100 million Volkswagen vehicles can be unlocked wirelessly by hacker thieves

remote key fobs vulnerable vw 100 million volkswagen vehicles hacked
Is your keyless remote safe? Connected cars face increasing threats as new technologies present hackers and thieves with additional ways to access vehicles. One vulnerability, though, involves older tech — remote key fobs used to unlock cars. Researchers at the Usenix security conference in Austin will soon present a paper outlining two remote unlocking vulnerabilities, one of which puts nearly every Volkswagen Group vehicle manufactured since 1995 in jeopardy, as reported in Wired.

The researchers said VW’s latest Golf 7 model and others that use the same locking system are immune to the hack because they use unique security keys. Most VWs, however, still use the older, vulnerable tech. Neither of the two hacks, which use different methods, do more than let thieves unlock and enter the cars, which of course would enable them to steal the contents. They’d have to use other tricks to start the engine and steal the car.

“It’s a bit worrying to see security techniques from the 1990s used in new vehicles.”

The research team, lead by Flavio Garcia of the University of Birmingham, discovered the ability to start millions of VW Group cars in 2013 but due to a lawsuit didn’t make that potential hack public until 2015. Now the team is back and, with the German engineering firm Kasper & Oswald, are reporting another hack to wirelessly unlock doors that affects nearly 100 million VWs.

A similar hack found by the team works with millions of other vehicles including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

The researchers did not fully disclose in the public paper exactly how they broke into the systems, not wanting to give real thieves that edge. They did, however, say that after “tedious reverse engineering” of a single component of VW’s onboard vehicle network, they found a cryptographic key value used by millions of vehicles. With remote radio eavesdropping, they could then discover the second “secret” key used by an owner when locking and unlocking a car. The first cryptographic key, the one stored in an internal component, is one of four common keys used in most of nearly 100 million VWs. The four crypto keys are stored in different components, but Garcia and his team found them all.

The researchers didn’t use crazy complex technology to break the vehicle codes. Garcia said it can be done with a “software-defined radio” connected to a laptop. And an even smaller device could be constructed for about $40 using an Arduino board  — a programmable circuit board — connected to a radio receiver.

For the second hack, the one that works with millions of vehicles from other manufacturers, Garcia’s team took advantage of an out-of-date cryptographic method called HiTag2. In this case, they didn’t need to find internal keys but were able to use the same radio scanning setup to find one of eight rolling codes to discover the codes used by a vehicle owner.

According to Wired, the researchers said VW acknowledged the vulnerability they discovered. The semiconductor company that sells chips with the HiTag2 legacy crypto system, NXP, said it has been recommending that customers use newer algorithms for years.

Commenting on the current state of vehicle locking system vulnerabilities, Garcia said, “It’s a bit worrying to see security techniques from the 1990s used in new vehicles. If we want to have secure, autonomous, interconnected vehicles, that has to change.”

For now, however, if you have one of the vulnerable vehicles, the researchers suggest people not assume their cars and trucks are “safeboxes” and avoid leaving valuables inside. Even greater security would involve leaving remote keyfobs at home and manually unlocking and locking cars with physical keys — a strategy that won’t work with newer cars that are totally keyless.


VW will use Siri as the designated driver for its connected car party

Volkswagen of America added Apple's Siri to help drivers control and interact with their cars. Owners can customize voice commands to tell Siri to change access settings such as interior climate, vehicle lock status, and fuel checks.

Born to run (forever): The most reliable cars you can buy right now

We all dread the thought of our car turning into a money pit, but choosing a dependable vehicle from the start can help us rack up countless care-free miles. Here, we've rounded up some of the most reliable cars available.

The best HTC Vive games available today

So you’re considering an HTC Vive, but don't know which games to get? Our list of 25 of the best HTC Vive games will help you out, whether you're into rhythm-based gaming, interstellar dogfights, or something else entirely.

Hacker infects 100K routers in latest botnet attack aimed at sending email spam

An attacker is trying to infect your router with malware in order to send spam emails. If your router uses a Broadcom UPnP SDK, it could become vulnerable to this attack. So far, 100,000 routers worldwide have been infected.

From Rolls-Royce to Lamborghini, these are the most expensive cars in the world

If you recently discovered an oil reserve in your backyard, you probably have some extra cash to spend. Look no further, because we’ve rounded up the most expensive cars in the world.

Lime’s first carsharing service motors into Seattle this week

Lime may be better known for its app-based bike and scooter rental services, but in Seattle, Washington this week it's launching its very first carsharing service, similar to Car2go and Zipcar.

Land Rover shows its artsy side by previewing the 2020 Range Rover Evoque

Land Rover made life-sized wire sculptures to preview the 2020 Range Rover Evoque. The all-new SUV will make its debut during a private event held in London on November 22, and deliveries will begin in 2019.

These headlights have 4 color settings to help save lives under all conditions

Boslla headlights are an easy-to-install solution to achieve all-weather lighting for your vehicle. After a quick ten-minute install, these lights have up to four settings to get you through anything.

Car parts maker ZF is using drones to deliver components to its factories

ZF recently became the first entity in Germany to receive approval to use drones to deliver spare parts, and the company now uses them to deliver parts from its central warehouses to its workshops.

The DBX SUV will go where no Aston Martin has gone before

When it launches in 2019, the Aston Martin DBX will be the British automaker's first SUV. In the meantime, camouflaged DBX prototypes will undergo strenuous testing around the world.

Ford teams up with Walmart to study consumer response to autonomous delivery

Last week it was Ford and VW, and this week Ford and Walmart are signaling a desire to work together on autonomous vehicles solutions. Ford and the giant retailer will study consumer reactions to self-driving delivery vehicles.

Our favorite fuel-efficient cars are as frugal as they are fun

You don't need to opt for a hybrid or an all-electric ride in order to achieve good fuel economy. These vehicles pack both performance and style, whether you're in the market for a luxury sedan or a game-changing pickup truck.

Out of juice? Learn how to jump-start a car with this quick guide

Jumping a car is a simple procedure, but not everyone knows how to properly do so. To make things easier, we've put together a quick-hit guide on how to fire up your vehicle using jumper cables and a second power source.

Prep your car for the coming snow and sleet with these cold weather tips

Driving in the winter, whether downtown or across the country, is rarely easy. Luckily, we've put together a quick rundown of a few things you should do to winterize your car before the snow officially hits.