100 Million Cars Made By Volkswagen Sold Since 1995 Are Vulnerable With A Simple Wireless Hack
Cars made by Volkswagen are vulnerable to a key cloning attack that could allow thieves to unlock the doors of most popular cars remotely through a wireless signal, according to new research.
The new attack applies to practically every car Volkswagen has sold since 1995.
There are two distinct vulnerabilities present in almost every car sold by Volkswagen group after 1995, including models from Audi, Skoda, Fiat, Citroen, Ford and Peugeot.
Computer scientists from the University of Birmingham and the German engineering firm Kasper & Oswald plan to present their research [PDF] later this week at the Usenix security conference in Austin, Texas.
Two separate attacks affecting different models are described in a paper by researchers from the University of Birmingham and German security firm Kasper & Oswald.
With the second method, an older cryptographic scheme in some other brands was found to have a similar, albeit more complex vulnerability.
The team showed it was possible for a malicious hacker to spy on key fob signals to target cars via a cheap, homemade radio.
The first attack can be carried out using a cheap radio device that can be made for just $40 with a small control board and a radio receiver, but is capable of eavesdropping and recording the rolling code values used by keyless entry systems.
By cloning the digital keys, the researchers found they could then unlock a variety of VW Group vehicles.
This was possible because they were able to reverse-engineer the keyless entry system in the affected models - a process which yielded some master cryptographic keys.
Prior to publishing their research, the team behind the paper agreed with Volkswagen that some key pieces of information - including the value of the master cryptographic keys - would not be made public.
However, they warned that if skilled hackers find and publicize those shared keys, each one could leave tens of Millions of cars vulnerable.
Mr Kasper said that after the researchers alerted Volkswagen to the problem in November 2015, they set up some meetings to help the car maker understand the vulnerability.
"We had very fruitful discussions - there was a very good atmosphere," he said.
However, there are "at least ten more, very widespread" hacking schemes affecting various other car brands that Kasper & Oswald is still waiting to publish, following appropriate disclosure to the companies involved, Mr Kasper added
In past 20 years, just the four most common keys are used in all the 100 Million cars sold by Volkswagen. Only the most recent VW Golf 7 model and others that use unique keys are immune to the attack.
In the second attack, the team managed to attack a cryptographic scheme called HiTag2 -- decades old rolling code scheme but still used in Millions of vehicles, including Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.
To carry out this attack, all a hacker needs is a radio setup similar to the one used in the above hack.
Using a radio device, the researchers were able to intercept and read a string of the coded signals (rolling code number that changes unpredictably with every button press) from the driver's key fob.
A spokesman for Volkswagen said several current-generation vehicles, including the Golf, Tiguan, Touran and Passat were not affected by the problem.
The spokesman added that starting the car's engine with this attack was "not possible".
Security expert Ken Munro at Pen Test Partners said critical components of the attack had been omitted from the published paper.
With the collection of rolling codes, the researchers discovered that flaws in the HiTag2 scheme would allow them to crack the cryptographic key in as little as one minute.
Since the above two attacks focus on unlocking cars rather than stealing them, the lead researcher Flavio Garcia told Wired these attacks might be combined with already exposed bugs in the HiTag2 and Megamos 'immobilizer' systems, allowing "Millions of Volkswagens and other vehicles ranging from Audis to Cadillacs to Porsches to be driven by thieves."
However, he also said the research was the latest in a string of similar findings that showed how many on-board systems in modern cars were vulnerable to hacking.
"Manufacturers are doing the right thing now, but you've got this huge problem with the installed base, those cars will last maybe 10 years - the fix is not simple," he told the BBC.
"You're potentially replacing all the control units in all the vehicles out there."
Mr Munro added that it might be possible to prevent the reverse-engineering approach taken by the researchers in order to prevent the discovery of the crucial cryptographic keys.
Source: Wired , BBC
The new attack applies to practically every car Volkswagen has sold since 1995.
