Hacked: Your VW is not that secure says study

If you own a VW or are planning to get one soon, you deserve to know this: your car is not as secure as you might have thought. According to research by three Birmingham University (England) researchers and an expert from security company Kasper and Oswald GmbH (Germany), more than 100 million VW cars are vulnerable to theft through their keyless entry systems. $40 is all it takes to build a device capable of this hideous hack (or genius hack, if you like). The attack applies to every Volkswagen manufactured in 1995 and beyond!

Cars built on VW’s latest MQB production platform are not vulnerable to this hacking technique, said the researchers. MQB is the platform used on the top-selling model, the Golf VII. VW’s luxury brands such as Porsche, Bentley, Lamborghini and Bugatti were, however, not considered in the study. The researchers reverse-engineered an undisclosed Volkswagen component and extracted a cryptographic key value that is common to many of the company’s vehicles. It is this value, combined with the right encoding, that creates a functional clone that will lock or unlock the car.

The $40 device used for the hack

What VW said

VW has apparently acknowledged the vulnerability. Volkswagen, however, suggested that the flaw discovered by the researchers was mostly of academic interest.

Security catastrophe

Now I will make this as simple as possible. The car manufacturers generally made security systems for millions of cars from a ‘template.’ From a cryptographic point of view, that is a disaster. It simplifies a hacker’s job: once someone figures out the ‘pattern,’ everything that follows is much simpler.
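A simplified model of the ‘template’ problem described above, as an added example that is not code from the study or from VW. It uses HMAC-SHA256 in place of the real cipher, and the frame layout, function names and sample secret are assumptions made for illustration; it compares one key shared by the whole fleet with keys derived per vehicle.

```python
import hashlib
import hmac

TAG_LEN = 8   # truncated MAC length (constructed for this model)
WINDOW = 16   # how far ahead of the last seen counter a frame may be

def mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def diversify(master: bytes, vehicle_id: bytes) -> bytes:
    """Derive a per-vehicle key, so one extracted key covers one car only."""
    return hmac.new(master, b"fob-key|" + vehicle_id, hashlib.sha256).digest()

def fob_frame(key: bytes, fob_id: bytes, counter: int, button: bytes) -> bytes:
    """Frame = 4-byte fob id | 4-byte rolling counter | 1-byte button | MAC."""
    msg = fob_id + counter.to_bytes(4, "big") + button
    return msg + mac(key, msg)

class Receiver:
    def __init__(self, key: bytes, fob_id: bytes):
        self.key, self.fob_id, self.last = key, fob_id, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 9 + TAG_LEN:
            return False
        msg, tag = frame[:9], frame[9:]
        if not hmac.compare_digest(tag, mac(self.key, msg)):
            return False                  # wrong key or tampered frame
        counter = int.from_bytes(msg[4:8], "big")
        if msg[:4] != self.fob_id or not self.last < counter <= self.last + WINDOW:
            return False                  # unknown fob, replay, or too far ahead
        self.last = counter
        return True

def cross_vehicle_accept(diversified: bool) -> bool:
    """Is a frame keyed with car A's secret accepted by car B's receiver?"""
    master = bytes(range(32))             # constructed sample secret
    key_a = diversify(master, b"CAR-A") if diversified else master
    key_b = diversify(master, b"CAR-B") if diversified else master
    car_b = Receiver(key_b, b"\x00\x00\x00\x0b")
    return car_b.accept(fob_frame(key_a, b"\x00\x00\x00\x0b", 1, b"\x01"))

def replay_rejected() -> bool:
    """A frame that was already accepted must not be accepted again."""
    key = diversify(bytes(range(32)), b"CAR-B")
    car = Receiver(key, b"\x00\x00\x00\x0b")
    frame = fob_frame(key, b"\x00\x00\x00\x0b", 1, b"\x01")
    return car.accept(frame) and not car.accept(frame)
```

With the shared key, the secret taken from one car is valid for every other car; with derived keys, the same secret is useless outside the vehicle it came from.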

Should you panic?

Should owners of VWs panic? Maybe, maybe not. The hack sounds pretty simple without the finer details. However, there is quite a sizeable amount of work that needs to be done to achieve the hack.

  • intercept the radio signal sent from a key fob to the car
  • get the cryptographic “password” associated with the vehicle
  • pair cryptographic password with another special key

The bad news is that the cryptographic password is shared among large numbers of vehicles. This password is not very easy to get. While an amateur hacker would possibly not be able to perform the hack, it would not be as difficult for a pro.

A second hack

As if one is not bad enough, there is another hack. The second one targets the HiTag2 cryptographic scheme. Instead of extracting part of the key from an internal component, hackers grab a rolling key code. Intercepting eight such codes makes breaking the encryption very easy. To get a bunch of codes in a hurry, it’s suggested that the attacker would jam the car’s receiver so the owner tries again and again.

Well, after all has been said and done, it remains to be seen whether more and more VWs will be stolen. Meanwhile, watch out for geeky-looking guys too close to your Vida!
