Incident Details

Incident: Security Flaw in Car Immobiliser Systems Leads to Vulnerability

Published Date: 2015-08-18

Postmortem Analysis
Timeline	1. The software failure incident happened in 2013 [38774].
System	1. Swiss-made immobiliser system, Megamos Crypto [38774]
Responsible Organization	1. Volkswagen [38774]
Impacted Organization	1. Car manufacturers including Audi, Citroën, Fiat, Honda, Volvo, and Volkswagen were impacted by the software failure incident [38774].
Software Causes	1. Vulnerabilities in the Swiss-made immobiliser system, Megamos Crypto, which allowed for close-range wireless communication attacks [38774].
Non-software Causes	1. Lack of proper security measures in the design of the Swiss-made immobiliser system, Megamos Crypto, which allowed for vulnerabilities to be exploited [38774]. 2. Inadequate communication and collaboration between the researchers and car manufacturers, leading to a delay in addressing the security flaws [38774]. 3. Legal actions taken by Volkswagen to suppress the publication of the academic paper, hindering the dissemination of crucial security information [38774].
Impacts	1. The software failure incident exposed a major security flaw in over 100 car models, making them vulnerable to "keyless theft" due to weaknesses in the Swiss-made immobiliser system, Megamos Crypto [38774]. 2. The incident led to a delay in the publication of the academic paper by the researchers due to a high court injunction obtained by Volkswagen, impacting the dissemination of crucial security information [38774]. 3. The vulnerability in the car security systems highlighted by the incident raised concerns about electronic hacking of vehicles, with electronic hacking accounting for four out of 10 car thefts in London [38774]. 4. The incident prompted Fiat Chrysler to recall about 1.4 million cars and trucks in the US after hackers demonstrated the ability to take control of a Jeep over the internet, showcasing the broader impact of software vulnerabilities in the automotive industry [38774].
Preventions	1. Implementing stronger encryption protocols and security measures in the Swiss-made immobiliser system, Megamos Crypto, to prevent unauthorized access and attacks [38774]. 2. Conducting thorough security testing and audits on the car models' software systems to identify and address vulnerabilities before they can be exploited by malicious actors [38774]. 3. Enhancing communication and collaboration between researchers, manufacturers, and regulatory bodies to responsibly disclose and address security flaws in a timely manner, rather than suppressing research findings [38774].
Fixes	1. Implementing a software update or patch to fix the security flaw in the Swiss-made immobiliser system, Megamos Crypto, identified by the research team [38774].
References	1. Flavio Garcia, computer scientist at the University of Birmingham 2. Roel Verdult and Bariş Ege, colleagues from Radboud University in Nijmegen 3. Researchers from the University of California, San Diego 4. Fiat Chrysler announcement about recalling cars and trucks in the US [38774]

