Volkswagen Group sold about 100 million cars since 1995 and many of these are vulnerable to a hack that can unlock them remotely. A team of researchers from the security firm Kasper & Oswald (German) and University of Birmingham say that the vulnerability affects vehicles made in the last decade (1995 – 2016) including “millions” of VWs and also Seat, Skoda and Audi – among the company’s other brands. The researchers say that the potential hacker just needs a £30 homemade radio to unlock the cars.
The research paper documents two separate attacks on different VW models. In one method, the team showed how an old cryptographic scheme used in some vehicles have a complex vulnerability. A hacker can get key fob signals to target a car using a homemade radio. VW said that they were in touch with the researchers to eliminate the vulnerability and added that many newer cars were not affected by the problem.
‘Cryptographic catastrophe’
The researchers cloned the digital keys and realized that they can now unlock a variety of cars by VW Group. How they did it? They used a reverse-engineering process that gave them some master cryptographic keys to unlock the digital entry system. Before publishing the paper, the team agreed not to publish some sensitive information – e.g. the master cryptographic keys’ encryption – at the request of Volkswagen.
“We were kind of shocked,” said Timo Kasper at Kasper & Oswald. “Millions of keys using the same secrets – from a cryptography point of view, that’s a catastrophe.”
After discovering the problem, the researchers contacted Volkswagen in November 2015 and had a series of meeting with the company to make them understand the vulnerability of the cars.
“We had very fruitful discussions – there was a very good atmosphere,” he said.
‘Constructive exchange’
Volkswagen spokesperson said that many of the new-generation cars like the Tiguan, Touran, Golf and Passat are safe from the hacking problem. He also added that the hack only means unlocking the car, there is still no way that the hacker can start the engine of the car using the hack.
“The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place,” he said.
Ken Munro, security analyst at Pen Test Partners said that the essentials of the hack were excluded from the paper
“You’d need some academic-level knowledge of cryptography to be able to do this,” he added.
However, this research highlights how many digital systems in modern cars were vulnerable and unsafe when it comes to security. Similar findings have also been published and come to light. This begs the question on what to do next? Is there a need to make better, more secure cars? Is it possible to make cars that no one can break into? What is your opinion?