Owners of Volkswagen automobiles and SUVs may be unwittingly giving away the code to open the doors of their vehicle each time they use the keyless entry system, according to a new study submitted to the USENIX Security Symposium being held in Austin this week.
The study, titled “Lock it and Still Lose It – on the (In)Security of Automotive Remote Keyless Entry Systems,” showed that “the security of the keyless entry systems of most VW group vehicles manufactured between 1995 and today relies on a few, global master keys.”
The authors said that using “cryptographic algorithms and keys from electronic control units,” a person can “clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping on a single signal sent by the original remote.”
In the study, the authors stated that car manufacturers have “used insecure schemes over more than 20 years” and that “Owners of affected vehicles should be aware that unlocking the doors of their car is much simpler than commonly assumed.”
The study said the technology used to commit the attacks is “widely available at low cost” and that the attacks could be committed on a large scale. In addition, “Since they are executed solely via the wireless interface, with at least the range of the original remote control (i.e. a few tens of meters), and leave no physical traces, they pose a severe threat in practice.”
Among the issues the authors raised: the vulnerability could open up more cars to theft because the cloned remote would disable the alarm systems; a criminal could hack the computer of a car and do something like deactivate the brakes, or place an object or person in the car and then lock the doors again; and it could enable other crimes.
According to the study, anyone who owns a car from the VW family, including Audi and Porsche among others, should “stop using or disable/remove the RKE (remote keyless entry) part of the car and fall back to the mechanical lock.”
The authors said they contacted VW about the vulnerability in November 2015, met with the company in February and submitted a draft version and final version of the paper. According to the authors, “VW Group acknowledged the vulnerabilities.” The authors said they left out key details that were used to expose the problems.
For a second hack, Hitag2, the company previously informed consumers about the problem and is offering new remote keyless entry systems that are not impacted by the vulnerabilities, and “many car manufacturers have already started using the more secure chips for new designs.”