A universal VW key, just $40

News

Sometimes car security experts specialize, focusing on one vehicle brand or model. For example, Charlie Miller and Chris Valasek spent two years investigating Fiat Chrysler’s Jeep Cherokee. Their choice was logical — they had a Jeep.

Other researchers take a global approach. For example, in 2015, Flavio Garcia and his team at the University of Birmingham freaked out almost half of the entire car industry when they revealed how to open cars that have keyless entry systems — without any key at all. These were autos developed at Audi, Citroën, Fiat, Honda, Skoda, and Volvo as well as some other brands.

Recently, the researchers, together with experts from the German engineering firm Kasper & Oswald, reported on two new vulnerabilities.

This time Volkswagen came under fire: Its cars can also be opened without a key. The scale of the threat is enormous: The researchers claim that almost 100 million cars, most VW models produced since 1995, are at risk. Only new autos, starting with the Golf VII, are free of this vulnerability.

A universal VW key, just $40

The attack is amazingly accessible, requiring only simple equipment: a laptop and a software-defined radio — or, even cheaper, a $40 Arduino board with an attached radio receiver.

How to steal 100 million Volkswagens

Having dug into an undisclosed component of the autos, the researchers discovered that Volkswagen used a single cryptographic key in all of its cars starting in 1995 and continuing up to the production of the seventh Golf. Though there are a few keys in use it’s not hard to sort them out — this would take literally seconds.

Knowing that key is half the battle. Then, with the help of an Arduino board with an attached radio receiver, hackers can “eavesdrop” to obtain a car’s unique key, which is transmitted when the owner locks or unlocks the car. Using the two cryptographic keys, criminals can make a copy of the key fob to open the car.

Criminals “only need to eavesdrop once,” the researchers say, and they need to be within about 100 meters of the target vehicle — certainly far enough not to be noticed or raise any suspicions.

The researchers aren’t revealing which components contain the precious keys. Their research wasn’t meant to help would-be thieves steal cars. They say only that the components vary by model. Volkswagen is aware of the threat but can do little to fix the vulnerability.

There is some good news here: This method lets criminals unlock the car but not drive it away; immobilizers protect car by keeping it from moving in the absence of the (physical) key. But there’s also more bad news: Immobilizers are also vulnerable. Criminals using both methods will jack the VW they want — with the exception, of course, of modern Volkswagen cars, starting with the Golf VII, where instead of shared keys individual unique keys are used.

Expert comments

Kaspersky Lab expert Sergey Zorin explains the situation as follows:

This story shows that everything can be compromised if the attacker has enough time and professionals in their team. It is possible that with a certain amount of additional investment, this research could be reproduced for other car manufacturers. However, with this example, the research shows that car manufacturers are actually thinking about the information security of their products and, luckily, it is not very easy to break through the security of modern cars. So we wouldn’t say that this car manufacturer, or any others, has a bad attitude to security.

Nevertheless, there are some problems in the automotive industry that may cause trouble.

The first problem is that, traditionally, car manufacturers have to plan everything, including security, five to seven years ahead of time, because this is the typical cycle of development of a new car model — obviously security and hacking methods develop much faster than this.

Another problem is that due to technological limitations it is not always possible to implement security fixes fast and wide enough to totally eliminate risks. Both of these issues actually can be solved by implementing update mechanisms in the next generations of car electronics. This makes it possible to patch unexpected vulnerabilities soon after they are discovered. We expect that new generations of cars, planned for production five years from now, will be equipped with such technologies.

The third security problem that car manufacturers are already facing is connectivity in cars. The connected car concept suggests that multiple modules inside the car have a data exchange channel with outside domains. Some vulnerabilities have already been discovered in these data exchange channels. As a security company, we’ve been researching this area for several years now, and we see that there are more vulnerabilities emerging. The development of trusted communications technologies for cars is something that both the security and automotive industries should be focusing on in coming years.