Thieves can wirelessly unlock up to 100 million Volkswagens, each at the press of a button

Shared global security keys blamed

By John Leyden

Posted in Security, 11th August 2016 16:00 GMT

Security researchers will demonstrate how crooks can break into cars at will using wireless signals that can unlock millions of vulnerable vehicles.

The eggheads, led by University of Birmingham computer scientist Flavio Garcia alongside colleagues from German engineering firm Kasper & Oswald, have managed to clone a VW Group remote control key fob after eavesdropping on the gizmos' radio transmissions.

The hack can be used by thieves to wirelessly unlock as many as 100 million VW cars, each at the press of a button. Almost every vehicle the Volkswagen group has sold for the past 20 years – including cars badged under the Audi and Skoda brands – is potentially vulnerable, say the researchers. The problem stems from VW’s reliance on a “few, global master keys.”

El Reg asked Volkswagen to comment on the findings, but we didn’t hear back at the time of going to press. We’ll update this story as and when we hear anything more.

During an upcoming presentation at the Usenix security conference, titled "Lock It and Still Lose It — on the (In)Security of Automotive Remote Keyless Entry Systems" (abstract below), the researchers are also due to outline a different set of cryptographic flaws in keyless entry systems as used by car manufacturers including Ford, Mitsubishi, Nissan and Peugeot.

The two examples are designed to raise awareness and show that keyless entry systems are insecure and ought to be re-engineered in much the same way that car immobilisers were previously shown to provide less than adequate protection.

While most automotive immobiliser systems have been shown to be insecure in the last few years, the security of remote keyless entry systems (to lock and unlock a car) based on rolling codes has received less attention. In this paper, we close this gap and present vulnerabilities in keyless entry schemes used by major manufacturers.

In our first case study, we show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys. We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorised access to a vehicle by eavesdropping a single signal sent by the original remote.

Secondly, we describe the Hitag2 rolling code scheme (used in vehicles made by Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford among others) in full detail. We present a novel correlation-based attack on Hitag2, which allows recovery of the cryptographic key and thus cloning of the remote control with four to eight rolling codes and a few minutes of computation on a laptop. Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles.

Garcia was previously blocked from giving a talk about weaknesses in car immobilisers following a successful application to a British court by Volkswagen. This earlier research on how the ignition key used to start cars might be subverted was eventually presented last year, following a two-year, legally enforced postponement.

The latest research shows how tech-savvy thieves might be able to unlock cars locked by the vehicles' owners without covering how their engines might subsequently be turned on.

WiReD reports that both attacks might be carried out using a cheap $40 piece of radio hardware to intercept signals from a victim’s key fob. Alternatively, a software defined radio rig connected to a laptop might be employed. Either way, captured data can be used to make counterfeit kit.

Jason Hart, CTO data protection at Gemalto, said: “The security of connected cars is one of the biggest issues that manufacturers are faced with today as it has the potential to be one of the most dangerous connected ecosystems. While no car, or device for that matter, can ever be 100% unhackable, there are some key security precautions that original equipment manufacturers must incorporate.

“Tamper-proof hardware and software is essential, and manufacturers should ensure that operating software has encryption built in and is signed with securely managed encryption keys, as well as use strong two-factor authentication solutions. To ensure the best protection, authentication and authorisation between the entities and devices exchanging data within the connected car is mandatory and ultimately, it’s about end-to-end security by design – it should never be an afterthought,” Hart concluded. ®
