sorry... forgot... Luxury vehicle. Parking it yourself is an insult to the snobbishness of the driver. Oh well, do not complain it got nicked then.

    1. Mark 85

      Re: Physical access required

      Maybe it's me... but if I have a Ferrari, no one is going to park it but me. Yeah... selfish I am.

      1. Voland's right hand Silver badge

        Re: Physical access required

        @Mark 85

        You quite clearly DO NOT have a Ferrari.

        If you have a Ferrari making a point of giving the cerf at the Casino door your keys comes with the territory. After all, what would be your priority - the Ferrari or the "accessory" which came with it.

        1. Dr Who

          Re: Physical access required

          Why would you want to give your car to one of the fathers of the Internet? Or did you mean serf?

          I know, sarcasm gets you nowhere, but I couldn't resist.

        2. Steven Raith

          Re: Physical access required

          "If you have a Ferrari making a point of giving the cerf at the Casino door your keys comes with the territory."

          Fuck that balls, I'd be blipping and revving it in the car park and making the exhaust note reverberate off the walls, lowering the property prices of every building within aural range.

          Some of us like cars as something more than a status symbol (although fewer and fewer of us these days, it seems :-( )

          Steven "vroom" R

        3. Mark 85

          Re: Physical access required

          erm... Correct I don't have one. But to me it would be for the driving pleasure.. the engine sounds, etc. and not the status. My reasoning for not letting the pimply faced kid park it for me (or take it for a joyride) is one of not wanting to have to fix whatever they break. I have had high-performance cars in the past, and no one, absolutely no one was ever allowed to drive it but me. Picky I am.

    2. Captain Scarlet
      Trollface

      Re: Physical access required

      Get a chauffeur, first world problem resolved

  3. Anonymous Coward
    Anonymous Coward

    Rather than running to the courts why don't vw just fix the problem?

    1. Anonymous Coward
      Anonymous Coward

      "Rather than running to the courts why don't vw just fix the problem?"

      It could be because the security researcher needs the publicity quicker than it takes to fix the problem. This means the company is told "here is the problem and I'm going to publish this in xx days" rather than "here is the problem and I also have the skills to fix it" (which is IMHO a heck of a lot more impressive).

      It's only an assumption, of course, but I have seen a number of disclosures of late that have more to do with ego tripping than honest work to improve security.

      1. Anonymous Coward
        Anonymous Coward

        2 years to fix the issue?

        1. Alan Brown Silver badge

          "2 years to fix the issue?"

          No, 2 years trying to cover it up. It hasn't been fixed.

  4. frank ly

    There's a lesson

    Don't tell the manufacturer what you've found about problems with their product. Just publish your findings.

  5. Pascal Monett Silver badge

    Interesting

    Ferrari, Maserati, etc...

    In other words, people with money, meaning people with influence and, perhaps more importantly, people who know just how influential they are.

    I wonder how quickly said manufacturers will pony up that additional $1 to solve this problem. For a business based on image, this is one heck of a smear.

    1. Anonymous Coward
      Anonymous Coward

      Re: Interesting

      "Ferrari, Maserati, etc...

      In other words, people with money, meaning people with influence and, perhaps more importantly, people who know just how influential they are.

      I wonder how quickly said manufacturers will pony up that additional $1 to solve this problem. For a business based on image, this is one heck of a smear."

      The issue is not the brand, it's the make of the component they all share (a bit like Hella lights or Bosch electronics). That supplier has to come up with a fix, and then handle the enormous blowback from all these car manufacturers for exposing their customers. It could get very costly because as far as I can see it requires a recall and the exchange of a part (read: labour & operational costs, and we all know what a garage bill looks like when there is labour involved), so I suspect the fight will be as to who will pay for all that.

      Having said that, they knew who they were selling to. If they didn't bother doing some basic security testing they were really asking for it.

  6. Anonymous Coward
    Anonymous Coward

    If that sounds too much like hard work, for appx £10 you can buy a "VAG drive box" off ebay and just turn the immo off if it's an older VAG group car.

    Quite handy when the rfid coil in the steering column dies and you don't fancy dismantling the dash or paying the pisstake price of a replacement.

  7. Anonymous Coward
    Anonymous Coward

    Do Lamborghini use the same system?

    If so, this plank could have kept it:

    http://www.cambridge-news.co.uk/Driver-180-000-Lamborghini-Luton-hire-firm/story-27584268-detail/story.html

    1. Peter Ford

      Re: Do Lamborghini use the same system?

      Lamborghini is a VW Group brand (as is Bugatti) - so probably...

    2. VinceH

      Re: Do Lamborghini use the same system?

      When reading that, an item in the 'related content' caught my eye.

      Extreme porn charge as man caught with video of sex with a fish

      1. Michael Wojcik Silver badge

        Re: Do Lamborghini use the same system?

        Sir:

        Many of my best friends are fish-sex fetishists, and only a few own Lamborghinis.

        Yours faithfully, Brigadier Sir Charles Arthur Strong (Mrs.)

