A wireless hack has exposed a massive security breach in cars made by the Volkswagen group that could potentially put 100 million cars at risk.
The vulnerability was discovered by University of Birmingham computer scientist, Flavio Garcia and his team, and puts everything from small hatchbacks to supercars at risk.
The hack can be pulled off with equipment as cheap as $40 (Rs. 2,672). The setup just requires a small microcontroller board with and an add-on radio transceiver board to intercept signals from any key fob for cars made by the Volkswagen Group.
The signal, when combined with a minuscule number of cryptographic keys shared by every VW car could easily be used to clone the key fob from any car from the VW group (Audi, Bentley, Lamborghini, Skoda to name a few).
In his paper, Garcia describes the hack stating, "In our first case study, we show that the security of the keyless entry systems of most VW Group vehicles manufactured between 1995 and today relies on a few, global master keys. We show that by recovering the cryptographic algorithms and keys from electronic control units, an adversary is able to clone a VW Group remote control and gain unauthorized access to a vehicle by eavesdropping a single signal sent by the original remote."
To intercept the signal, any tech-savvy thief needs to be within 300 feet (91.44 metres) of the signal with the right equipment (which at $40 isn't all that expensive). However, getting one of the four cryptographic keys used by the VW Group requires a bit more finesse and a some reverse engineering.
Garcia and his team stated, "Using widely available, standard programming tools for automotive processors, we were able to obtain firmware dumps for all studied ECUs. We then located and recovered the cryptographic algorithms by performing static analysis of the firmware image, searching amongst others for constants used in common symmetric ciphers and common patterns of such ciphers (e.g., table lookups, sequences of bitwise operations)."
If you want to know about the hacks and how they affect your car, you can find them in the paper that Garcia and his team showed at USENIX 2016.