A New Wireless Hack Can Unlock Almost Every Volkswagen Sold Since 1995 (arstechnica.com)

← Back to Stories (view on slashdot.org)

A New Wireless Hack Can Unlock Almost Every Volkswagen Sold Since 1995 (arstechnica.com)

Posted by msmash on Thursday August 11, 2016 @06:05AM from the bigtime-nightmare dept.

Volkswagen isn't having the best of times. Tens of millions of vehicles sold by Volkswagen AG over the past 20 years are vulnerable to theft because keyless entry systems can be hacked using cheap technical devices, reports Wired (alternate source). Security experts of the University of Birmingham were able to clone VW remote keyless entry controls by eavesdropping nearby when drivers press their key fobs to open or lock up their cars. ArsTechnica reports: The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear. Led by Flavio Garcia at the University of Birmingham in the UK, the group of hackers reverse-engineered an undisclosed Volkswagen component to extract a cryptographic key value that is common to many of the company's vehicles. Alone, the value won't do anything, but when combined with the unique value encoded on an individual vehicle's remote key fob -- obtained with a little electronic eavesdropping, say -- you have a functional clone that will lock or unlock that car. VW has apparently acknowledged the vulnerability, and Greenberg (writer at Wired) notes that the company uses a number of different shared values, stored on different components. The second affects many more makes, "including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot," according to Greenberg. It exploits a much older cryptographic scheme used in key fobs called HiTag2. Again it requires some eavesdropping to capture a series of codes sent out by a remote key fob. Once a few codes had been gathered, they were able to crack the encryption scheme in under a minute.

59 of 115 comments (clear)

Min score:

Reason:

Sort:

Re:New tech defeats old tech by sexconker · 2016-08-11 06:12 · Score: 3, Informative

Keyword: since
Re:New tech defeats old tech by NatasRevol · 2016-08-11 06:16 · Score: 1

Also, this is new tech defeating stupid implementations.

--
There are two types of people in the world: Those who crave closure
Re:Volkswagen, again by beelsebob · 2016-08-11 06:19 · Score: 2

If you even read the summary, you'll see that it's VW, Alfa, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Well, I'm in the clear. by pecosdave · 2016-08-11 06:21 · Score: 1

I only have one keyfob and it isn't actually paired with the car anyways - I have to open it old-school.

--
The preceding post was not a Slashvertisement.
1. Re:Well, I'm in the clear. by pecosdave · 2016-08-13 07:34 · Score: 1
  
  I have a toddler that LOVES to push the panic button on the Ford's remote. Nah, about the only thing I'm really missing is opening the trunk without going to the drivers side door first, or opening the rear passenger door to shove the toddler into his seat first. Guess with time they decided you only need one keyhole on the outside of the car.
  
  --
  The preceding post was not a Slashvertisement.
this is why by The-Ixian · 2016-08-11 06:23 · Score: 1

You never buy a car with power windows.... every convenience is either an attack surface and/or a money sink when it needs to be repaired.

--
My eyes reflect the stars and a smile lights up my face.
1. Re:this is why by TheGratefulNet · 2016-08-11 06:24 · Score: 1
  
  power windows and power door locks are a GOOD SAFETY FEATURE.
  ever drive thru a bad area?
  then you'll understand.
  
  --
  
  --
  "It is now safe to switch off your computer."
2. Re:this is why by The+Grim+Reefer · 2016-08-11 06:43 · Score: 2
  
  power windows and power door locks are a GOOD SAFETY FEATURE.
  ever drive thru a bad area?
  then you'll understand.
  As long as it makes you feel better, I suppose. I used to live in bad areas. You do realize that the sound of those lock actuators are very audible outside the car too, right?
  At best, it'll make a bunch of people laugh at you. I've seen guys go up and punch the side window out of people cars when they lock them just for fun. And that window, or even the door panel isn't going to stop a bullet, no matter how many times you've seen it do so on TV or in the movies.
  Either lock your doors when you get in your car, or remember to do so long before you end up in a "bad area". At least you won't paint a target on yourself when you're feeling out of you comfort zone.
3. Re:this is why by TheGratefulNet · 2016-08-11 06:45 · Score: 2, Insightful
  
  let them punch my windows. in my whole life, I've never seen a FIST break a window. I think you are full of shit, my friend.
  