Software Taxonomy of Faults

Category	Option	Rationale
Recurring	one_organization, multiple_organization	(a) The software failure incident related to car security vulnerabilities due to a major security flaw in the Megamos Crypto immobiliser system has happened again within the same organization, Volkswagen. The incident involved vulnerabilities in the immobiliser system that could be exploited for "keyless theft" [38774]. (b) The software failure incident has also happened at multiple organizations, including Audi, Citroën, Fiat, Honda, and Volvo, in addition to Volkswagen. These car manufacturers were found to have models vulnerable to the same "keyless theft" due to weaknesses in the Swiss-made immobiliser system [38774].
Phase (Design/Operation)	design	(a) The software failure incident in the article is related to the design phase. The security flaw in more than 100 car models was due to weaknesses in the Swiss-made immobiliser system, called Megamos Crypto, which was designed to prevent the engine from starting when the corresponding transponder is not present. The researchers discovered vulnerabilities in the system that allowed for "close-range wireless communication" attacks, enabling potential theft of the vehicles [38774].
Boundary (Internal/External)	within_system, outside_system	(a) within_system: The software failure incident related to the security flaw in more than 100 car models was primarily due to weaknesses found in the Swiss-made immobiliser system, called Megamos Crypto. The researchers discovered vulnerabilities in the system that allowed for "close-range wireless communication" attacks, enabling potential theft of vehicles. This flaw originated from within the system itself, highlighting a critical issue in the design and implementation of the security features [38774]. (b) outside_system: The software failure incident also involved external factors such as the legal battle between the researchers and Volkswagen. The manufacturer suppressed the academic paper for two years by winning a case in the high court to ban its publication. This external factor hindered the disclosure of the security flaw to the public and delayed the necessary actions to address the vulnerability in the affected car models [38774].
Nature (Human/Non-human)	non-human_actions, human_actions	(a) The software failure incident in this case is primarily due to non-human actions. The vulnerability in the Swiss-made immobiliser system, Megamos Crypto, allowed for close-range wireless communication attacks on the vehicles, making them susceptible to theft without direct human involvement [38774]. (b) However, human actions also played a role in this software failure incident. Volkswagen initially suppressed the academic paper exposing the security flaw in various car models by winning a court case to ban its publication. The decision to prevent the release of the information was a human action that delayed the mitigation of the vulnerability [38774].
Dimension (Hardware/Software)	hardware, software	(a) The software failure incident related to hardware: - The article reports a major security flaw in more than 100 car models due to a vulnerability in the Swiss-made immobiliser system, called Megamos Crypto, which is a hardware device designed to prevent the engine from starting when the corresponding transponder is not present [38774]. (b) The software failure incident related to software: - The vulnerability in the immobiliser system was exploited by the researchers through software-based attacks that involved listening to signals sent between the security system and key, making the vehicles vulnerable to close-range wireless communication attacks [38774].
Objective (Malicious/Non-malicious)	malicious	(a) The software failure incident described in the articles is malicious in nature. The security flaw in the car immobiliser system was discovered by researchers who found weaknesses in the system that could be exploited by criminals to steal cars through "keyless theft" [38774]. The incident involved vulnerabilities in the Swiss-made immobiliser system, allowing for close-range wireless communication attacks that could potentially be used by sophisticated criminal gangs to break the security and steal cars [38774]. Volkswagen initially suppressed the publication of the research paper, fearing that it could enable criminals to exploit the security flaws in the system [38774]. The incident highlights how the software vulnerability could be exploited for malicious purposes, indicating a malicious software failure.
Intent (Poor/Accidental Decisions)	unknown	(a) The intent of the software failure incident: - The software failure incident related to the security flaw in car immobiliser systems was not due to poor decisions but rather intentional suppression of the academic paper by Volkswagen. The company won a case in the high court to ban the publication of the paper revealing the vulnerabilities in the Megamos Crypto system used in various car models [38774]. - The researchers involved in uncovering the security weaknesses in the immobiliser system were described as "responsible, legitimate academics doing responsible, legitimate academic work" with the aim to improve security for everyone [38774].
Capability (Incompetence/Accidental)	development_incompetence	(a) The software failure incident related to development incompetence is evident in the article. The academic paper exposing a major security flaw in over 100 car models was suppressed by a major manufacturer for two years. The research team, including Flavio Garcia and his colleagues, discovered vulnerabilities in the Swiss-made immobiliser system used in various car models. Despite the researchers' aim to improve security for everyone, Volkswagen went to court to ban the publication of the paper, citing concerns that it could aid sophisticated criminal gangs in stealing cars [38774]. (b) The software failure incident related to accidental factors is also present in the article. The vulnerabilities in the car immobiliser system, known as Megamos Crypto, were unintentionally discovered by the research team led by Flavio Garcia and his colleagues. The researchers found weaknesses in the system that could be exploited through close-range wireless communication attacks, highlighting how vulnerabilities can be accidentally uncovered during security research efforts [38774].
Duration	temporary	The software failure incident described in the articles can be categorized as a temporary failure. The security flaw in the car models, specifically related to the vulnerability of the Megamos Crypto immobiliser system, was not a permanent issue but rather a temporary one that could be addressed. The incident was not a fundamental flaw in the design of the system but rather a specific weakness that could be exploited under certain circumstances, such as close-range wireless communication attacks [38774]. The fact that the researchers were able to propose a solution by removing one sentence from the original manuscript indicates that the issue was not a permanent failure but rather a specific vulnerability that could be mitigated.
Behaviour	omission, value, other	(a) crash: The articles do not mention a software failure incident related to a crash where the system loses state and does not perform any of its intended functions. (b) omission: The software failure incident mentioned in the articles is related to omission. The vulnerability in the car immobiliser system allowed for the omission of its intended function to prevent the engine from starting when the corresponding transponder was not present. This omission led to the vulnerability of the vehicles to "keyless theft" [Article 38774]. (c) timing: The articles do not mention a software failure incident related to timing, where the system performs its intended functions correctly but too late or too early. (d) value: The software failure incident mentioned in the articles is related to value. The Megamos Crypto immobiliser system performed its intended function incorrectly, allowing for the disabling of the security system and making the vehicles vulnerable to theft [Article 38774]. (e) byzantine: The articles do not mention a software failure incident related to a byzantine behavior, where the system behaves erroneously with inconsistent responses and interactions. (f) other: The other behavior described in the articles is related to a security flaw in the car immobiliser system that allowed for close-range wireless communication attacks, enabling potential theft of vehicles. This behavior falls under the category of a security vulnerability or flaw in the system [Article 38774].

