Key Fob Hack Allows Attackers To Unlock Millions Of Cars

Researchers claim a hack of Volkswagen’s keyless entry systems leaves millions of cars vulnerable to attack by an “unskilled adversary.”

Academic researchers added another hack to a growing list of compromises involving vehicles, and this one should give drivers pause the next time they leave valuables locked in their trunk.

This hack involves millions of Volkswagen, Ford and Chevrolet vehicles that rely on an outdated key fob technology, which creates an opportunity for even an “unskilled adversary” to get past a car’s keyless entry system to unlock it.

“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” according to a technical paper describing the hack (PDF). The researchers, Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès, are scheduled to discuss the research at the USENIX Security Symposium, in Austin, TX this week.

Volkswagen, reached by the Reuters news agency, did not dispute the claim and said its “current vehicle generation is not afflicted by the problems described.”

The researchers purposely omitted some technical details, but said keyless entry systems can be hacked using inexpensive technical devices. “For our analyses, we used various devices, including Software-Defined Radios (SDRs) (HackRF, USRP, rtl-sdr DVB-T USB sticks) and inexpensive RF modules. Our simple setup which costs $40, is battery powered, can eavesdrop and record rolling codes, emulate a key, and perform reactive jamming.”

The attack exploits two vulnerabilities; one allows an attacker to unlock nearly every model VW made since 1995, according to researchers, while the other technique impacts key fobs used with Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot vehicles.

Both hacks use a modified Arduino radio device within a 300-foot radius of the targeted vehicle to intercept codes from a car’s key fob. The first involved using the eavesdropping device to recover a fixed global set of cryptographic keys used in all VW cars. Using the Arduino, researchers said they only needed to eavesdrop once while someone opened their car with a key fob to crack the code.

The second vulnerability is tied to a weakness in the key fob’s cryptographic scheme called HiTag2. Researchers were able to easily crack the HiTag2 crypto system because of what they said were flaws in the algorithm. Using the Arduino radio device, researchers intercepted eight key codes used in a rolling code pattern by the key fob to open the door. “On average, our attack implementation recovers the cryptographic key in approximately 1 minute computation, requiring a few eavesdropped rolling codes (between 4 and 8),” the researchers wrote.

Car hacking experts say that lax or non-existent security with Volkswagen’s key-fob technology is endemic to the entire auto industry. “Volkswagen is far from alone. In virtually every system that we have looked at, we see automakers guilty of some variants of Volkswagen’s problem. They are either reusing keys, relying on hard-coded credentials or leaving systems with developer backdoors still enabled,” said Corey Thuen, senior security consultant with IOActive, which recently published a report on car security.
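The key-reuse problem described above, as an added illustration that is not from the researchers' paper or any manufacturer's code: a toy rolling-code receiver showing that with one fleet-wide key, a key taken from one fob validates against another car, while per-fob derived keys confine the damage to that fob. HMAC-SHA256, the frame layout, the constants and all names are assumptions made for the example, not the scheme used in the affected vehicles.

```python
import hashlib
import hmac

TAG_LEN = 8   # truncated MAC length in bytes (constructed value)
WINDOW = 16   # counters accepted ahead of the last one seen (constructed value)
FOB_A, FOB_B = b"\x00\x00\x00\x0a", b"\x00\x00\x00\x0b"   # constructed fob ids

def derive_fob_key(master: bytes, fob_id: bytes) -> bytes:
    """Diversify a provisioning secret into a key unique to one fob."""
    return hmac.new(master, b"fob-key|" + fob_id, hashlib.sha256).digest()

def make_frame(key: bytes, fob_id: bytes, counter: int, button: int) -> bytes:
    """Hypothetical frame: 4-byte id | 4-byte counter | 1-byte button | tag."""
    body = fob_id + counter.to_bytes(4, "big") + bytes([button])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:   # vehicle side: stores only the keys of its own paired fobs
    def __init__(self, paired: dict):
        self.keys = dict(paired)
        self.last = {fob_id: 0 for fob_id in paired}

    def accept(self, frame: bytes) -> bool:
        fob_id, body, tag = frame[:4], frame[:9], frame[9:]
        key = self.keys.get(fob_id)
        if key is None or len(frame) != 9 + TAG_LEN:
            return False
        expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False
        counter = int.from_bytes(frame[4:8], "big")
        if not self.last[fob_id] < counter <= self.last[fob_id] + WINDOW:
            return False          # replayed, or implausibly far ahead
        self.last[fob_id] = counter
        return True

def audit(key_a: bytes, key_b: bytes) -> dict:
    """Given the key held by car A's fob, report what car B's receiver accepts."""
    car_b = Receiver({FOB_B: key_b})
    genuine = make_frame(key_b, FOB_B, 1, 1)
    return {
        "genuine": car_b.accept(genuine),
        "replay": car_b.accept(genuine),
        "made_with_key_a": car_b.accept(make_frame(key_a, FOB_B, 2, 1)),
    }

MASTER = b"constructed-provisioning-secret"   # assumption: kept off every vehicle and fob
GLOBAL = b"constructed-fleet-wide-key"        # the shared-key design
shared = audit(GLOBAL, GLOBAL)
diversified = audit(derive_fob_key(MASTER, FOB_A), derive_fob_key(MASTER, FOB_B))
```

In both designs the rolling counter rejects the replayed frame; only key diversification stops a key learned from one fob from being valid fleet-wide.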

Researchers say the equipment needed to perpetrate the above hacks is widely available at low cost, and is also sold as black box kits on underground markets. “The attacks are hence highly scalable and could be potentially carried out by an unskilled adversary,” they conclude.

The bad news is any retro-fix to the problem will be extremely difficult, Thuen said. “The fix is non-trivial requiring an update to tens of millions of components affected by this. Volkswagen’s biggest mistakes were demonstrating a lack of understanding and lack of effort for properly implementing cryptography.” He added that carmakers such as Volkswagen should never assume that the data in their devices is unattainable.
