How to open 100 Million Volkswagen cars with a cheap wireless device

August 12, 2016  By Pierluigi Paganini


A new hack leveraging on two distinct vulnerabilities could be exploited to open every Volkswagen vehicles that have been sold since 1995

Do you have a Volkswagen? A new hack leveraging on two distinct vulnerabilities could be exploited to open every Volkswagen vehicles that have been sold since 1995, including models from Audi, Citroen, Fiat, Ford, Peugeot, and  Skoda.
Researchers from the University of Birmingham and the German engineering firm Kasper & Oswald will present their study, titled “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems” this week at the Usenix security conference.
In a first attack devised by the researchers, the experts used an Arduino-based RF Transceiver (Cost $40) to eavesdrop and record the rolling codes used by keyless entry systems that are sent by car owners when they press the key fob’s buttons.
Volkswagen arduino hack

The researchers made a reverse engineering of a component inside a Volkswagen’s network and identified and extracted a cryptographic key that is shared among millions of Volkswagen cars. The scientists did not reveal the exact procedure to extract the keys avoiding crooks to exploit the same technique.

The knowledge of the two secret keys allowed the team to clone the key fob and open the car.

“we discovered that the RKE systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years.” wrote the researchers in the paper. “With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times”

The impact could be severe for the Volkswagen, if hackers will be able to reproduce the process, millions of cars will be exposed to the risk of theft.

According to the researchers in past 20 years, the four most common keys are used in all the 100 Million cars sold by the German car vendor. Only the most recent VW Golf 7 model and others that use unique keys are immune to the attack.

Most recent models like Golf 7 use unique keys so they are not vulnerable to the hack.

The researchers devised also a second attack method that targets the HiTag2, an old cryptographic scheme used to generate rolling codes and that is still used in millions of vehicles.

Car vendors like Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford users HiTag2.

The equipment used by the researchers is quite similar to the one used in the previous attack scenario.

The researcher used a radio device to capture the rolling code number sent by the driver’s key fob.

Once collected a number of rolling codes, the researchers exploited the flaws in the HiTag2 scheme to crack the cryptographic key in less than a minute.

The researchers have already reported the flaws to the VW Group and avoided to disclose any information to reproduce the attack (i.e. cryptographic keys, part numbers of vulnerable components).

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Volkswagen , car hacking)



Pierluigi Paganini
Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.








  • Digging the Deep Web: Exploring the dark side of the web

    Digging The Deep Web

  • Center for Cyber Security and International Relations Studies

  • Subscribe Security Affairs Newsletter

    newsletter

  • SecurityAffairs awarded as Best European Cybersecurity Tech Blog at European Cybersecurity Blogger Awards

    EU Sec Bloggers Awards 22


More Story

Patch your vBulletin forum asap to avoid being hacked

 vBulletin forums need to be patched asap to avoid attackers to scan servers hosting the CMS and remotely execute arbitrary...