Scheduled for presentation Friday at the USENIX security conference in Austin, Texas, the study shows that thieves can use a simple wireless device to unlock the doors of millions of cars remotely, essentially by cloning the remote control that wirelessly secures a car door lock.
A second hack involves recovering the cryptographic key by attacking the rolling code scheme, called “Hitag2,” and entering a few keystrokes on a laptop to access a car.
The vulnerability could impact up to 100 million cars manufactured under the Volkswagen brand and others over the past 20 years.
Keeping a Lid on It
The initial research was considered so sensitive that the manufacturer for two years blocked publication of some of the results through a lawsuit, before both sides sat down to examine the findings and take action to mitigate the risk.
“Volkswagen takes the security of our customers and their vehicles very seriously,” spokesperson Mark Gillies said. “Volkswagen’s electronic and mechanical security measures are continuously being improved.”
The company “was in contact with the academics mentioned, and a constructive exchange is taking place,” he noted.
Volkswagen agreed that the authors would “publish their mathematical-scientific findings,” said Gilles, “but without the sensitive content that could be used by accomplished criminals to break into vehicles.”
The findings in the research will be used to improve the company’s security-technology, he added, noting that while research on auto security is important, “hacking into vehicles is a malicious, criminal act.”
As cars become more connected, more hacking vulnerabilities are coming to light, said Akshay Anand, an automotive analyst at Kelley Blue Book.
“Luckily, to this point, all the hacks have either been controlled or with good intentions, but that may not always be the case in the future,” he told TechNewsWorld. “Since hacking will never be stopped 100 percent, the industry needs to focus on mitigating it as much as possible, and recover as quickly as possible when a hack does happen.”
The risk uncovered in this University of Birmingham study is twofold, said Steve Grobman, CTO at Intel Security. The Volkswagen master key appears to be at risk of reverse engineering and there are cryptographic vulnerabilities in remote keyless entry systems that use the Hitag2 system.
“These two issues likely apply to a large number of vehicles, both from Volkswagen and other manufacturers,” he told TechNewsWorld. “However, they appear to affect only the car entry subsystem, not other subsystems.
The underlying issues involved in this vulnerability, including weakness in the Hitag2 protocol, have worried security experts and carmakers for some time, Grobman said.
“Connected devices, including autonomous vehicles and home automation systems, should only adopt crypto algorithms and protocols that have been through an open and accepted selection process by industry standards organizations,” he advised.
This type of cyber risk became a concern years ago, as cars began to depend increasingly on wireless networks and remote access technologies, according to Clarence Ditlow, executive director of The Center for Auto Safety.
“Up until 10 to 12 years ago,” he told TechNewsWorld, “you had to have a mechanical key to start the engine.”