A New Wireless Hack Can Unlock 100 Million Volkswagens, WIRED

[Image: The $40 Arduino radio device the researchers used to intercept codes from vehicles’ key fobs.]

In 2013, when University of Birmingham computer scientist Flavio Garcia and a team of researchers were preparing to reveal a vulnerability that allowed them to start the ignition of millions of Volkswagen cars and drive them off without a key, they were hit with a lawsuit that delayed the publication of their research for two years. But that experience doesn’t seem to have deterred Garcia and his colleagues from probing more of VW’s flaws: Now, a year after that hack was finally publicized, Garcia and a new team of researchers are back with another paper that shows how Volkswagen left not only its ignition vulnerable but the keyless entry system that unlocks the vehicle’s doors, too. And this time, they say, the flaw applies to practically every car Volkswagen has sold since 1995.

Later this week at the Usenix security conference in Austin, a team of researchers from the University of Birmingham and the German engineering firm Kasper & Oswald plan to reveal two distinct vulnerabilities they say affect the keyless entry systems of an estimated nearly 100 million cars. One of the attacks would allow resourceful thieves to wirelessly unlock practically every vehicle the Volkswagen group has sold for the last two decades, including makes like Audi and Škoda. The second attack affects millions more vehicles, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.

Both attacks use a cheap, easily available piece of radio hardware to intercept signals from a victim’s key fob, then employ those signals to clone the key. The attacks, the researchers say, can be performed with a software-defined radio connected to a laptop, or in a cheaper and stealthier package, an Arduino board with an attached radio receiver that can be purchased for $40. “The cost of the hardware is petite, and the design is trivial,” says Garcia. “You can indeed build something that functions exactly like the original remote.”

100 Million Vehicles, Four Secret Keys

Of the two attacks, the one that affects Volkswagen is arguably more troubling, if only because it offers drivers no warning at all that their security has been compromised, and requires intercepting only a single button press. The researchers found that with some “tedious reverse engineering” of one component inside a Volkswagen’s internal network, they were able to extract a single cryptographic key value shared among millions of Volkswagen vehicles. By then using their radio hardware to intercept another value that’s unique to the target vehicle and included in the signal sent every time a driver presses the key fob’s buttons, they can combine the two supposedly secret numbers to clone the key fob and gain access to the car. “You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”

The attack isn’t exactly simple to pull off: Radio eavesdropping, the researchers say, requires that the thief’s interception equipment be located within about 300 feet of the target vehicle. And while the shared key that’s also necessary for the theft can be extracted from one of a Volkswagen’s internal components, that shared key value isn’t quite universal; there are several different keys for different years and models of Volkswagen vehicles, and they’re stored in different internal components.

The researchers aren’t revealing which components they extracted the keys from, to avoid tipping off potential car hackers. But they warn that if sophisticated reverse engineers are able to find and publicize those shared keys, each one could leave tens of millions of vehicles vulnerable. Just the four most common ones are used in nearly all of the 100 million Volkswagen vehicles sold in the past twenty years. They say that only the most recent VW Golf 7 model and others that share its locking system have been designed to use unique keys and are thus immune to the attack.
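The design difference between a key shared across a fleet and the unique keys credited above for the Golf 7's immunity can be modeled on the receiver side; this is an added example, not code from the article or the researchers' paper. HMAC-SHA256 stands in for the vehicles' actual cipher, which the article does not describe, and every name, key and ID is constructed.

```python
import hashlib
import hmac

# All keys and IDs below are constructed for illustration.
GLOBAL_KEY = b"constructed-fleet-wide-key"      # same value in every vehicle
MASTER_KEY = b"constructed-factory-master-key"  # never leaves the factory

def frame_tag(key: bytes, fob_id: bytes, counter: int) -> bytes:
    """Authenticate fob ID and rolling counter (HMAC stands in for the real cipher)."""
    msg = fob_id + counter.to_bytes(4, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

def unique_key(fob_id: bytes) -> bytes:
    """Per-vehicle key derived from the factory master key and the fob ID."""
    return hmac.new(MASTER_KEY, fob_id, hashlib.sha256).digest()

class Receiver:
    """Vehicle-side check: known fob, counter moves forward, tag verifies."""
    def __init__(self, fob_id: bytes, key: bytes, window: int = 16):
        self.fob_id, self.key, self.window = fob_id, key, window
        self.last_counter = 0

    def accept(self, fob_id: bytes, counter: int, tag: bytes) -> bool:
        if fob_id != self.fob_id:
            return False
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False  # replayed or implausibly far ahead
        if not hmac.compare_digest(tag, frame_tag(self.key, fob_id, counter)):
            return False
        self.last_counter = counter
        return True

def key_from_other_unit_validates(target: Receiver, other_unit_key: bytes) -> bool:
    """Blast-radius check: does key material held by a different unit
    produce a frame that `target` accepts?"""
    counter = target.last_counter + 1
    tag = frame_tag(other_unit_key, target.fob_id, counter)
    return target.accept(target.fob_id, counter, tag)

def compare_designs() -> dict:
    shared = Receiver(b"CAR-A", GLOBAL_KEY)
    unique = Receiver(b"CAR-A", unique_key(b"CAR-A"))
    return {
        "shared_key_design": key_from_other_unit_validates(shared, GLOBAL_KEY),
        "unique_key_design": key_from_other_unit_validates(unique, unique_key(b"CAR-B")),
    }

if __name__ == "__main__":
    print(compare_designs())
```

With a fleet-wide key, secrecy of the per-vehicle values in the radio frame is the only remaining barrier; with derived per-vehicle keys, key material recovered from one unit validates nothing on another.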

Cracked in 60 Seconds

The second technique that the researchers plan to reveal at Usenix attacks a cryptographic scheme called HiTag2, which is decades old but still used in millions of vehicles. For that attack they didn’t need to extract any keys from a car’s internal components. Instead, a hacker would have to use a radio setup similar to the one used in the Volkswagen hack to intercept eight of the codes from the driver’s key fob, which in modern vehicles includes one rolling code number that changes unpredictably with every button press. (To speed up the process, they suggest that their radio equipment could be programmed to jam the driver’s key fob repeatedly, so that he or she would repeatedly press the button, allowing the attacker to quickly record multiple codes.)

With that collection of rolling codes as a starting point, the researchers found that flaws in the HiTag2 scheme would allow them to break the code in as little as one minute. “No good cryptographer today would propose such a scheme,” Garcia says.

Volkswagen didn’t immediately respond to WIRED’s request for comment, but the researchers write in their paper that VW acknowledged the vulnerabilities they found. NXP, the semiconductor company that sells chips using the vulnerable HiTag2 crypto system to carmakers, says that it’s been recommending customers upgrade to newer schemes for years. “[HiTag2] is a legacy security algorithm, introduced eighteen years ago,” writes NXP spokesperson Joon Knapen. “Since 2009 it has been step by step substituted by more advanced algorithms. Our customers are aware, as NXP has been recommending not to use HT2 for fresh projects and design-ins for years.”

While the researchers’ two attacks both focus on merely unlocking cars rather than stealing them, Garcia points out that they might be combined with techniques like the one he and different teams revealed at the Usenix conferences in 2012 and last year. That research exposed vulnerabilities in the HiTag2 and Megamos “immobilizer” systems that prevent cars from being driven without a key, and would allow millions of Volkswagens and other vehicles ranging from Audis to Cadillacs to Porsches to be driven by thieves, provided they could get access to the inside of the vehicle.

Black Boxes and Mysterious Thefts

Plenty of evidence suggests that sort of digitally enabled car theft is already occurring. Police have been stumped by videos of cars being stolen with little more than a mystery electronic device. In one case earlier this month thieves in Texas stole more than thirty Jeeps using a laptop, seemingly connected to the vehicle’s internal network via a port on its dashboard. “I’ve personally received inquiries from police officers,” says Garcia, who added they had footage of thieves using a “black box” to break into cars and drive them away. “This was partly our motivation to look into it.”

For car companies, a fix for the problem they’ve uncovered won’t be easy, Garcia and Oswald contend. “These vehicles have a very slow software development cycle,” says Garcia. “They’re not able to react very quickly with fresh designs.”

Until then, they suggest that car owners with affected vehicles–the full list is included in the researchers’ paper (see below)–simply avoid leaving any valuables in their car. “A vehicle is not a safebox,” says Oswald. Careful drivers, they add, should even consider giving up on their wireless key fobs altogether and instead open and lock their car doors the old-fashioned, mechanical way.

But really, they point out, their research should signal to automakers that all of their systems need more security scrutiny, lest the same sort of vulnerabilities apply to more critical driving systems. “It’s a bit worrying to see security mechanisms from the 1990s used in fresh vehicles,” says Garcia. “If we want to have secure, autonomous, interconnected vehicles, that has to switch.”

Here’s the researchers’ full paper:
