By Stephanie Mlot,
A keyless car entry system used in Volkswagen vehicles for two decades can easily be hacked, according to a new report.
Computer security experts at the University of Birmingham in England this week published a paper highlighting the insecurity of remote keyless entry systems.
The feature—found in most VW Group vehicles manufactured since 1995—relies on a few global master keys. A nearby hacker can simply eavesdrop on and clone the driver’s key fob, and voila!—they gain unauthorized access to the car.
“Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles,” the research team, led by computer scientist Flavio Garcia, said in a paper.
Vulnerable vehicles include Audi, VW, Seat, and Škoda models sold over the past two decades; a VW spokesman, however, told Reuters the current Golf, Tiguan, Touran, and Passat models are safe from harm.
“Volkswagen takes the security of our customers and their vehicles very seriously. Volkswagen’s electronic and mechanical security measures are continuously being improved,” a company spokesman told PCMag. “The findings obtained will serve to further improve the security technology. … While legitimate research on auto security is important and necessary, hacking into vehicles is a malicious, criminal act.”
Owners of affected vehicles should be wary of unlocking their car doors remotely. Using cheap, off-the-shelf equipment, the wireless hack can be executed from about 20 yards away. Leaving no physical traces, it poses “a severe threat in practice,” the researchers said.
Garcia and fellow University of Birmingham lecturer David Oswald are scheduled to present their paper today at the Usenix security conference in Austin.
In 2013, Volkswagen thwarted an attempt by Garcia and his team to publish a paper detailing how certain anti-theft car immobilizers were vulnerable to hackers, Reuters reported. The research was made public last year, after the authors agreed to pull certain details that explained how to carry out an attack.
Garcia and a different set of researchers in November disclosed their latest findings to VW Group, Reuters said.