While smart cars are a 21st century thing, the convenience has a darker side. Researchers have shown that it takes a tool as cheap as $40 to bypass the “keyless system” in tens of millions of Volkswagen cars, including Audis and SEATs.Four European researchers say hackers can easily eavesdrop on the signal which is sent every time a driver presses their key fob to lock or unlock a car. All the thieves need is a cheap technical device and to be somewhere within 100 meters of a vehicle. Flavio Garcia and his team at the University of Birmingham reverse-engineered an undisclosed component of the keyless system and extracted a cryptographic code. Using that information, they say hackers can intercept a car’s unique ID sent by the fob.
It appears that there are about 100 million hack-vulnerable Volkswagen AG cars, ranging from older to the newest models. Vehicles at risk include VW, Audi, SEAT and Skoda models sold since 1995, up to and including the 2016 Audi Q3. Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot models are also vulnerable to wireless hacks, researchers said. What all those cars have in common is a “constant-key” scheme.
The researchers say the VW vulnerability is especially troubling. There are a relatively few handful of shared encryption keys embedded in various different modules on Volkswagens. (The researchers aren’t saying which modules.) It’s a “tedious” but doable task to extract the shared key. They estimate just four shared key codes are used in 100 million Volkswagens. Having those codes in hand, the hacker needs only to head to a parking lot with VWs and be within about 300 feet to intercept the encrypted key code that’s specific to each car. By appending the car specific code to each of those four master codes, the hacker may have a code that locks and unlocks the car repeatedly. The hacker could port the code to a electronic key fob. It was noted that newer VWs have unique keys that make them immune to attack.
Cars have been successfully hacked in the past because automakers didn’t have enough devious-minded people on their engineering staffs — or else they trusted humans too much. For instance, a decade ago, automakers didn’t envision the massive rolling attacks that tried code after code. The car’s response should be to shut down the remote door locks if the car received, for instance, 10 different key codes inside of 30 seconds. That allows for a reasonable number of neighboring cars’ remote unlock signals, but not the massive attack that sends out hundreds of key code attempts per minute.