Skip to main content

100 million Volkswagen vehicles can be unlocked wirelessly by hacker thieves

remote key fobs vulnerable vw 100 million volkswagen vehicles hacked
dambuster/123RF
Is your keyless remote safe? Connected cars face increasing threats as new technologies present hackers and thieves with additional ways to access vehicles. One vulnerability, though, involves older tech — remote key fobs used to unlock cars. Researchers at the Usenix security conference in Austin will soon present a paper outlining two remote unlocking vulnerabilities, one of which puts nearly every Volkswagen Group vehicle manufactured since 1995 in jeopardy, as reported in Wired.

The researchers said VW’s latest Golf 7 model and others that use the same locking system are immune to the hack because they use unique security keys. Most VWs, however, still use the older, vulnerable tech. Neither of the two hacks, which use different methods, do more than let thieves unlock and enter the cars, which of course would enable them to steal the contents. They’d have to use other tricks to start the engine and steal the car.

“It’s a bit worrying to see security techniques from the 1990s used in new vehicles.”

The research team, lead by Flavio Garcia of the University of Birmingham, discovered the ability to start millions of VW Group cars in 2013 but due to a lawsuit didn’t make that potential hack public until 2015. Now the team is back and, with the German engineering firm Kasper & Oswald, are reporting another hack to wirelessly unlock doors that affects nearly 100 million VWs.

A similar hack found by the team works with millions of other vehicles including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers did not fully disclose in the public paper exactly how they broke into the systems, not wanting to give real thieves that edge. They did, however, say that after “tedious reverse engineering” of a single component of VW’s onboard vehicle network, they found a cryptographic key value used by millions of vehicles. With remote radio eavesdropping, they could then discover the second “secret” key used by an owner when locking and unlocking a car. The first cryptographic key, the one stored in an internal component, is one of four common keys used in most of nearly 100 million VWs. The four crypto keys are stored in different components, but Garcia and his team found them all.

The researchers didn’t use crazy complex technology to break the vehicle codes. Garcia said it can be done with a “software-defined radio” connected to a laptop. And an even smaller device could be constructed for about $40 using an Arduino board  — a programmable circuit board — connected to a radio receiver.

For the second hack, the one that works with millions of vehicles from other manufacturers, Garcia’s team took advantage of an out-of-date cryptographic method called HiTag2. In this case, they didn’t need to find internal keys but were able to use the same radio scanning setup to find one of eight rolling codes to discover the codes used by a vehicle owner.

According to Wired, the researchers said VW acknowledged the vulnerability they discovered. The semiconductor company that sells chips with the HiTag2 legacy crypto system, NXP, said it has been recommending that customers use newer algorithms for years.

Commenting on the current state of vehicle locking system vulnerabilities, Garcia said, “It’s a bit worrying to see security techniques from the 1990s used in new vehicles. If we want to have secure, autonomous, interconnected vehicles, that has to change.”

For now, however, if you have one of the vulnerable vehicles, the researchers suggest people not assume their cars and trucks are “safeboxes” and avoid leaving valuables inside. Even greater security would involve leaving remote keyfobs at home and manually unlocking and locking cars with physical keys — a strategy that won’t work with newer cars that are totally keyless.

Bruce Brown
Digital Trends Contributing Editor Bruce Brown is a member of the Smart Homes and Commerce teams. Bruce uses smart devices…
2021 Volkswagen ID.4 AWD first drive review: Gaining traction
A 2021 Volkswagen ID.4 AWD front three quarter view.

Volkswagen launched the 2021 ID.4 electric car earlier this year with an ambitious mission: To take on popular gasoline crossover SUVs like the Honda CR-V and Toyota RAV4 in a bid to capture the heart of the new-car market. However, the ID.4 was missing one thing.

One of the main reasons buyers choose crossovers over sedans and hatchbacks is the availability of all-wheel drive. At launch, the ID.4 didn’t have that. VW said an all-wheel-drive ID.4 was on the way, though, and now the wait is over.

Read more
Inside the lab teaching Volkswagen’s born-again Bus how to drive itself
volkswagen unveils argo ai powered id buzz ad electric van

Previewed by the heritage-laced ID.Buzz concept, Volkswagen's born-again Bus will arrive in 2022 with a few cool tech tricks up its sleeve. It will be fully electric, it will ride on the MEB architecture already found under the EVs like the ID.3 and the ID.4, and it will spawn an autonomous shuttle scheduled to start carrying passengers in 2025. Argo A.I. is helping Volkswagen teach the Bus how to drive itself, and Digital Trends got an inside look at the project.

Volkswagen unveiled the first ID.Buzz-based prototype on the sidelines of the 2021 Munich auto show. Fully draped in camouflage to mask its final design, the van is fitted with an armada of sensors, radars, cameras, microphones, and lidars that paint a digital picture of the world around it. Argo A.I. — which Volkswagen and Ford jointly own a stake in — argues its technology is highly advanced: its lidar can detect and avoid potholes by scanning the road surface, and it can see objects that are about 1,300 feet away, even if they're dark (like a black car). Powering this hardware requires tremendous computing power, several backup systems, and a mammoth amount of data.

Read more
Volkswagen’s electric ID.Life concept car doubles as a gaming console
Volkswagen ID.Life

One major issue continues to stand in the way of electric cars: Cost. They tend to be more expensive than comparable gasoline-powered vehicles. Volkswagen plans to make EVs relatively affordable in the not-too-distant future, and it unveiled a small, city-friendly concept called ID.Life at this week's 2021 Munich auto show to illustrate what it has in store.

Volkswagen is thinking small: The ID.Life measures 161.6 inches from bumper to bumper, 72.6 inches wide, and 63 inches tall. Put another way, it's a couple of inches longer and narrower than a Hyundai Venue. It's characterized by a pure, simple exterior design and a silhouette that blurs the line between a hatchback and a crossover. Users can remove the roof panel — the design of which can be personalized — to transform the ID.Life into a quasi-convertible.

Read more