Car Thieves Can Unlock 100 Million Volkswagens with a Simple Wireless Hack

In Brief

Some 100 Million cars made by Volkswagen are vulnerable to a key cloning attack that could allow thieves to unlock the doors of most popular cars remotely through a wireless signal, according to new research.

Next time when you leave your car in a parking lot, make sure you don't leave your valuables in it, especially if it's a Volkswagen.

What's more worrisome?

The new attack applies to practically every car Volkswagen has sold since 1995.

There are two distinct vulnerabilities present in almost every car sold by Volkswagen group after 1995, including models from Audi, Skoda, Fiat, Citroen, Ford and Peugeot.

Computer scientists from the University of Birmingham and the German engineering firm Kasper & Oswald plan to present their research [PDF] later this week at the Usenix security conference in Austin, Texas.

Attack 1 — Using Arduino-based RF Transceiver (Cost $40)

The first attack can be carried out using a cheap radio device that can be made for just $40 with a small control board and a radio receiver, but is capable of eavesdropping and recording the rolling code values used by keyless entry systems.

The code values are included in the signal sent every time a driver presses the key fob's buttons, which is then used together to emulate a key that is unique to every vehicle.

The researchers then managed to reverse engineer one component inside a Volkswagen's network and were able to extract a cryptographic key that is shared among millions of Volkswagen vehicles.

Now, combining the two supposedly secret keys, the researchers were able to clone the key fob and access to the car.
"With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control," the researchers wrote in their paper. "Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times."
Although the team did not reveal the components they used to extract the keys to prevent potential car hackers from exploiting the weakness.
πŸ” Mastering API Security: Understanding Your True Attack Surface

Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!

Join the Session

However, they warned that if skilled hackers find and publicize those shared keys, each one could leave tens of Millions of cars vulnerable.

In past 20 years, just the four most common keys are used in all the 100 Million cars sold by Volkswagen. Only the most recent VW Golf 7 model and others that use unique keys are immune to the attack.

Attack 2 — Hijack with HiTag2 and A Radio Device in 60 Seconds

In the second attack, the team managed to attack a cryptographic scheme called HiTag2 -- decades old rolling code scheme but still used in Millions of vehicles, including Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.

To carry out this attack, all a hacker needs is a radio setup similar to the one used in the above hack.

Using a radio device, the researchers were able to intercept and read a string of the coded signals (rolling code number that changes unpredictably with every button press) from the driver's key fob.

With the collection of rolling codes, the researchers discovered that flaws in the HiTag2 scheme would allow them to crack the cryptographic key in as little as one minute.

Since the above two attacks focus on unlocking cars rather than stealing them, the lead researcher Flavio Garcia told Wired these attacks might be combined with already exposed bugs in the HiTag2 and Megamos 'immobilizer' systems, allowing "Millions of Volkswagens and other vehicles ranging from Audis to Cadillacs to Porsches to be driven by thieves."

Also Read: RollJam — $30 Device That Unlocks Almost Any Car And Garage Door

This is not the first time this team of researchers has targeted Volkswagen, it discovered a way to start Volkswagen cars' ignitions in 2013, but had to withhold their findings for two years because VW Group threatened to sue them.

The researchers have reported the flaws to VW Group and agreed not to disclose the cryptographic keys, part numbers of vulnerable components, and how they reverse-engineered the processes.

Car hacking is a hot topic today. Recently, security researcher Benjamin Kunz Mejri disclosed zero-day flaws resided in the official BMW web domain and ConnectedDrive portal that allowed attackers to tamper remotely with BMW's In-Car Infotainment System.

Previous research demonstrated hackers capabilities to hack a car remotely and control its steering and brakes and to disable car's critical functions like airbags by exploiting security bugs affecting significant automobiles.

Keeping these risks in mind, in April this year, the Michigan state Senate proposed two bills that introduce life sentences in prison for people who hack into cars' electronic systems. Also, the FBI issued a public announcement warning people about the risks of car hacking.

So, folks, your cars are not a safe place.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.