Four European researchers, led by Flavio Garcia from the University of Birmingham, have published a paper detailing how they successfully imitated the remote control key fob signals used by up to 100 million Volkswagen vehicles produced since 1995.
- shares

The paper details how the team was able to successfully produce valid key fob signals using around US$40 ($53.50) worth of electronics equipment, including a radio transmitter and receiver, battery, and circuit boards.

According to the researchers, there are four generations of Volkswagen Group key fobs, from 1995 until the introduction of Mark VII Golf, which employ a rolling code that's encrypted by a single set of worldwide master keys.

With a bit of effort the team were able to isolate and reverse engineer the master keys, which they found hidden in components within the car's internal communications and control systems.


Above: Volkswagen Golf Mark VII, one Volkswagen model not vulnerable to this hack.

Once the master keys were obtained, the team were able to easily replicate a key fob's functionality after intercepting communication from it once, for example when an owner is locking or unlocking their car.

This last step can be done up to 100 metres away, and enabled the team to capture and decrypt a working copy of that fob's rolling code. With this information they were then able calculate the number in the rolling code sequence.

During their research, the authors noted that more recent Volkswagen Group vehicles would begin reject signals from a key fob if its rolling code was more than two steps behind the next expected value.

As most, if not all, modern Volkswagen Group vehicles have an ignition immobiliser, this hack doesn't directly allow the researchers to drive away with a unlocked car, but it does provide a way for those with nefarious intentions to steal valuables or gain access to a vehicle without any telltale physical signs.

Volkswagen "acknowledged the vulnerabilities" to the researchers. In the interests of responsible disclosure, the authors did not publish reveal some of the details regarding their hack, including vulnerable component numbers, some of the equipment used, and, of course, the global encryption keys.

The paper does not provide an exhaustive list of affected vehicles, and the researchers weren't able to confirm if vehicles from Bentley, Bugatti, Lamborghini, and Porsche are affected.

Cars that have been confirmed as being vulnerable to this attack include the Audi A1, Q3 and R8, most of the Seat range, the Skoda Fabia, Superb, Yeti and Octavia, and the Volkswagen Amarok, Beetle, Caddy, Eos, Golf (Mark IV to Mark VI), Passat, Polo, Tiguan, and Up.

Peugeot 207CC press roof up

Above: Peugeot 207 CC.

The researchers were also able to successfully imitate signals from key fobs used by other brands as well. For these other key fobs, there wasn't a master key that they could obtain.

Instead they exploited the fobs' old and weak HiTag2 encryption algorithm. By capturing between four and eight encrypted rolling codes from a single key fob, the team were then able to figure out that fob's encryption key in under a minute using a laptop computer.

The problem here, of course, is that capturing data from the same fob up to eight times without being noticed by the car's owner. To get around this, the paper's writers suggest using equipment to both capture and jam the fob's signal. That way, the owner might press the unlock or lock button multiple times in succession.

Again, the paper doesn't attempt to give a definitive list of cars vulnerable to this attack. The researchers did note, though, that the hack was successful on the Alfa Romeo Giulietta, Dacia Logan, Fiat Punto, Ford Ka, Mitsubishi Colt, Nissan Micra, Opel Astra and Vectra, Peugeot 207, and Renault Clio.

NXP, which makes the HiTag2 transponder, "already informed their customers back in 2012" about the weaknesses of the HiTag2 encryption algorithm, and many vehicles being sold today employ more secure cryptography schemes.

In conclusion, the researchers note: "It is unclear whether [these two attacks] are currently carried out in the wild by criminals. However, there have been various media reports about unexplained theft from locked vehicles in the last years. The security issues described in this paper could explain such incidents."