Researchers at the University of Birmingham in the U.K. have found a vulnerability that potentially affects more than 100 million Volkswagen vehicles.
Flavio D. Garcia, David Oswald, Pierre Pavlidès and Timo Kasper have published a study that details the vulnerability of keyless entry systems used in various Volkswagen Group models that date back to 1995, and potentially affected vehicles include the Audi A1, Q3, R8, S3 and TT; Volkswagen Amarok, Beetle, Bora, Caddy, Crafter, e-Up, Eos, Fox, Golf 4, Golf 5, Golf 6, Golf Plus, Jetta, Lupo, Passat, Polo, T4, T5, Scirocco, Sharan, Tiguan, Touran and Up; Seat Alhambra, Altea, Arosa, Cordoba, Ibiza, Leon, MII and Toledo; Skoda City Go, Roomster, Fabia 1, Fabia 2, Octavia, SuperB and Yeti.
Essentially, thieves are able to use an affordable and available transmitter to intercept the wireless signal from a key fob, capturing the signal so that it can be retransmitted to gain access to the vehicle. Even worse, if the vehicle is equipped with keyless ignition, another previously known exploit could be used to start and drive the vehicle.
The researchers note that the list is not exhaustive, as they did not have access to all types and model years of cars, and it is unclear if and when a car model was upgraded to a newer scheme. They added that it is possible that all Volkswagen Group cars manufactured in the past and partially today rely on a “constant-key” scheme, and are still vulnerable to the hacks, except for the cars that rely on the latest platform, like the latest Golf.
It’s worth noting that it isn’t an easy hack, despite the transmitter being readily available. Thieves must have the intercepting device within a few hundred feet of the key fob, and the key fob must be pressed in order to capture the signal. From there, the signal must be combined with a cryptographic key before the signal can be fully cloned. According to the research paper, the key is difficult to obtain, but not impossible. The German automaker only used four common ones in closed to all the 100-million vehicles sold in the past 20 years.
Volkswagen is aware of the issue.