        P.S. I have never kissed the editor of the Reg.

  8. TeeCee Gold badge
    Facepalm

    Typical.

    "after Volkswagen spent some two years suppressing the work discovered in 2012."

    They have form here. There are at least two cases of nailed-on candidates for recall[1] that VW spent years resisting claims from affected owners and baffling the regulators with bullshit over, rather than just take it on the chin.

    They're also one of the worst manufacturers for getting "goodwill" out of (a contribution to the costs associated with a major component failure when the vehicle is just out of warranty)[2].

    I'm amazed anyone touches the ruddy things with a bargepole.

    They must have the world's best PR department, as the actual quality of their products and their attitude to customer service is pretty much the exact opposite of public perception. Presumably their legal department is always busy keeping a lid on anyone or thing trying to tell the truth. If everything in life really were as reliable as a Volkswagen, the human race would have died out eons ago.

    [1] Look up VW ABS/ESP unit failures (mainly Golf models, but most affected) and Passat injector failures here.

    [2] Exploding 1.4TSI engines for a start. Those make the legendarily iffy Rover "K" series look like a paragon of reliability.

    1. Vic

      Re: Typical.

      "the actual quality of their products and their attitude to customer service is pretty much the exact opposite of public perception."

      Indeed.

      I laid out my past grief with VW in a post here. The actual fault was that they had cheapskated on the wiring - all the connectors had barbed bits to accept a rubber strain-relief boot, but they hadn't fitted any. This probably saved about £2 per car - at the cost of problems later in life.

      The bigger issue, IMHO, was the run-around the stealer gave us whilst failing to fix the (somewhat obvious) problem...

      Vic.

      1. Alan Brown Silver badge

        Re: Typical.

        "The actual fault was that they had cheapskated on the wiring"

        A lot of current VAG models have the engine control and other computers in the bottom of the footwells.

        Where water can build up.

        Without being IP67 rated.

  9. John Geek
    Pint

    I think I'll stick with my 20 year old Mercedes, and its real key, with no remote-unlock at all. the key arms and disarms the alarm system, and if you somehow get into the car when it's armed (maybe I left the top down?) the starter motor is disabled. the ignition lock and whole under-dash are well armored so the old hollywood trope of ripping out the wires to hotwire it doesn't work so good.

    oh, and the keys are a tricky steel side-milled key most key machines can't duplicate.

    1. Yugguy

      Aye, I might well stick with my old but low mileage and well-maintained Ford Focus TDCI, a car literally NOONE wants to steal.

    2. Anonymous Coward
      Anonymous Coward

      Alarm? Luxury!

      There is really no point in having an alarm in my 2CV.

      Or locks, for that matter, as you can roll open the roof.

      Yet, it's one of the brands seen in a leading role in a Bond movie (admittedly quite a while back, but hey, I take what I can get :) ).

      1. Ed 13
        Go

        Re: Alarm? Luxury!

        I even heard Roger Moore say that it was his favourite Bond Car!

    3. Michael Wojcik Silver badge

      Indeed. I like my Volvo (insofar as I like any car, which is grudgingly), and it has a lovely engine and other nice features. But oh how I wish I could have gotten it with a mechanical ignition switch and locks rather than the stupid transponder.

    4. 404
      Pirate

      'oh, and the keys are a tricky steel side-milled key most key machines can't duplicate.'

      Hmm, I'm thinking I could 3d print it... would need a good image though.

      edit... holy shit this is old! lol

  10. Kubla Cant
    FAIL

    Security by obscurity

    Did nobody explain to the dotards in the UK High Court of Justice that by granting VW an injunction they were enforcing security by obscurity, and that it never works?

    1. Alan Brown Silver badge

      Re: Security by obscurity

      The lesson here for critical security issues is to arrange embargoed copies somewhere else in the world which will be published anyway.

      And tell the judge that it's already been distributed PRIOR to the order being sought.

      Or simply not bother to tell VW in advance - they've amply demonstrated that they don't give a shit about anything except PR and profit. (I'd still put embargoed copies out, in case they get wind of the paper and take action)

      Bear in mind that next time, VW or its ilk will go for ex-parte orders complete with gagging superinjunctions.

  11. Gruezi
    Trollface

    Beware the porch stealers!

    "...and Porches that use Megamos Crypto transponders can be stolen."

    Thankfully our Porch has a screen door with a latch so I guess we are safe.

    *phew*

    ;-)

  12. ravenviz Silver badge
    Devil

    I use double security: first cover the steering wheel in shit, second fill the car with wasps.

    1. jackandhishat
      Flame

      May as well set the thing on fire while you're at it!

    2. Steven Raith

      My car will never be stolen as

      A: It's a girls car, apparently

      B: It's one of three of the colour and type within 100 square miles

      C: It's a complete bloody shed. Haven't washed it in about five months as doing 100 miles a day means it's covered in flies after a week anyway. It's due a wash really, before it turns even more brown (the other brown is rust).

      Never had anyone mess with it. My Micra got more trouble.

      Steven R