IoT System Layer

Layer	Option	Rationale
Perception	sensor, processing_unit, network_communication, embedded_software	(a) sensor: The software failure incident mentioned in the articles is related to a vulnerability in the Swiss-made immobiliser system, called Megamos Crypto, which is a security system designed to prevent the engine from starting when the corresponding transponder (embedded in the key) is not present. The researchers discovered weaknesses in this system that allowed for "close-range wireless communication" attacks, indicating a potential sensor error in detecting the presence of the key transponder [38774]. (b) actuator: The articles do not specifically mention any failure related to actuator errors. (c) processing_unit: The software failure incident discussed in the articles involves vulnerabilities in the immobiliser system's processing unit, which interacts with the transponder in the key. The researchers were able to intercept signals between the security system and key, indicating potential processing errors in the system that could be exploited for theft [38774]. (d) network_communication: The software failure incident involves vulnerabilities in the communication between the immobiliser unit and the transponder in the key, which allowed for close-range wireless communication attacks. This indicates a potential network communication error that could be exploited by attackers [38774]. (e) embedded_software: The vulnerability in the Swiss-made immobiliser system, Megamos Crypto, suggests a potential error in the embedded software of the system. The researchers were able to exploit weaknesses in the system's software to disable the security features and make the vehicles vulnerable to theft [38774].
Communication	link_level	The software failure incident described in the articles is related to the communication layer of the cyber physical system that failed at the link_level. The researchers discovered weaknesses in the Swiss-made immobiliser system, Megamos Crypto, which works by preventing the engine from starting when the corresponding transponder is not present. They were able to exploit close-range wireless communication vulnerabilities to disable the security system and steal cars [38774].
Application	TRUE	The software failure incident described in the provided article [38774] was related to the application layer of the cyber physical system. The failure was due to a major security flaw in the Swiss-made immobiliser system, called Megamos Crypto, used in more than 100 car models. The researchers discovered weaknesses in the system that allowed for "close-range wireless communication" attacks, enabling potential theft of vehicles through disabling the security system. This vulnerability was exploited by intercepting signals between the security system and the key, showcasing a flaw at the application layer of the system [38774].

Other Details

Category	Option	Rationale
Consequence	property, non-human, theoretical_consequence	(a) unknown (b) unknown (c) unknown (d) Property: The software failure incident led to the vulnerability of car models to "keyless theft" due to a major security flaw in the immobiliser system, potentially impacting people's material goods (cars) [38774]. (e) unknown (f) Non-human: The software failure incident affected car models from various manufacturers, making them vulnerable to hacking and theft due to weaknesses in the security system [38774]. (g) unknown (h) Theoretical_consequence: There were discussions about potential consequences of the software failure incident, such as enabling sophisticated criminal gangs to break the security and steal cars, although there were no reported real observed consequences [38774]. (i) unknown
Domain	transportation	(a) The failed system was related to the transportation industry as it involved vulnerabilities in the security systems of various car manufacturers, making the vehicles vulnerable to theft [Article 38774]. (j) The incident also highlighted the impact on the transportation industry as electronic hacking of vehicles has become a rising concern, with researchers demonstrating the ability to remotely control car functions like windscreen wipers and brakes [Article 38774].

Sources

Security flaw affecting more than 100 car models exposed by scientists - The Guardian - Published on: 2015-08-18
Article ID: 38774

Back to List