How to open 100 Million Volkswagen cars with a cheap wireless device

Pierluigi Paganini August 12, 2016

A new hack leveraging on two distinct vulnerabilities could be exploited to open every Volkswagen vehicles that have been sold since 1995

Do you have a Volkswagen? A new hack leveraging on two distinct vulnerabilities could be exploited to open every Volkswagen vehicles that have been sold since 1995, including models from Audi, Citroen, Fiat, Ford, Peugeot, and  Skoda.
Researchers from the University of Birmingham and the German engineering firm Kasper & Oswald will present their study, titled “Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems” this week at the Usenix security conference.
In a first attack devised by the researchers, the experts used an Arduino-based RF Transceiver (Cost $40) to eavesdrop and record the rolling codes used by keyless entry systems that are sent by car owners when they press the key fob’s buttons.
Volkswagen arduino hack

The researchers made a reverse engineering of a component inside a Volkswagen’s network and identified and extracted a cryptographic key that is shared among millions of Volkswagen cars. The scientists did not reveal the exact procedure to extract the keys avoiding crooks to exploit the same technique.

The knowledge of the two secret keys allowed the team to clone the key fob and open the car.

“we discovered that the RKE systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years.” wrote the researchers in the paper. “With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times”

The impact could be severe for the Volkswagen, if hackers will be able to reproduce the process, millions of cars will be exposed to the risk of theft.

According to the researchers in past 20 years, the four most common keys are used in all the 100 Million cars sold by the German car vendor. Only the most recent VW Golf 7 model and others that use unique keys are immune to the attack.

Most recent models like Golf 7 use unique keys so they are not vulnerable to the hack.

The researchers devised also a second attack method that targets the HiTag2, an old cryptographic scheme used to generate rolling codes and that is still used in millions of vehicles.

Car vendors like Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford users HiTag2.

The equipment used by the researchers is quite similar to the one used in the previous attack scenario.

The researcher used a radio device to capture the rolling code number sent by the driver’s key fob.

Once collected a number of rolling codes, the researchers exploited the flaws in the HiTag2 scheme to crack the cryptographic key in less than a minute.

The researchers have already reported the flaws to the VW Group and avoided to disclose any information to reproduce the attack (i.e. cryptographic keys, part numbers of vulnerable components).

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Volkswagen , car hacking)

you might also like

leave a comment