If you drive a VW, almost any VW from 1995 onwards, its remote key lock system can be hacked. Well that’s just another reason to take a bath, especially if you drive an emission cheating diesel too.
Researchers from the School of Computer Science at the University of Birmingham have found that VW is a major “lock it and lose it” risk due to vulnerabilities in its remote keyless entry systems.
They say the security of remote keyless entry systems (to lock, unlock and start a car) based on rolling codes is fatally flawed. They exposed the vulnerabilities for most VW Group vehicles manufactured between 1995 and today (including Seat, Skoda, and Audi but did not test Porsche, Bentley, Lamborghini or Bugatti) relying on a just four global master keys that can be hacked and easily cloned.
The researchers built a piece of Arduino-based radio hardware costing under US$40 attached to a laptop, that could eavesdrop up to 100 metres away on the signal sent from a key fob to the car and once decrypted could open and start the car.
{loadposition ray}
VW Group has about a 23% market share in Europe and 11% worldwide. It uses its own RKE (remote key entry) and OOK (on-off-keying) system and four different variations of that.
Researchers found that the following – at least 100 million cars - are affected.
- Audi: A1, Q3, R8, S3, TT, various other Audi with remote control part number 4D0837231
- VW: Amarok, Beetle, Bora, Caddy, Crafter, e-Up, Eos, Fox, Golf4, Golf5, Golf6, Golf Plus, Jetta, Lupo, Passat, Polo, T4, T5, Scirocco, Sharan, Tiguan, Touran, Up
- Seat: Alhambra, Altea, Arosa, Cordoba, Ibiza, Leon, MII, Toledo
- Skoda: CityGo, Roomster, Fabia1, Fabia2, Octavia, SuperB, Yeti
They concluded that it is conceivable that all VW Group cars relying on a “constant-key” scheme are vulnerable except for the latest platform - Golf7.
There are no known hacks yet, but the researchers state that there has been a raft of unexplained thefts of the affected models and theft of goods from locked vehicles – with no apparent break-in.
But it is what VW will do with this information – and they have had it for two years - that is the billion-dollar question? At the very least VW will need to offer a patch and reprogram hundreds of millions of keys.
It will likely affect other manufacturers. They are currently working on a second project that potentially affects Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
You can guarantee that cyber-car criminals are working on monetising this as you read.