Weaknesses in Volkswagen’s wireless security leave 100 million cars at risk of being unlocked and started remotely, researchers say. The problem could affect Volkswagens going back to 1995. VW managed to delay publication of a University of Birmingham (UK) paper for two years, though the remote start hack has been out for about a year. More recent digging, just now made public, by Birmingham’s Flavio Garcia and fellow researchers, determined VW car doors are vulnerable to hacking with a simple $40 Arduino radio device.
Researchers from the University of Birmingham and from Kasper & Oswald, a German engineering group, were in Austin, TX, at the Usenix security conference this week unveiling their findings. There are two separate weaknesses, according to a report in Wired: one affecting the keyless entry systems of an estimated 100 million vehicles, including VW and its subsidiaries such as Audi and Skoda, and another affecting the likes of Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot. This is atop the previously disclosed VW Group ignition system hack.
All that’s required to get into the car door hacking business is an Arduino board with a radio receiver attached, or a software-defined radio linked to a laptop. Birmingham’s Garcia called the board design “trivial.” The result functions “exactly like the original remote.”
The researchers say the VW vulnerability is especially troubling. Only a handful of shared encryption keys are embedded in various modules on Volkswagens. (The researchers aren’t saying which modules.) It’s a “tedious” but doable task to extract the shared key. They estimate just four shared key codes are used in 100 million Volkswagens.
Having those codes in hand, the hacker needs only to head to a parking lot with VWs and be within about 300 feet to intercept the encrypted key code that’s specific to each car. By appending the car-specific code to each of those four master codes, the hacker may have a code that locks and unlocks the car repeatedly. The hacker could port the code to an electronic key fob. It was noted that newer VWs have unique keys that make them immune to attack.
Another hack targets the aging (but still used) HiTag2 cryptographic scheme. Rather than extract part of the key from an internal component, hackers grab a rolling key code. Intercept eight such codes, and it may be possible to break the encryption within one minute. To get a bunch of codes in a hurry, it’s suggested that the attacker would jam the car’s receiver so the owner tries again and again.
Fixes for existing cars aren’t easy or inexpensive. If enough cars get broken into or stolen, the lawsuits will follow, and the automakers may be forced to fix old cars. (Buybacks, anyone?) For cars not yet designed, it’s a matter of invoking better encryption techniques and constantly enhancing them, not relying on recycled 1990s encryption schemes.
Cars have been successfully hacked in the past because automakers didn’t have enough devious-minded people on their engineering staffs — or else they trusted humans too much. For instance, a decade ago, automakers didn’t envision the massive rolling attacks that tried code after code. The car’s response should be to shut down the remote door locks if the car received, for instance, 10 different key codes inside of 30 seconds. That allows for a reasonable number of neighboring cars’ remote unlock signals, but not the massive attack that sends out hundreds of key code attempts per minute.
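The lockout rule described above, sketched as receiver-side logic in C; this is an added example, not code from the researchers or any automaker. The names `rke_limiter`, `rke_reject` and `rke_locked` are hypothetical, and the 60-second lockout length and the choice to count only codes that failed validation are assumptions, since the article specifies neither.

```c
#include <stdbool.h>
#include <stdint.h>

#define WINDOW_S     30u  /* article: "inside of 30 seconds" */
#define MAX_DISTINCT 10u  /* article: "10 different key codes" */
#define LOCKOUT_S    60u  /* assumption: the article gives no lockout length */

typedef struct {
    uint64_t code[MAX_DISTINCT];    /* distinct rejected codes in the window */
    uint32_t seen_at[MAX_DISTINCT]; /* first-seen time of each, in seconds */
    unsigned count;
    bool     locked;
    uint32_t locked_at;
} rke_limiter;

/* True while remote unlock is shut down; the lockout expires on its own. */
bool rke_locked(rke_limiter *l, uint32_t now)
{
    if (l->locked && now - l->locked_at >= LOCKOUT_S)
        l->locked = false;
    return l->locked;
}

/* Record a code that failed validation; returns true if now locked out. */
bool rke_reject(rke_limiter *l, uint64_t code, uint32_t now)
{
    unsigned kept = 0;

    if (rke_locked(l, now))
        return true;
    for (unsigned i = 0; i < l->count; i++) {   /* expire old entries */
        if (now - l->seen_at[i] < WINDOW_S) {
            l->code[kept] = l->code[i];
            l->seen_at[kept] = l->seen_at[i];
            kept++;
        }
    }
    l->count = kept;
    for (unsigned i = 0; i < l->count; i++)     /* repeats are not new guesses */
        if (l->code[i] == code)
            return false;
    l->code[l->count] = code;
    l->seen_at[l->count] = now;
    if (++l->count < MAX_DISTINCT)
        return false;
    l->count = 0;                               /* threshold hit: lock out */
    l->locked = true;
    l->locked_at = now;
    return true;
}
```

A limiter like this only addresses floods of guessed codes; it does nothing against the shared-key and HiTag2 weaknesses above, where the cloned remote sends a code the car accepts as valid.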