The researchers said VW’s latest Golf 7 model and others that use the same locking system are immune to the hack because they use unique security keys. Most VWs, however, still use the older, vulnerable tech. Neither of the two hacks, which use different methods, do more than let thieves unlock and enter the cars, which of course would enable them to steal the contents. They’d have to use other tricks to start the engine and steal the car.
“It’s a bit worrying to see security techniques from the 1990s used in new vehicles.”
The research team, lead by Flavio Garcia of the University of Birmingham, discovered the ability to start millions of VW Group cars in 2013 but due to a lawsuit didn’t make that potential hack public until 2015. Now the team is back and, with the German engineering firm Kasper & Oswald, are reporting another hack to wirelessly unlock doors that affects nearly 100 million VWs.
A similar hack found by the team works with millions of other vehicles including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
The researchers did not fully disclose in the public paper exactly how they broke into the systems, not wanting to give real thieves that edge. They did, however, say that after “tedious reverse engineering” of a single component of VW’s onboard vehicle network, they found a cryptographic key value used by millions of vehicles. With remote radio eavesdropping, they could then discover the second “secret” key used by an owner when locking and unlocking a car. The first cryptographic key, the one stored in an internal component, is one of four common keys used in most of nearly 100 million VWs. The four crypto keys are stored in different components, but Garcia and his team found them all.
The researchers didn’t use crazy complex technology to break the vehicle codes. Garcia said it can be done with a “software-defined radio” connected to a laptop. And an even smaller device could be constructed for about $40 using an Arduino board — a programmable circuit board — connected to a radio receiver.
For the second hack, the one that works with millions of vehicles from other manufacturers, Garcia’s team took advantage of an out-of-date cryptographic method called HiTag2. In this case, they didn’t need to find internal keys but were able to use the same radio scanning setup to find one of eight rolling codes to discover the codes used by a vehicle owner.
According to Wired, the researchers said VW acknowledged the vulnerability they discovered. The semiconductor company that sells chips with the HiTag2 legacy crypto system, NXP, said it has been recommending that customers use newer algorithms for years.
Commenting on the current state of vehicle locking system vulnerabilities, Garcia said, “It’s a bit worrying to see security techniques from the 1990s used in new vehicles. If we want to have secure, autonomous, interconnected vehicles, that has to change.”
For now, however, if you have one of the vulnerable vehicles, the researchers suggest people not assume their cars and trucks are “safeboxes” and avoid leaving valuables inside. Even greater security would involve leaving remote keyfobs at home and manually unlocking and locking cars with physical keys — a strategy that won’t work with newer cars that are totally keyless.
