Millions of Volkswagen cars vulnerable to a simple keyless entry hack

Researchers have discovered a vulnerability in the keyless entry system of vehicles sold by Volkswagen AG over the past two decades which could allow hackers to remotely unlock almost every car VW has produced since 1995.

The hack can be performed with easily available cheap technical devices to intercept the signal emitted from a victim’s key fob.

Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès, computer security experts at the University of Birmingham, exposed the vulnerability in a paper titled “Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems”.

The researchers did not fully disclose details of the hack in their paper to prevent savvy criminals from using it to break into cars.

The team said that “by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping a single signal sent by the original remote.”

Garcia was quoted by Wired as saying: “The cost of the hardware is small, and the design is trivial. You can really build something that functions exactly like the original remote.”

The researchers said that the vulnerability was identified in models as recent as the 2016 model year Audi Q3.

“It is conceivable that all VW Group (except for some Audi) cars manufactured in the past and partially today rely on a ‘constant-key’ scheme and are thus vulnerable to the attacks,” the paper said.

According to Reuters, a VW spokesman said that the current Golf, Tiguan, Touran and Passat models are not vulnerable to this form of attack.

“This current vehicle generation is not afflicted by the problems described,” VW spokesman Peter Weisheit said in a statement.

The researchers are going to present their paper on Friday at the Usenix security conference in Austin, Texas.