100 Million Volkswagens From 1995 Onwards Are Vulnerable To An "Unlock" Hack

Photo (Volkswagen): Seven generations of the VW Golf. The first two and the last one are immune to the hack.
Gallery: examples of vehicles vulnerable to the described hack
Volkswagen Golf MK3 - Possibly vulnerable to hack
Volkswagen Golf MK4 - Potentially vulnerable to hack
Volkswagen Golf MK5 - Potentially vulnerable to hack
Volkswagen Golf MK6 - Potentially vulnerable to hack
Volkswagen Golf MK7 - Not vulnerable to hack

A team of researchers from the University of Birmingham has revealed another vulnerability of Volkswagen cars, along with many other brands.
After their first reveal, which was about a loophole that could be exploited to allow the start of an engine and to unlock the doors of a Volkswagen vehicle, the team discovered another vulnerability.

The second vulnerable aspect is that the entire ensemble used to lock and unlock a vehicle with the remote control embedded in its key fob can be hacked, researchers say.

The worst part about this hack is that the team says it affects all the Volkswagen models built from 1995 to present day, except the Golf 7 and the cars that share its technology.

Furthermore, they say they discovered another vulnerability in other car models, from the 2012 Dacia Logan, to the 2010 Alfa Romeo Giulietta, and many other models.

However, first, let’s describe the hack that has the potential of opening almost any Volkswagen model built from 1995 if it features central locking with a remote control integrated in the key fob.

The researchers claim to have found a way to unlock those vehicles without the owner discovering the hack, and it can even be done without touching the car.

The cost of the hardware is less than $50, and this only allows access to the central locking system of the cars, but it is a bargain when considering the potential of theoretically being able to unlock 100 million vehicles manufactured by the Volkswagen Group.

Luckily for owners of those vehicles, few people know how to operate the Arduino boards with the required components and are also willing to unlock a car illegally, so only high-tech felons have a shot at this.

The thieves must also be skilled with coding, but this will only be required for the setup part of the device. Once that is done, the hack could work as a key once the user learns its operating procedure.

According to the researchers, the vulnerability stems from the fact that Volkswagen shared a cryptographic key value among millions of vehicles. That value, described as a “key” by specialists, must then be used in conjunction with a particular key for each vehicle.

The said key is generated every time the driver locks or unlocks the car with the remote control. Through radio signals, the car communicates to the fob in a predetermined "language," which can be hacked through the interception of the encoded radio signal.

Some of you know that remote-control key fobs for cars use what specialists call “rolling code.” The term signifies a string of single-use “passkeys,” which are transmitted by the key fob to the car. The key to intercepting them (pun intended) is being within 300 feet of the target vehicle and using a radio-frequency receiver to capture the signal.

Once received by the Arduino-powered device, it is then decoded and used to generate an all-new code, which has not been used before, using one of the four cryptographic codes utilized by Volkswagen along with the key received by the individual device.

Researchers had to reverse-engineer several Volkswagen key fobs with radio transmitters to be able to discover how to generate the code required to open a particular vehicle.

As Wired reports, one single key is not sufficient for creating a hack valid for 100 million vehicles, as different model years have had several keys, and Volkswagen Group vehicles have switched these from one model to the other, in various combinations.

In theory, it is possible, but the practical side of the hack requires intensive work from the potential thieves, and this is what’s stopping most from exploiting the said vulnerability.

Apparently, the loophole disappears with the Volkswagen Golf 7, a car built on the MQB platform, which utilizes unique cryptography keys and is immune to this attack. The same should apply to all the similar cars that have the platform, and thus the door locking module.
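The difference between a fleet-wide shared key and unique per-vehicle keys can be shown with a small simulation. This is an added example, not code from the researchers' paper or from Volkswagen: HMAC-SHA256 stands in for the real cipher, and the key bytes, UID, and acceptance window are constructed for illustration.

```python
import hmac, hashlib, os

WINDOW = 16  # assumed: how far ahead of the last counter the car will accept

def make_frame(key: bytes, uid: int, counter: int) -> tuple:
    """Fob side: one single-use code = (uid, counter, MAC over both)."""
    msg = uid.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return uid, counter, hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Receiver:
    """Car side: accept a frame only if the MAC verifies and the counter advanced."""
    def __init__(self, key: bytes, uid: int, counter: int = 0):
        self.key, self.uid, self.last = key, uid, counter

    def accept(self, frame: tuple) -> bool:
        uid, counter, tag = frame
        expected = make_frame(self.key, uid, counter)[2]
        fresh = self.last < counter <= self.last + WINDOW
        if uid == self.uid and fresh and hmac.compare_digest(tag, expected):
            self.last = counter
            return True
        return False

def simulate(shared_key_design: bool) -> dict:
    global_key = b"constructed-global-key"  # constructed: same bytes in every unit
    # Key material taken from some OTHER unit of the same model line.
    other_unit_key = global_key if shared_key_design else os.urandom(16)
    # Key actually provisioned in the observed car and its fob.
    car_key = global_key if shared_key_design else os.urandom(16)

    uid = 0x00C0FFEE                         # constructed fob identifier
    car = Receiver(car_key, uid)
    observed = make_frame(car_key, uid, 1)   # owner presses the button once
    owner_ok = car.accept(observed)
    replay_ok = car.accept(observed)         # rolling counter blocks plain replay
    # uid and counter are known from the observed frame; the key is from another unit.
    forged = make_frame(other_unit_key, observed[0], observed[1] + 1)
    return {"owner": owner_ok, "replay": replay_ok, "forged": car.accept(forged)}

if __name__ == "__main__":
    print("shared key :", simulate(True))
    print("unique keys:", simulate(False))
```

In both designs the rolling counter rejects a replayed frame; only the shared-key design accepts a fresh frame built with key material from a different unit.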

During the USENIX Security conference in Austin, which took place this week, the team showcased a second attack that applies to many other vehicles. It targets HiTag2, a cryptographic scheme that is 18 years old but is still used in modern cars.

Cracking it is possible with hardware similar to that used to open Volkswagen Group models, and researchers say that they could do it faster. The technique involves hijacking the connection between the vehicle and the key fob: as the driver attempts to lock or unlock the doors, the perpetrator could steal one of the codes in the sequence.

Since the rolling code setup does not use the same code twice, nobody would know if the stolen codes had been used, so the cars could be unlocked with this contraption as if the original remote control was employed.

The research team’s full paper explains that the code is vulnerable, and even provides examples of a few vehicles they managed to open using their hack.

Among them, you can find four Opel models, the 2016 Fiat Punto, a 2012 Dacia Logan II, a 2010 Alfa Romeo Giulietta, a 2009 Citroen Nemo, a 2011 Renault Master and a Clio, as well as Mitsubishi, Lancia, Ford, and Peugeot cars of various model years.

The researchers have explained that these cars were hacked because their owners were friends with team members and allowed them to test their device. Other cars might also be vulnerable to this. However, using the car’s built-in deadlock will save the day, as this is just a hack to unlock the doors.

We must note that most thieves do not go for methods like these, preferring other strategies that are simpler to employ and with less technology involved. Think of the “shell game” instead of these advanced technologies.

 Download: Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems (PDF)

About the author: Sebastian Toma

Sebastian's love for cars began at a young age. Little did he know that a career would emerge from this passion (and that it would not, sadly, involve being a professional racecar driver). In over fourteen years, he got behind the wheel of several hundred vehicles and in the offices of the most important car publications in his homeland.