Keyless car theft, in which hackers worm their way into electronic locks and immobilizers, now accounts for 42 percent of stolen vehicles in London.
BMWs and Range Rovers are particularly at risk, police say, and can be in the hands of a technically minded criminal within 60 seconds.
Officers in Kensington & Chelsea are being instructed to stop all drivers of Range Rovers to check they own the vehicle because of the number of these cars being stolen using “keyless” entry methods.
This followed the borough topping the league for “car hacking” thefts in London.
Now Bloomberg has revealed that thousands of cars from a host of manufacturers have spent years at risk of electronic car-hacking, according to expert research that Volkswagen has spent two years trying to suppress in the courts.
Apart from BMWs and Range Rovers, security researchers have discovered a similar vulnerability in keyless vehicles made by several carmakers.
The weakness affects the Radio-Frequency Identification (RFID) transponder chip used in immobilizers. It was discovered in 2012, says Bloomberg, but carmakers sued the researchers to prevent them from publishing their findings.
This week the paper – by Roel Verdult and Baris Ege from Radboud University in the Netherlands and Flavio Garcia from the University of Birmingham, U.K. – is being presented at the USENIX security conference in Washington, D.C.
The authors detail how the cryptography and authentication protocol used in the Megamos Crypto transponder can be targeted by malicious hackers looking to steal luxury vehicles.
The Megamos is one of the most common immobilizer transponders, used in Volkswagen-owned luxury brands including Audi, Porsche, Bentley and Lamborghini, as well as Fiats, Hondas, Volvos and some Maserati models.
"This is a serious flaw and it's not very easy to quickly correct," explained Tim Watson, Director of Cyber Security at the University of Warwick. "It isn't a theoretical weakness, it's an actual one and it doesn't cost theoretical dollars to fix, it costs actual dollars."
Immobilizers are electronic security devices that stop a car's engine from running unless the correct key fob (containing the RFID chip) is in close proximity to the car. They are supposed to prevent traditional theft techniques like hot-wiring, but can be bypassed, for example by amplifying the signal.
In this case, however, researchers broke the transponder's 96-bit cryptographic system, by listening in twice to the radio communication between the key and the transponder. This reduced the pool of potential secret key matches, and opened up the "brute force" option: running through 196,607 options of secret keys until they found the one that could start the car. It took less than half an hour.
"The attack is quite advanced, but VW produces a lot of very high-end vehicles that get stolen to order. The criminals involved are more sophisticated than the sorts who just steal your keys and drive off with your car," said security researcher Andrew Tierney, quoted by Bloomberg.
There's no quick fix for the problem - the RFID chips in the keys and transponders inside the cars must be replaced, incurring significant labor costs, says the report.
The research team first took its findings to the manufacturer of the affected chip in February 2012 and then to Volkswagen in May 2013. The car-maker filed a lawsuit to block the publication of the paper - arguing that its vehicles would be placed at risk of theft - and was awarded an injunction in the U.K.'s High Court. Now, after lengthy negotiations, the paper is finally in the public domain - with just one sentence redacted.
"This single sentence contains an explicit description of a component of the calculations on the chip," Verdult said, adding that by removing the sentence it was much more difficult to recreate the attack.
A VW spokesman is quoted: "Volkswagen maintains its electronic as well as mechanical security measures technologically up-to-date and also offers innovative technologies in this sector."
Anti-theft protection is generally still ensured, he added, even for older models, because criminals need access to the key signal to hack the immobilizer. "Current models, including the current Passat and Golf, don't allow this type of attack at all," he said.
The Megamos Crypto is not the only immobilizer to have been targeted in this way – other popular products including the DST transponder and KeeLoq have both been reverse-engineered and attacked by security researchers.
Scotland Yard says thefts of Range Rovers now make up 10 per cent of all “keyless” thefts in London - while BMW makes up 15 per cent of the total.
The Evening Standard has highlighted the new surge in thefts of luxury Range Rovers in Kensington & Chelsea last month. In one Chelsea street residents said four luxury vehicles, including three Range Rovers, were stolen within weeks.
Met chief Sir Bernard Hogan-Howe told a meeting of the Mayor’s Office for Policing that in some boroughs ten vehicles were being stolen using the new tactic every night.