Hack Can Unlock 'Millions' Of Volkswagen Cars

By Edwin Kee
Raindrops are seen on the badge of a diesel Volkswagen Passat in central London, Britain September 22, 2015. REUTERS/Stefan Wermuth

If you drive a Volkswagen car that was purchased from 1995 onward, you might want to look over your shoulder or consider changing rides. A team of researchers has stepped forward, claiming that they have stumbled upon a hack that can unlock the affected vehicles remotely. If one were to take into consideration all the cars sold by Volkswagen since 1995, that would amount to millions, as a whopping 100 million rides or so have made their way from showrooms to garages over the past two decades plus.

This particular security loophole affects a wide range of vehicles that were manufactured between 1995 and 2016. These include Volkswagens and models from the Audi, Seat and Skoda brands. All that is required to unlock the affected vehicle is a homemade radio that should not cost more than £30. That would be pretty sad then, if it were to be true -- so much for security!

Thankfully, the folks over at Volkswagen claim that they are working alongside the researchers who discovered this remote unlocking hack, and that some of their newer rides remain unaffected -- although they did not list which rides were immune to such an 'attack'. However, word on the street has it that current-generation vehicles like the Golf, Tiguan, Touran and Passat are exempt from this form of 'attack'.

A paper by researchers from the University of Birmingham and German security firm Kasper & Oswald cited two separate examples that affected various models. In the second method, an older cryptographic scheme in different brands was also discovered to feature a somewhat similar vulnerability, except that it is a wee bit more complex in nature.

Basically, the homemade radio allows a malicious hacker to spy on key fob signals, enabling one to target cars easily. Cloning such digital keys allowed the researchers to unlock a range of VW Group vehicles. This could be achieved after successfully reverse-engineering the keyless entry system in the affected models, and in the course of that process, several master cryptographic keys were discovered.

Of course, the team who published such findings did come to an agreement with Volkswagen that important information like the value of the master cryptographic keys will remain a secret. Timo Kasper at Kasper & Oswald mentioned to the BBC, "We were kind of shocked. Millions of keys using the same secrets - from a cryptography point of view, that's a catastrophe." Hey Timo, we've got news for you -- you aren't the only one who is shocked by this discovery!

The researchers performed their civic duty by alerting Volkswagen to the issue in November last year, having met up with the key players in the organization to help them understand such a vulnerability. The discussions were said to be 'very fruitful' and performed in 'a very good atmosphere'. On the flipside, it looks like there are at least ten more, very widespread hacking schemes that also affect different car brands out there. We will not know about them until Kasper & Oswald publishes such findings, but that will only happen after appropriate disclosure to the companies has been made.