  --
  
  --
  "It is now safe to switch off your computer."
4. Re:this is why by pr0fessor · 2016-08-11 06:48 · Score: 2
  
  It depends on the make model mine is like $200 a door for the motor and assembly then $30 for the switch... then you have to drill out all the pop rivets if it's never been changed before and good luck installing the new motor and assembly hope you have tiny hands... sound like a crappy Saturday to me...
5. Re:this is why by The+Grim+Reefer · 2016-08-11 06:57 · Score: 1
  
  I have a Luddite coworker who shares your mistaken belief that power windows are some kind of problem. Regular windows fail too, and replacing a power window drive system is inexpensive and easy.
  I think the only failure I've ever had with manual windows is for the $.50 spring clip that holds the crank on gets lost after removing it to fix something else. Power window regulators typically run $100+. I've replaced too many of those to count over the years. Plus the time it takes to do so. I've also had to replace the switches in the passengers doors on occasion, which were relatively cheap. But the two times I've had to replace the drivers side it's the entire switch cluster. That was around $200 each time. And again the time it took to do so. Granted the switches don't take too long, but you have to be careful about removing the inside door clip, or you can break things. That can add a couple bucks for the plastic retaining clips, or could get into the hundreds of dollars if your not careful and break the panel itself.
  Power windows tend to stop working if you are in an accident and end up in water too. I was a passenger once when that happened.
  Not that I'd buy a car without power windows, but they are certainly not as cheap or durable as ones with a hand crank.
6. Re:this is why by Locke2005 · 2016-08-11 06:59 · Score: 1
  
  Yeah, power windows and locks are great, until you drive into water, short out the electrical system, and are trapped inside the car. Rule of thumb: EVERY automatic system should have a manual backup! (To BMW's credit, their electric sunroof comes with a crank handle that can be used to close the sunroof when the electric motor fails. Not sure how many other manufacturers do this.)
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
7. Re:this is why by rgbscan · 2016-08-11 07:01 · Score: 1
  
  I dunno, I've seen a cop tear a window out with his bare hands. Look on youtube at "Man refuses to give license, gets tazed" uploaded by instajustice, at 2:13. Crazy.
8. Re:this is why by Anonymous Coward · 2016-08-11 07:20 · Score: 2, Informative
  
  In the U.S., cars will unlock with the mechanical motion of pulling the handle from the inside or must have the ability to be unlocked mechanically without electrical power. It's an NHTSA requirement for safety.
9. Re:this is why by sjames · 2016-08-11 07:22 · Score: 1
  
  All it takes is a ring with a point on it.
10. Re:this is why by tlhIngan · 2016-08-11 07:24 · Score: 3, Informative
  
  Yeah, power windows and locks are great, until you drive into water, short out the electrical system, and are trapped inside the car. Rule of thumb: EVERY automatic system should have a manual backup! (To BMW's credit, their electric sunroof comes with a crank handle that can be used to close the sunroof when the electric motor fails. Not sure how many other manufacturers do this.)
  Well, you can do the ObMythbusters who tested exactly that and found... it still works great, even after being submerged for 45 minutes.
  Or you can realize that it's pretty waterproof as it is, otherwise they'd short out in a moderate rainstorm - battery being in the engine compartment and getting wet, and the doors getting water inside of them too.
  No, what really prevents the windows from opening is water pressure - and even a manual crank is too weak to open a window in a fully submerged car.
11. Re:this is why by dreamchaser · 2016-08-11 07:30 · Score: 2
  
  By the time they manage to break through the safety glass my legally owned and operated handgun will be at the ready, so it doesn't really matter, though I agree he is full of shit.
12. Re:this is why by BitterOak · 2016-08-11 07:50 · Score: 2
  
  In the U.S., cars will unlock with the mechanical motion of pulling the handle from the inside or must have the ability to be unlocked mechanically without electrical power. It's an NHTSA requirement for safety.
  Have you ever tried opening a car door under water with the windows shut?
  
  --
  If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
13. Re:this is why by oobayly · 2016-08-11 07:56 · Score: 1
  
  Luckily most of us come from countries where a "bad area" means that somebody *might* try opening your door to steal a bag on the passenger seat, not start firing bullets at you.
14. Re:this is why by Cro+Magnon · 2016-08-11 08:09 · Score: 1
  
  In my country, that happens in the "good" areas!
  
