Another worry for Volkswagen owners: Wireless hack can unlock millions of Audis, Porsches, VWs

There's a security hole in Volkswagen's keyless entry system, and it affects a lot of vehicles--basically, every vehicle that Volkswagen has built since 1995.

Yves Herman/Reuters/File
Audi A1 cars are parked at the Audi powerplant in Brussels, Belgium. A recently discovered security hole in Volkswagen's keyless entry system affects 100 million cars worldwide, including VW, Audi, and Porsche models.

If you're a Volkswagen owner, you've probably spent the last 11 months worrying about Dieselgate. Even folks who don't own diesels have been deeply concerned about the resale value of their VWs because of the black eye the brand has received in the press. 

Owners of Audi, Porsche, and other marques in the Volkswagen family haven't been quite as worried, since their brand names haven't been as closely associated with the ongoing scandal. But now, there's an issue that could affect all of them very, very directly. 

To put it bluntly, there's a security hole in Volkswagen's keyless entry system, and it affects a lot of vehicles--basically, every vehicle that Volkswagen has built since 1995.

Das sigh.

But wait, it gets worse: a second software flaw can give hackers access to other vehicles from makes like Alfa Romeo, Fiat, Ford, Mitsubishi, and Nissan.

All told, the two security issues affect 100 million vehicles worldwide. They were discovered by a team of engineers from the firm of Kasper & Oswald and researchers from the University of Birmingham. Details will be discussed at the USENIX Security conference, which is taking place this week in Austin, Texas.

Good news, bad news

The good news is, these security flaws don't allow bad guys and gals to pop open every affected car at once. They have to identify a particular car, then intercept the radio signal that passes from the owner's key fob to the car. 

In the case of the Volkswagen hack, intercepting a fob's signal gives would-be thieves the unique cryptographic key associated with the vehicle. That key must then be paired with another one--one that's shared among large numbers of vehicles from a particular Volkswagen brand or model year. That key is trickier to find, and only when hackers have both can they clone the fob for a specific car.

In other words, this isn't the kind of job your local, neighborhood hacker is likely to carry out--at least, not on his or her own.

And that brings us to the bad news.

If sophisticated hackers manage to identify the base cryptographic keys that are used across Volkswagen's vehicle lines, there's nothing to stop them from publishing that data to the internet. Other no-goodniks can then take that information, pull key codes from particular vehicles (a much simpler process), and voila: they're in.

Also, unlike the hack that researchers recently used to confound Tesla's Autopilot system, this one is cheap to deploy. All it takes is the right know-how, a laptop, a cheap micro-computer like an Arduino board with a radio receiver, and a fair bit of patience.

Worse still, the security hole that affects non-Volkswagen vehicles is simple to exploit, too. The vehicles vulnerable to this attack use fobs that send out eight cryptographic keys to open their doors. Seven of those remain constant, with the eighth changing at random.

By jamming the signal from an owner's key fob, hackers can intercept multiple cryptographic keys from the device. That reveals which of the seven keys are constant, and savvy hackers can identify the eighth in less than a minute.
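The shared-key weakness described above for the Volkswagen system can be seen in a small model. This is an added example, not code from the article or the researchers; the frame layout, the HMAC-SHA256 tag and the names `Receiver`, `make_frame` and `leak_blast_radius` are assumptions and do not reproduce Volkswagen's actual scheme. It compares how many vehicles are exposed when one key leaks under a fleet-wide key versus per-vehicle keys, and shows the counter check that rejects a replayed frame.

```python
import hmac, hashlib, os

TAG_LEN = 8  # truncated MAC length in bytes (assumed for this model)

def make_frame(key: bytes, fob_id: int, counter: int, button: int) -> bytes:
    """Fob frame: id | counter | button | truncated HMAC over those fields."""
    body = fob_id.to_bytes(4, "big") + counter.to_bytes(4, "big") + bytes([button])
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Vehicle-side check: paired fob, valid MAC, counter strictly increasing."""
    WINDOW = 256  # how far ahead the fob counter may run (missed presses)

    def __init__(self, key: bytes, fob_id: int):
        self.key, self.fob_id, self.last = key, fob_id, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 9 + TAG_LEN:
            return False
        body, tag = frame[:9], frame[9:]
        fob_id = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:8], "big")
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if fob_id != self.fob_id or not hmac.compare_digest(tag, expected):
            return False
        if not (self.last < counter <= self.last + self.WINDOW):
            return False  # replayed or stale frame
        self.last = counter
        return True

def leak_blast_radius(shared: bool, fleet_size: int = 5) -> int:
    """Count vehicles that accept a frame built with the key leaked from vehicle 0."""
    fleet_key = os.urandom(16)
    keys = [fleet_key if shared else os.urandom(16) for _ in range(fleet_size)]
    fleet = [Receiver(keys[i], fob_id=1000 + i) for i in range(fleet_size)]
    leaked = keys[0]  # key material recovered from a single unit
    # Fob IDs and counters are sent in the clear, so the model treats them as known.
    return sum(r.accept(make_frame(leaked, r.fob_id, r.last + 1, 1)) for r in fleet)

def replay_rejected() -> bool:
    key = os.urandom(16)
    rx = Receiver(key, 42)
    frame = make_frame(key, 42, 1, 1)
    return rx.accept(frame) and not rx.accept(frame)  # second use must fail

if __name__ == "__main__":
    print("shared fleet key :", leak_blast_radius(shared=True), "of 5 vehicles exposed")
    print("per-vehicle keys :", leak_blast_radius(shared=False), "of 5 vehicles exposed")
    print("replay rejected  :", replay_rejected())
```

With per-vehicle keys, a leak from one unit stays confined to that unit, which is the property the shared-key design gives up.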

Should you be worried?

Most people reading this have no reason to worry. Those most at risk of being hacked are those who drive very expensive cars or who have something of equal value to hackers. That doesn't describe us, and it probably doesn't describe most of you.

However, these hacks show the potential effect that security flaws can have on huge populations of vehicles. As our cars creep ever-closer toward total computerization and autonomization, these sorts of flaws--and the chaos that can ensue when they're exploited--will become an even greater concern for regulators, automakers, and consumers.
