100 million VWs can be unlocked with a $40 cracker (and other cars aren't much better)

In Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems, a paper given at the current Usenix Security conference in Austin, researchers with a proven track record of uncovering serious defects in automotive keyless entry and ignition systems revealed a technique for unlocking over 100 million Volkswagen cars, using $40 worth of hardware; they also revealed a technique for hijacking the locking systems of millions of other vehicles from other manufacturers.

The Volkswagen attack involves eavesdropping on one signal between a remote and its associated car, then combining this with cryptographic keys shared among all Volkswagen cars to clone the remote, using a cheap software-defined radio and a moderately powerful laptop.

The vulnerability in other manufacturers' cars turns on a newly discovered flaw in Hitag2, a decades-old cryptographic algorithm that is widely used in several current vehicle brands. In this exploit, attackers have to capture eight of the "rolling codes" (randomly changed codes that vary with each button press), possibly by jamming the fob's signals, causing the driver to mash the button repeatedly.

Using these eight intercepted values, the cracking program can clone the fob in less than a minute.

The researchers suggest that these techniques may account for a string of unsolved car thefts, especially those where CCTV footage shows thieves monkeying briefly with a laptop or small gadget and then entering the car and/or driving it away. They advise not leaving your valuables in your vehicle, ever.

For car companies, a fix for the problem they’ve uncovered won’t be easy, Garcia and Oswald contend. “These vehicles have a very slow software development cycle,” says Garcia. “They’re not able to respond very quickly with new designs.”

Until then, they suggest that car owners with affected vehicles—the full list is included in the researchers’ paper (see below)—simply avoid leaving any valuables in their car. “A vehicle is not a safebox,” says Oswald. Careful drivers, they add, should even consider giving up on their wireless key fobs altogether and instead open and lock their car doors the old-fashioned, mechanical way.

But really, they point out, their research should signal to automakers that all of their systems need more security scrutiny, lest the same sort of vulnerabilities apply to more critical driving systems. “It’s a bit worrying to see security techniques from the 1990s used in new vehicles,” says Garcia. “If we want to have secure, autonomous, interconnected vehicles, that has to change.”

Lock It and Still Lose It—On the (In)Security of Automotive Remote Keyless Entry Systems [Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès/Usenix Security]

A New Wireless Hack Can Unlock 100 Million Volkswagens [Andy Greenberg/Wired]