  --
  Slow down, cowboy! It has been 4 hours since you last posted. You must wait another few hours.
15. Re:this is why by whoever57 · 2016-08-11 08:46 · Score: 1
  
  Yeah, power windows and locks are great, until you drive into water, short out the electrical system, and are trapped inside the car.
  
  That's why you have combination hammer/seatbelt cutter readily available.
  
  --
  The real "Libtards" are the Libertarians!
16. Re:this is why by Anonymous Coward · 2016-08-11 08:47 · Score: 3, Funny
  
  Yes, I test this weekly just to be safe.
17. Re:this is why by The+Grim+Reefer · 2016-08-11 08:49 · Score: 1
  
  let them punch my windows. in my whole life, I've never seen a FIST break a window.
  In my whole life, I've never seen an atom either or Antarctica for that matter. I'm pretty sure they exist.
  Obviously we grew up in much different places. Your parents probably didn't encourage you to fight either. Many of my friends parents did when I was younger. Mine didn't actively encourage it, but they didn't discourage it either.
  
  I think you are full of shit, my friend
  Yes, obviously you must know all and see all.
18. Re:this is why by deadwill69 · 2016-08-11 08:57 · Score: 2
  
  Check out the 30(21) foot rule of fighting one day. Might make you think twice about how safe you are with that handgun. "Originating from research by Salt Lake City trainer Dennis Tueller "rule" states that in the time it takes the average officer to recognize a threat, draw his sidearm and fire 2 rounds at center mass, an average subject charging at the officer with a knife or other cutting or stabbing weapon can cover a distance of 21 ... Edged Weapon Defense: Is or was the 21-foot Rule Valid?" Said suspect is already at your car. If your weapon is not already in your hand you have very few options.
19. Re:this is why by deadwill69 · 2016-08-11 08:58 · Score: 1
  
  Why don't you do a quick search and see how many hits with video you get. This was just a sample.
20. Re:this is why by The+Grim+Reefer · 2016-08-11 09:47 · Score: 1
  
  By the time they manage to break through the safety glass my legally owned and operated handgun will be at the ready, so it doesn't really matter,
  This was just stupid teenage kid stuff. They'd run up and punch the window and run away. They didn't always break. The idea was to scare the hell out of the driver. Most of the time the person in the car ran the red light to get out of there.
  Just what do you think is going to happen if you shoot some kid in the ghetto who's pulling a prank? You're either going to go to jail for a very long time or get yourself killed.
  I can't say I've really looked into it, but I'd guess it would have been easier to break side windows back then as the doors tended to be a lot longer than modern cars. It probably wasn't designed as well either.
  
  though I agree he is full of shit.
  Oh look, another person who know all and sees all.
21. Re:this is why by TroII · 2016-08-11 11:49 · Score: 1
  
  This is why I keep Donald Trump on speed dial. $230 is pocket litter, and his tiny hands can fit down into the innards of the car door.
  
  --
  "If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
22. Re:this is why by deadwill69 · 2016-08-12 08:48 · Score: 1
  
  Seems to work for them in the UK. Mostly.
Drive-by fix by Tablizer · 2016-08-11 06:25 · Score: 2

Good, it should then be easy for VW to update all their cheating smog applications.

--
Table-ized A.I.
Can someone hack the Dodge Charger next? by burhop · 2016-08-11 06:26 · Score: 4, Funny

My key fob broke and Dodge wants several hundred dollars to replace it with a new one.
Plus, it would be way cooler to walk around with a Raspberry Pi on my keychain that opens my car, everyone else car, and turns down the radio of the car parked next to me at a red light.
1. Re:Can someone hack the Dodge Charger next? by phorm · 2016-08-11 06:34 · Score: 1
  
  Pi might be a bit inconvenient for that. How about a smartphone app?
2. Re:Can someone hack the Dodge Charger next? by quenda · 2016-08-11 12:43 · Score: 1
  
  My key fob broke and Dodge wants several hundred dollars to replace it with a new one.
  So you car still starts, but no keyless entry?
  You should be able to get cheap generic fobs and receiver, and wire it to the unlock button inside your car.
3. Re:Can someone hack the Dodge Charger next? by burhop · 2016-08-12 00:53 · Score: 1
  
  My key fob broke and Dodge wants several hundred dollars to replace it with a new one.
  So you car still starts, but no keyless entry?
  You should be able to get cheap generic fobs and receiver, and wire it to the unlock button inside your car.
  Weekend project! Whoo hooo!
Partially Expected by EndlessNameless · 2016-08-11 06:31 · Score: 5, Insightful

