Millions of Volkswagen Vehicles at Risk of Being Hacked by Key-Cloning
More than one hundred million vehicles manufactured over the past 20 years may be at risk
Fewer and fewer people are using actual keys to unlock their cars these days. Normally, keyless entry to a vehicle is seen as nothing more than a modern convenience; however, Consumerist reported today that it may actually make more than one hundred million Volkswagen (VW) vehicles vulnerable to hackers.
The consumer advocacy site said that the flaw was detected by a group of security researchers collaborating from the University of Birmingham in the U.K. and the security firm Kasper and Oswald in Germany, who have issued a report on the vulnerability. The report states that the affected vehicles include, but are not limited to, the following vehicles manufactured between 1995 and 2016: the Audi A1, Q3, R8, S3, and TT, as well as the VW Beetle, Golf 4, Golf 5, Golf 6, Golf Plus, Jetta, Passat, Tiguan, and Touran.
The researchers discovered the problem by reverse-engineering the keyless-entry systems in the above and other vehicles.
"As a result," Consumerist said, "the engineers found that an attack could be carried out using commercially available radio and a laptop to capture the signal sent when an owner hits the 'unlock' button on a key fob and cryptographic key value that is shared among millions of VW vehicles."
The hacker can then use this signal and key value to effectively create a key of his or her own, enabling access to the vehicle.
VW's main mistake, according to the researchers, was relying on just a few types of cryptographic key values for use in the keyless systems of most of its vehicles sold over the past 20 years. They have notified the company of the vulnerability, and they have also agreed not to share the keys or the methods they used to reverse-engineer the systems.
The researchers also say that, unfortunately for VW, it will be difficult to fix the flaw. In the meantime, they suggest that drivers and passengers do not keep valuables inside the vehicle until the repair is complete.
This is the latest report of a vulnerability in a series of recent discoveries of security flaws that leave vehicles open to hackers.