Volkswagen hack renders millions of car locks useless

The keyless entry security system in nearly a hundred million Volkswagen group cars is vulnerable to a simple hack that could grant entry in under a minute, researchers have warned. Security experts at the University of Birmingham in the UK have identified a tiny handful of common codes which the automaker apparently used across cars with VW, Audi, Seat, and Skoda badges from 1995 onward, with only the very latest models switching to a more secure system.

The exploit is based on a combination of eavesdropping and reverse-engineering analysis of Volkswagen's security systems, the researchers have explained. The latter revealed a small number of cryptographic key values that are relied upon by millions of cars from the company's various brands.

On its own that would be insufficient for gaining entry to the car, but it's a different story when combined with a unique ID held by each vehicle. Unfortunately, that ID is transmitted whenever the remote unlock button on the key is pressed.

With some fairly basic equipment – you could outfit an Arduino board with the radio components required, and have something small enough to slide into a pocket – that ID could be grabbed. You'd need to be fairly close to the target vehicle to receive it, less than around 300 feet or so, but it's still distressingly straightforward.

One possibility, researcher Flavio Garcia and the team suggests, is that hackers could leave an eavesdropping device in a parking lot or at a dealership, harvesting every button press and then later unlocking multiple cars.

The security team is not revealing where it sourced the cryptographic keys from in Volkswagen's code, in an attempt to make replicating the research in the wild more difficult. Meanwhile, VW says that it has switched system in its most recent models, closing the loophole.

"This current vehicle generation is not afflicted by the problems described," a spokesperson told Reuters, naming the current Golf, Tiguan, Touran, and Passat as immune specifically.

Exactly how the automaker plans to patch the exploit for those not lucky enough to have a shiny new car on their driveway remains to be seen. VW met with the research team in February this year, having been shown an early version of the paper they produced from their findings, and the two agreed that certain key details would be omitted so as to reduce the likelihood of copycat hacks.

It's unclear whether Volkswagen's luxury and performance brands like Bugatti, Bentley, Lamborghini, and Porsche are also susceptible, since the researchers focused on the group's more mass-market vehicles.

Car hacking has become high profile in recent years, as the growth in connected car technology has spread from a handful of high-end models down into the mainstream. Volkswagen itself, for instance, is working on the so-called VW Cross-Over Program, which would see cars and other internet-connected devices such as smart home equipment and wirelessly-enabled locks communicate through the crowd.

That may be convenient, but it could also be dangerous, experts have warned. Car hacking is predicted to be the next big thing in security exploitation, the FBI said earlier this year, something which VW joins a lengthy list of automakers that have already discovered.

MORE University of Birmingham [PDF link]