Wireless hack can unlock and start 100m Volkswagen vehicles

12 Aug 2016

Researchers claim thieves could potentially unlock and start 100m Volkswagen vehicles using cheap radio equipment

A team of researchers at the University of Birmingham has revealed a vulnerability that allows hackers to unlock and start the ignition of potentially hundreds of millions of Volkswagen vehicles using cheap radio equipment.

After running the gauntlet of a lawsuit that delayed the publication of its research for two years, the team’s research estimates that up to 100m vehicles – almost every car Volkswagen has sold since 1995 – can be unlocked and started using software-defined radio (SDR).

The university team of hackers, led by Flavio Garcia, was able to reverse-engineer an undisclosed Volkswagen component to extract a cryptographic code that is common to many of the vehicles, including makes like Audi and Škoda

When combined with unique information on the car’s key fob that can be obtained wirelessly, hackers and car thieves can clone the fob and unlock and start the car.

The team’s findings are to be unveiled this week at the Usenix security conference in Austin.

A second vulnerability discovered by the team affects many more makes of cars, including Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

Electronic eavesdropping

Electronic eavesdropping can be used to access older cryptographics in key fobs called HiTag2 and the university hackers were able to crack the encryption in these fobs in under a minute.

Both attacks use a cheap and easily available piece of radio hardware that intercepts signals from a victim’s key fob and then uses the captured signal to clone a key.

The attack package, including an Arduino board and a radio receiver, can be put together from any electronics store for less than $40.

The Achilles heel appears to be the use of common codes in Volkswagen fobs – the four most common ones can be used to access 100m vehicles sold in the last 20 years.

The researchers were able to break a transponder’s 96-bit cryptographic system by listening in twice to the radio communications between the key and transponder within 300 feet.

This reduced the pool of secret matches and by using brute force and running through 196,607 options of secret keys the team was able to start the car within half an hour.

New cars with keyless systems are also vulnerable to digital car thieves

The news is little comfort to car owners who were shaken by similar research earlier this year that found hackers have cottoned on to ways of cloning fobs for car models with keyless entry systems through radio amplification attacks.

In March, German vehicle group ADAC claimed that it performed a radio amplification attack on up to 24 cars.

Keyless car keys work by being in proximity to the car door and ignition. By amplifying the signal, hackers can not only unlock target vehicles but also drive them away.

An attack device to carry out such attacks can be procured for just $225.

Volkswagen key image Via Shutterstock

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years