100 million Volkswagen vehicles can be unlocked wirelessly by hacker thieves

Is your keyless remote safe? Connected cars face increasing threats as new technologies present hackers and thieves with additional ways to access vehicles. One vulnerability, though, involves older tech — remote key fobs used to unlock cars. Researchers at the Usenix security conference in Austin will soon present a paper outlining two remote unlocking vulnerabilities, one of which puts nearly every Volkswagen Group vehicle manufactured since 1995 in jeopardy, as reported in Wired.

The researchers said VW’s latest Golf 7 model and others that use the same locking system are immune to the hack because they use unique security keys. Most VWs, however, still use the older, vulnerable tech. Neither of the two hacks, which use different methods, does more than let thieves unlock and enter the cars, which of course would enable them to steal the contents. They’d have to use other tricks to start the engine and steal the car.

The research team, led by Flavio Garcia of the University of Birmingham, discovered in 2013 a way to start millions of VW Group cars but, due to a lawsuit, didn’t make that potential hack public until 2015. Now the team is back and, with the German engineering firm Kasper & Oswald, is reporting another hack to wirelessly unlock doors that affects nearly 100 million VWs.

A similar hack found by the team works with millions of other vehicles including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers did not fully disclose in the public paper exactly how they broke into the systems, not wanting to give real thieves that edge. They did, however, say that after “tedious reverse engineering” of a single component of VW’s onboard vehicle network, they found a cryptographic key value used by millions of vehicles. With remote radio eavesdropping, they could then discover the second “secret” key used by an owner when locking and unlocking a car. The first cryptographic key, the one stored in an internal component, is one of four common keys used in most of nearly 100 million VWs. The four crypto keys are stored in different components, but Garcia and his team found them all.

The researchers didn’t use crazy complex technology to break the vehicle codes. Garcia said it can be done with a “software-defined radio” connected to a laptop. And an even smaller device could be constructed for about $40 using an Arduino board — a programmable circuit board — connected to a radio receiver.

For the second hack, the one that works with millions of vehicles from other manufacturers, Garcia’s team took advantage of an out-of-date cryptographic method called HiTag2. In this case, they didn’t need to find internal keys but were able to use the same radio scanning setup to find one of eight rolling codes to discover the codes used by a vehicle owner.

According to Wired, the researchers said VW acknowledged the vulnerability they discovered. The semiconductor company that sells chips with the HiTag2 legacy crypto system, NXP, said it has been recommending that customers use newer algorithms for years.

Commenting on the current state of vehicle locking system vulnerabilities, Garcia said, “It’s a bit worrying to see security techniques from the 1990s used in new vehicles. If we want to have secure, autonomous, interconnected vehicles, that has to change.”

For now, however, if you have one of the vulnerable vehicles, the researchers suggest you not assume your car or truck is a “safebox” and avoid leaving valuables inside. Even greater security would involve leaving remote keyfobs at home and manually unlocking and locking cars with physical keys — a strategy that won’t work with newer cars that are totally keyless.
