Over 100 million cars sold by Volkswagen since 1995 are susceptible to hacking due to security flaws in keyless entry systems, researchers have revealed.
Two UK-based computer experts at the University of Birmingham, Flavio Garcia and David Oswald, have published a paper showing how they were able to clone VW keyless systems by intercepting signals when drivers press their fobs to get into their vehicles.
"Major manufacturers have used insecure schemes over more than 20 years," the research paper asserts. Vehicles that are at risk to the attack include most Audi, VW, Seat and Skoda models sold since the mid-90s and roughly 100 million VW Group vehicles.
The landmark paper, which also included input from German engineering firm Kasper & Oswald, revealed two main vulnerabilities. The first could give hackers the ability to remotely break into nearly every car VW has sold since 2000. The second impacts 'millions' more vehicles such as Ford, Peugeot, Citroen and Ford.
As outlined in the paper, both attacks rely on "widely available" hardware that costs as little as $40 (£31) which can then be used to intercept and clone signals from victim's car fobs. Of course, at this point, cryptography becomes involved, but the experts found ways to crack that too.
"We discovered that the RKE [remote keyless entry] systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years," the researchers wrote.
"With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control. Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times."
The researchers were able to uncover the algorithms from the vehicles' electronic control units (ECUs) and, as a result, access the vehicle by eavesdropping on "a single signal sent from the original remote."
The paper stated: "The VW Group has sold almost 100 million cars from 2002 until 2015. While not all of these vehicles use the RKE schemes covered [...] we have strong indications that the vast majority are vulnerable to the attacks.
"While most automotive immobiliser systems have been shown to be insecure in the last few years, the security of remote keyless entry systems (to lock and unlock a car) based on rolling codes has received less attention."
"The attacks are highly scalable and could be potentially carried out by an unskilled adversary. Since they are executed solely via the wireless interface, with at least the range of the original remote control and leave no physical traces, they pose a severe threat in practice."
For owners of the affected vehicles, which is many, the researchers explained that a temporary countermeasure is to stop using or disable the remote unlocking features and use the traditional mechanical lock instead.
In light of the research, Volkswagen released a statement claiming the security systems on its vehicles are state-of-the-art however admitted there is "no 100% guarantee for security."
A spokesperson said: On one hand, criminals are equipped with sophisticated tools, and on the other hand, theft protection is impacted by the fact that we have to provide access to the OBD interface (on-board diagnosis) as well as the processes and documents in connection to these systems. The bar for theft prevention is constantly being raised, but ultimately there is no 100% guarantee for security."
The statement continued: "The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place.
"We agreed that the authors would publish their mathematical-scientific findings, but without the sensitive content that could be used by accomplished criminals to break into vehicles. The findings obtained will serve to further improve the security technology."
In 2015, a group of researchers - which included Garcia - was given permission to finally publish similar research regarding Volkswagen vehicles after facing a legal injunction that suppressed the academic research for two years.