So in 1995, we also saw SHA1 formally accepted as a standard. And SHA1 is now considered to weak to be secure against well-funded attackers.
The standard VW used had to be developed prior to 1995 if it was in production for the 1995 model year, so it's not surprising that it is more vulnerable. Compute capabilities have grown quite a bit.
The only real problem I see is that VW is still using 90s-era crypto in modern vehicles. I'm not surprised by this, and I'd be shocked if they were the only ones---but it is still a problem.
Cars with remote start and smartphone integration really need to have software support and upgrades over their anticipated lifespan. Sorry if it's a hassle, but cars are IT devices now.

--

---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
1. Re:Partially Expected by EndlessNameless · 2016-08-11 06:32 · Score: 1
  
  *too weak
  Dammit.
  
  --
  
  ---
  According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
2. Re:Partially Expected by Anonymous Coward · 2016-08-11 07:46 · Score: 1
  
  Cars with remote start and smartphone integration really need to have software support and upgrades over their anticipated lifespan. Sorry if it's a hassle, but cars are IT devices now.
  Like our phones, you mean?
3. Re:Partially Expected by Hylandr · 2016-08-11 08:06 · Score: 1
  
  Compute capabilities have grown quite a bit.
  Is anyone missing their old 486DX4 100?
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
4. Re:Partially Expected by Hylandr · 2016-08-11 08:08 · Score: 1
  
  If you own a Dodge built around 2000+ then yes.
  And they used GPIO for most of it. Including the transmission shifting.
  
  --
  ~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
5. Re:Partially Expected by armanox · 2016-08-11 10:17 · Score: 1
  
  Sometimes - much less bloat back in those days.
  
  --
  I'm starting to think GNU is the problem with "GNU/Linux" these days.
Direct link to PDF of research paper by Anonymous Coward · 2016-08-11 06:36 · Score: 5, Informative

The page at Wired requires tons of third-party Javascript and then tries to block ad blockers, so here's a link to the raw PDF:
https://assets.documentcloud.org/documents/3010178/Volkswagen-amp-HiTag2-Keyless-Entry-System.pdf
Re:As always, the ASIAN cars are safest of all by Anonymous Coward · 2016-08-11 06:41 · Score: 1

RTFA:

The findings are to be presented at a security conference later this week and detail two different vulnerabilities...
The first affects almost every car Volkswagen has sold since 1995, with only the latest Golf-based models in the clear....
The second affects many more makes, "including Alfa Romeo, Citroën, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot," according to Greenberg.
This whole IoT, RF controlled... by Anonymous Coward · 2016-08-11 06:46 · Score: 1

devices thing may be getting out of hand. Besides car entry and starting lack of security, we have Blue Tooth door locks that broadcast their pass code in plain text, thermostats that send info to their manufacturer about where householders may be or not be, "smart" TVs with audio pickup and maybe video being compromised so as to pass their data to who knows where, refrigerators sending personal info in the clear to where ever, and most recently Blue Tooth enabled vibrators sending usage information to its manufacturer. We're living a security and privacy nightmare.
1. Re:This whole IoT, RF controlled... by Locke2005 · 2016-08-11 07:03 · Score: 1
  
  The Internet of Things. Turns out "Things" are a pretty gossipy bunch! Yes, most wireless-enabled front doorlocks are inherently insecure, I think the Kwikset was they only one they haven't found problems with... yet.
  
  --
  I've abandoned my search for truth; now I'm just looking for some useful delusions.
2. Re:This whole IoT, RF controlled... by Anonymous Coward · 2016-08-11 07:37 · Score: 1
  
  Yeah, but Kwiksets are trivial to pick mechanically. They only have 4 pins and you can bump the lock manually really easily. So adding secure electronics on top of that doesn't matter...
Re:Volkswagen, again by Knuckx · 2016-08-11 06:48 · Score: 2

Real Fords are unaffected; if you read the paper, the vulnerable model are the Ka Mk2 and onward, which are actually rebadged Fiat 500's.
No Ford actually designed or engineered by Ford is in the list.
That's what I was going to say. 2012 Dodge Charger by raymorris · 2016-08-11 06:54 · Score: 1

I was going to say exactly that. I have one key fob for me Charger, but I lose things, so I expect I'll lose it at some point, or break it. I'd love to crack it first. I hate to spend several hundred dollars on a spare.
I understand that slightly older Dodge vehicles can be hacked wirelessly through the infotainment system, but I don't think that hack applies to my car.
Re: New tech defeats old tech by fubarrr · 2016-08-11 07:41 · Score: 1

WVs were being stolen with a replay attack since nineties in Russia
Re:This just in by boristdog · 2016-08-11 07:46 · Score: 1

Yeah, I can still open my 2010 truck with a coat hanger, so I ain't to worried.
Re:Volkswagen, again by Hylandr · 2016-08-11 07:49 · Score: 1

This joke is older than the exploit.

