Report: 100M VW Vehicles Vulnerable To Remote Hack

Image courtesy of frankieleon

Owning a vehicle with keyless entry is often a convenience: Forget your key? Just enter a code. But for the owners of more than 100 million Volkswagen vehicles, that convenience has been turned into a doorway for hackers. 

A group of security researchers from the University of Birmingham in the UK and German security firm Kasper & Oswald released a report [PDF] on Thursday detailing what they believe is a massive security flaw in millions of VW vehicles made during the past two decades, Wired reports.

According to the report, certain Audi A1, Q3, R8, S3, TT, as well as VW Beetle, Golf 4, Golf 5, Golf 6, Golf Plus, Jetta, Passat, Tiguan, and Touran vehicles sold from 2005 to 2016 are vulnerable to key-cloning attacks that leave the ignition and keyless entry system open to hacks.

The researchers first discovered the hack after reverse-engineering the keyless entry systems in a variety of VW models.

As a result, the engineers found that an attack could be carried out using commercially available radio and a laptop to capture the signal sent when an owner hits the “unlock” button on a key fob and cryptographic key value that is shared among millions of VW vehicles.

With this information, the hacker can create its own “key” to access the vehicle.

“You only need to eavesdrop once,” Birmingham researcher David Oswald said. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

The crux of the issue, researchers say is the fact that VW relied on just four types of cryptographic key values for the keyless systems for most vehicles sold over the last two decades.

VW has been notified of the issue, the engineers say, noting that they have agreed not to share the specific keys or how they reverse-engineered the process.

As for fixing the issue, the researchers say it won’t be easy for the car company.

“These vehicles have a very slow software development cycle,” Flavio Garcia, another researcher on the project, tells Wired. “They’re not able to respond very quickly with new designs.”

The researchers suggest that owners of potentially affected vehicles avoid leaving valuables inside.

New Wireless Hack Can Unlock 100 Million Volkswagens [Wired]

Want more consumer news? Visit our parent organization, Consumer Reports, for the latest on scams, recalls, and other consumer issues.