Almost all cars sold by VW Group since 1995 at risk from unlock hack

Graham Cluley

Cluley 250 thumb

Wired writes:

Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Skoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers are led by University of Birmingham computer scientist Flavio Garcia, who was previously blocked by a British court, at the behest of Volkswagen, from giving a talk about weaknesses in car immobilisers.

At the time Volkswagen argued that the research could “allow someone, especially a sophisticated criminal gang with the right tools, to break the security and steal a car.” That researchers finally got to present their paper a year ago, detailing how the Megamos Crypto system – an RFID transponder that uses a Thales-developed algorithm to verify the identity of the ignition key used to start motors – could be subverted.

The team’s latest research doesn’t detail a flaw that in itself could be exploited by car thieves to steal a vehicle, but does describe how criminals located within 300 feet of the targeted car might use cheap hardware to intercept radio signals that allow them to clone an owner’s key fob.

The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and access to the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

Sounds to me like it’s time to turn to the car manufacturers to ask what on earth they are going to do to fix the millions of potentially vulnerable vehicles they have sold in the last couple of decades.

Read more, including the researcher’s paper, on Wired.

Graham Cluley Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy. Follow him on Twitter at @gcluley, or drop him an email.

2 Replies to “Almost all cars sold by VW Group since 1995 at risk from unlock hack”

  1. The biggest shame is that VW tried to keep the researchers from publishing their results. I am looking forward to hearing what they are going to do about it, too!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.