There are two distinct vulnerabilities present in almost every car sold by Volkswagen group after 1995, including models from Audi, Skoda, Fiat, Citroen, Ford and Peugeot.
Computer scientists from the University of Birmingham and the German engineering firm Kasper & Oswald plan to present their research [PDF] later this week at the Usenix security conference in Austin, Texas.
Two separate attacks affecting different models are described in a paper by researchers from the University of Birmingham and German security firm Kasper & Oswald.
With the second method, an older cryptographic scheme in some other brands was found to have a similar, albeit more complex vulnerability.
The team showed it was possible for a malicious hacker to spy on key fob signals to target cars via a cheap, homemade radio.
Attack 1 — Using Arduino-based RF Transceiver 'Cryptographic catastrophe'
The first attack can be carried out using a cheap radio device that can be made for just $40 with a small control board and a radio receiver, but is capable of eavesdropping and recording the rolling code values used by keyless entry systems.
By cloning the digital keys, the researchers found they could then unlock a variety of VW Group vehicles.
This was possible because they were able to reverse-engineer the keyless entry system in the affected models - a process which yielded some master cryptographic keys.
"With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control," the researchers wrote in their paper. "Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times."
Prior to publishing their research, the team behind the paper agreed with Volkswagen that some key pieces of information - including the value of the master cryptographic keys - would not be made public.
However, they warned that if skilled hackers find and publicize those shared keys, each one could leave tens of Millions of cars vulnerable.
Mr Kasper said that after the researchers alerted Volkswagen to the problem in November 2015, they set up some meetings to help the car maker understand the vulnerability.
"We had very fruitful discussions - there was a very good atmosphere," he said.
However, there are "at least ten more, very widespread" hacking schemes affecting various other car brands that Kasper & Oswald is still waiting to publish, following appropriate disclosure to the companies involved, Mr Kasper added
In past 20 years, just the four most common keys are used in all the 100 Million cars sold by Volkswagen. Only the most recent VW Golf 7 model and others that use unique keys are immune to the attack.
Attack 2 — Hijack with HiTag2 and A Radio Device in 60 Seconds 'Constructive exchange'
In the second attack, the team managed to attack a cryptographic scheme called HiTag2 -- decades old rolling code scheme but still used in Millions of vehicles, including Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.
To carry out this attack, all a hacker needs is a radio setup similar to the one used in the above hack.
Using a radio device, the researchers were able to intercept and read a string of the coded signals (rolling code number that changes unpredictably with every button press) from the driver's key fob.
A spokesman for Volkswagen said several current-generation vehicles, including the Golf, Tiguan, Touran and Passat were not affected by the problem.
"The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place," he told the BBC.
The spokesman added that starting the car's engine with this attack was "not possible".
Security expert Ken Munro at Pen Test Partners said critical components of the attack had been omitted from the published paper.
"You'd need some academic-level knowledge of cryptography to be able to do this," he added.
With the collection of rolling codes, the researchers discovered that flaws in the HiTag2 scheme would allow them to crack the cryptographic key in as little as one minute.
Since the above two attacks focus on unlocking cars rather than stealing them, the lead researcher Flavio Garcia told Wired these attacks might be combined with already exposed bugs in the HiTag2 and Megamos 'immobilizer' systems, allowing "Millions of Volkswagens and other vehicles ranging from Audis to Cadillacs to Porsches to be driven by thieves."
However, he also said the research was the latest in a string of similar findings that showed how many on-board systems in modern cars were vulnerable to hacking.
"Manufacturers are doing the right thing now, but you've got this huge problem with the installed base, those cars will last maybe 10 years - the fix is not simple," he told the BBC.
"You're potentially replacing all the control units in all the vehicles out there."
Mr Munro added that it might be possible to prevent the reverse-engineering approach taken by the researchers in order to prevent the discovery of the crucial cryptographic keys.
Source: Wired , BBC
No comments
Post a Comment