Warning: This wireless hack could unlock 100mn Volkswagens

August 11, 2016

Almost a year ago, University of Birmingham computer scientist Flavio Garcia and a team of researchers published research revealing a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key. Now, a year later, Garcia and a new team of researchers are back with another paper showing that the weakness isn’t limited to the ignition but extends to the keyless entry system that unlocks the vehicle’s doors. And this time, they say, the flaw applies to practically every car Volkswagen has sold in the last two decades. Thank God, I don’t own one.

According to a report in Wired, the team from the University of Birmingham and the German engineering firm Kasper & Oswald plans to reveal at the USENIX Security conference in Austin two distinct vulnerabilities that they say affect the keyless entry systems of nearly 100 million cars, not just from the Volkswagen group but also from brands such as Audi, Alfa Romeo, Citroen, Fiat and Skoda.

All one needs is a cheap, easily available piece of radio hardware to intercept signals from a victim’s key fob and then use those signals to clone the key. The attacks, the researchers say, can be performed with a software-defined radio connected to a laptop or, in a cheaper and stealthier package, an Arduino board with an attached radio receiver that can be purchased for $40. “The cost of the hardware is small, and the design is trivial,” Garcia told Wired. “You can really build something that functions exactly like the original remote.”

Hack 1
According to the researchers, extracting a single cryptographic key value shared among millions of Volkswagen vehicles took some “tedious reverse engineering” of one component inside a Volkswagen’s internal network. They then used their radio hardware to intercept another value that is unique to the target vehicle and is included in the signal sent every time a driver presses the key fob’s buttons; combining the two supposedly secret numbers is enough to clone the key fob and gain access to the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

The process, however, isn’t as easy as it may sound. The hard part is the radio eavesdropping, which requires that the thief’s interception equipment be within about 300 feet of the target vehicle. And while the shared key that is also necessary for the theft can be extracted from one of a Volkswagen’s internal components, that shared key value isn’t quite universal: there are several different keys for different years and models of Volkswagen vehicles, and they are stored in different internal components.

Though the researchers declined to give technical details of the components they extracted the keys from, to avoid tipping off potential car hackers, they warn that if sophisticated reverse engineers find and publicize those shared keys, each one could leave tens of millions of vehicles vulnerable. Thankfully, the most recent VW Golf 7 model and others that share its locking system have been designed to use unique keys and are thus immune to the attack.
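As an added illustration (not code from the article or from the researchers’ paper), the following simplified Python model of a rolling-code remote shows why the fleet-wide key is the crux of Hack 1: when the car’s key is shared across the fleet, an eavesdropper who has already extracted that key needs only one captured button press to build a clone the car accepts, whereas a per-vehicle key, as on the Golf 7, leaves the same capture useless. The MAC construction, packet layout, counter window, vehicle ID and FLEET_KEY value are all assumptions of this model, not VW’s actual scheme.

```python
import hmac
import hashlib
import secrets

# Constructed fleet-wide key standing in for the value the researchers extracted.
FLEET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")

def rolling_code(key: bytes, vehicle_id: bytes, counter: int) -> bytes:
    """Simplified rolling code: a truncated MAC over the vehicle id and press counter."""
    msg = vehicle_id + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class Remote:
    def __init__(self, key: bytes, vehicle_id: bytes, counter: int = 0):
        self.key, self.vehicle_id, self.counter = key, vehicle_id, counter

    def press(self):
        """Each press increments the counter; the packet carries the vehicle id in the clear."""
        self.counter += 1
        return (self.vehicle_id, self.counter, rolling_code(self.key, self.vehicle_id, self.counter))

class Car:
    WINDOW = 256  # assumed tolerance for presses made out of range of the car

    def __init__(self, key: bytes, vehicle_id: bytes):
        self.key, self.vehicle_id, self.last_counter = key, vehicle_id, 0

    def unlock(self, packet) -> bool:
        vehicle_id, counter, mac = packet
        if vehicle_id != self.vehicle_id:
            return False
        if not (self.last_counter < counter <= self.last_counter + self.WINDOW):
            return False  # replayed or wildly out-of-sync counter
        if not hmac.compare_digest(mac, rolling_code(self.key, vehicle_id, counter)):
            return False
        self.last_counter = counter
        return True

def clone_succeeds(shared_fleet_key: bool) -> bool:
    """Model of the article's scenario: the fleet key is known, exactly one press is eavesdropped."""
    vehicle_id = b"WVW-constructed-id"
    car_key = FLEET_KEY if shared_fleet_key else secrets.token_bytes(16)  # Golf 7 style: unique key
    car, owner_remote = Car(car_key, vehicle_id), Remote(car_key, vehicle_id)
    captured = owner_remote.press()          # the one packet overheard within ~300 feet
    assert car.unlock(captured)              # the owner's press still works as normal
    vid, ctr, _ = captured
    clone = Remote(FLEET_KEY, vid, counter=ctr)   # built from the fleet key plus the overheard id
    return car.unlock(clone.press())
```

The only difference between the two runs is how the car’s key was provisioned, which is exactly the change the article credits with making the Golf 7 immune.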

Hack 2
The second hack concerns the decade-old cryptographic scheme called HiTag2. This one doesn’t need any key extraction from a car’s internal components. Instead, a hacker would use a radio setup similar to the one in the Volkswagen hack to intercept eight of the codes from the driver’s key fob, each of which in modern vehicles includes a rolling code number that changes unpredictably with every button press. With that collection of rolling codes as a starting point, the researchers found that flaws in the HiTag2 scheme let them break the code in as little as one minute. “No good cryptographer today would propose such a scheme,” Garcia says.

Volkswagen didn’t immediately respond to Wired’s request for comment, but the researchers write in their paper that VW acknowledged the vulnerabilities they found. NXP, the semiconductor company that sells chips using the vulnerable HiTag2 crypto system to carmakers, says that it has been recommending for years that customers upgrade to newer schemes. “[HiTag2] is a legacy security algorithm, introduced 18 years ago,” writes NXP spokesperson Joon Knapen. “Since 2009 it has been gradually replaced by more advanced algorithms. Our customers are aware, as NXP has been recommending not to use HT2 for new projects and design-ins for years.”

Notably, what Garcia and his team describe is already happening on the streets. Many police cases involve cars being stolen with little more than a mystery electronic device. In one case earlier this month, thieves in Texas stole more than 30 Jeeps using a laptop, seemingly connected to the vehicle’s internal network via a port on its dashboard. “I’ve personally received inquiries from police officers,” says Garcia, who added that they had footage of thieves using a “black box” to break into cars and drive them away. “This was partly our motivation to look into it.”

A fix for the problem, unfortunately, isn’t simple. “These vehicles have a very slow software development cycle,” says Garcia. “They’re not able to respond very quickly with new designs.”

Until then, they contend, simply avoid leaving any valuables in the car. “A vehicle is not a safebox,” says Oswald. Careful drivers, they add, should even consider giving up their wireless key fobs altogether and instead open and lock their car doors the old-fashioned, mechanical way.