--
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Re:Volkswagen, again by Hylandr · 2016-08-11 07:51 · Score: 1

I get pulled over for burned out lamps too. Must be cause I am white. :(

--
~ People that think they are better than anyone else for any reason are the cause of all the strife in the world.
Re:This just in by holophrastic · 2016-08-11 07:53 · Score: 2

You're right. It's just sitting in my pocket, on my desk, in a bowl, for anyone to take at any time without my knowledge. Pick any movie from the '90s. I'll start. The Thomas Crown Affair.
Keys aren't meant to keep people out. My house's front door is protected by a key -- only one key will fit the lock. And next to the door is a big glass window -- any key in the world will shatter that window..
Keys, like most security, are meant to require an attacker to escalate their attacks -- so the 7 year-old down the street won't accidentally enter my house, and so the expert burglar needs to actually do something that's always illegal. See, opening the door to my house is legal under so many circumstances. But picking the lock is legal under so very few.
The only security measure that's meant to keep people out is, and always has been, another person.
Re:This just in by holophrastic · 2016-08-11 08:00 · Score: 1

Good one. Let's crowdsource a list, shall we?
Coat Hanger
Slim Jim
Air Bag
from-inside-the-trunk
a knife through the rag top convertible
just plain forcing down the window with a glass-transport suction cup
jumping into the open convertible on a nice day
ten guys picking up a small car and carrying it away
four guys picking up half a small car and dragging it away
loading a small car into a large truck
using any tow truck on any car
a crow bar
a window-breaker
Yeah, it's the wireless that's the problem. Sure.
Re:Volkswagen, again by drinkypoo · 2016-08-11 08:09 · Score: 1

All the affected Audis have Bosch PCMs, and the immobilizer is in the PCM itself on many of them including my 1997 A8, which has a later ME5 sadly and not a ME7.

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Re:Volkswagen, again by Anne+Thwacks · 2016-08-11 08:21 · Score: 2

A couple of years ago (about 7 really) I got stopped for a faulty headlight bulb, just down the road from my home. Three cops standing round booking me. The owner of the copy shop by the side of the road come shout shouting "My shop is being robbed!"
The cops continue booking me. The guys is screaming till he goes blue!

--
Sent from my ASR33 using ASCII
i have an idea! by kaatochacha · 2016-08-11 08:28 · Score: 3, Insightful

It's a shame someone hasn't invented a physical device that cannot be remotely skimmed, which the person could carry upon themselves and use with a physical interface to unlock the door. Perhaps a series of notches on some item that would inserted into the car?
1. Re:i have an idea! by Anonymous Coward · 2016-08-11 09:25 · Score: 1
  
  But physical devices are too vulnerable. All someone needs to do is take a high-quality picture of the device, and it can then be copied and printed on a 3D printer in a matter of hours.
2. Re:i have an idea! by Anonymous Coward · 2016-08-11 12:29 · Score: 1
  
  (Sure, the key probably has a chip in it, but that's only checked for the ignition.)
  Actually, that's not true. My car (a 2004 Holden Commodore - a full sized general purpose everyday family car, for the non Australians) has a built in alarm that sounds if you open it with the physical key when it had been locked with the remote.
  It's probably its most annoying feature - since it also warns you via the same method if you lock the car with one of the doors open.
Re:Volkswagen, again by kaatochacha · 2016-08-11 10:02 · Score: 1

If they fine you, money for the dept.
If they stop a thief, no money for the dept.
Re:New tech defeats old tech by Bob_Who · 2016-08-11 19:03 · Score: 1

Right. Why should we believe that the wireless hack is new if the car it opens "since" 1995 is not...
It is more likely that if a key exists to open doors for twenty years that it is not new. Its probably twenty years old.
The only thing new here is the clue to the clueless.