Volkswagen is in a lot of trouble for installing software on some of its diesel cars that figures out when they are undergoing emissions tests so it can adjust the cars to put out nitrogen oxide at acceptable levels.
That’s likely to win the company billions of dollars in fines, but it’s not the first time the company has hidden problems rather than fix them.
Just last month, security researchers delivered a paper that showed three ways to get around the Volkswagen lockout system that prevents its cars from being started unless the correct key with the correct chip embedded is used to crank it over.
The paper was noteworthy for the ingenuity of the three attacks it outlines but also for the length of time it sat on the shelf before being delivered to the public. It was ready to go back in 2013 but Volkswagen got a court order to block it then, and that was nearly a year after the researchers had told the manufacturers of the hardware about it under the principle of responsible disclosure.
So Volkswagen knew its vehicle immobilizer system could be hacked but, rather than fix it, decided to hide details of the problem using court orders.
There is a good reason for this stance: economics. Fixing the problem would mean massive recalls to swap out not only the keys but also the transponders attached to the ignition system that talk to the keys – a labor-intensive and therefore costly process.
Meanwhile Volkswagen held the injunction against the researchers, and only after two years of negotiations was the paper finally read at the 22nd USENIX Security Symposium last month, with a single line deleted that would have revealed a crucial piece of data someone else could use to carry out the attacks.
The flaw being exploited was in the hardware and its implementation and was not limited to Volkswagens, but Volkswagen was the company that took the lead in blocking the paper.
Hiding a flaw is not a way to fix it. If white-hat researchers can figure out an exploit, so can attackers looking to steal cars, and who’s to say they haven’t?