British researchers say they have uncovered “severe” vulnerabilities in remote keyless entry systems used by millions of cars worldwide.
The researchers tested the keyless technology used in VW Group cars, which are sold under brands including VW, Seat, Skoda and Audi.
They also looked at a separate system that manages keyless entry for cars made by the likes of Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford “among others”.
Their findings, first reported by Wired, “could explain unsolved insurance cases of theft from allegedly locked vehicles”.
Both technologies the researchers examined are examples of “rolling code” keyless entry systems. These systems create a new cryptographic code every time the remote button is pressed, meaning the same code is never used twice to unlock the vehicle.
“An increased counter value is considered new and thus accepted. A rolling code with an old counter value is rejected,” the researchers said.
The researchers built small transceivers to “eavesdrop and record rolling codes [and] emulate a [car] key” using off-the-shelf components. The total cost of each device was about US$40 ($52).
In the case of VW Group cars, the researchers looked at four variations of rolling code schemes used in vehicles built from around 1995 to today.
They then sought access to the master key used by the cars to decode a signal from a key remote control and determine whether or not it is valid. To do this, they extracted firmware from various internal systems in the cars.
The researchers said that as part of “negotiations with VW Group, and to protect VW Group customers” they had agreed not to disclose exactly which components they tapped for the master keys, nor how they had reverse-engineered the components to extract the key.
But they said their system meant they only had to eavesdrop on a single button push by a car owner.
“Afterwards, [we] can decrypt this signal … and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times,” they said.
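The counter check described above, and why it stops protecting a vehicle once the same key is shared across a fleet, shown as an added example that is not code from the researchers or any manufacturer. HMAC-SHA256 stands in for the undisclosed cipher; the frame layout, `WINDOW` and all names are assumptions.

```python
import hashlib
import hmac
import os

WINDOW = 256  # assumed look-ahead: how far past the last counter a frame may be

def make_frame(key: bytes, serial: int, counter: int) -> bytes:
    """Remote side: serial and counter, followed by a truncated MAC over both."""
    body = serial.to_bytes(4, "big") + counter.to_bytes(4, "big")
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Vehicle side: accept a frame only if the MAC verifies and the counter is new."""
    def __init__(self, key: bytes, serial: int):
        self.key, self.serial, self.last = key, serial, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # wrong key or corrupted frame
        serial = int.from_bytes(body[:4], "big")
        counter = int.from_bytes(body[4:], "big")
        if serial != self.serial or not (self.last < counter <= self.last + WINDOW):
            return False  # old counter (replay) or too far ahead
        self.last = counter
        return True

def next_frame_accepted(vehicle_key: bytes, other_key: bytes, serial: int = 0x1234) -> bool:
    """Design check: after one legitimate frame, is the next counter value
    accepted when the frame is built with other_key instead of vehicle_key?"""
    rx = Receiver(vehicle_key, serial)
    observed = make_frame(vehicle_key, serial, 1)  # constructed sample frame
    rx.accept(observed)
    counter = int.from_bytes(observed[4:8], "big")
    return rx.accept(make_frame(other_key, serial, counter + 1))

def demo() -> dict:
    fleet_key = os.urandom(16)  # constructed: one key shared by every vehicle
    rx = Receiver(fleet_key, 0x1234)
    frame = make_frame(fleet_key, 0x1234, 1)
    results = {"fresh": rx.accept(frame), "replay": rx.accept(frame)}
    results["fleet_wide_key"] = next_frame_accepted(fleet_key, fleet_key)
    results["per_vehicle_key"] = next_frame_accepted(os.urandom(16), fleet_key)
    return results

if __name__ == "__main__":
    print(demo())
```

The counter only guards against replay of a recorded frame; the freshness check passes for anyone holding the key, which is why a key unique to each vehicle limits the exposure from one extracted key to one car.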
The researchers said that one countermeasure owners of vehicles could employ was not to use their remote keyless control and instead “resort to the mechanical lock of the vehicle”.
The second part of the research saw cryptographic weaknesses exploited in the Hitag2 remote keyless entry scheme used by a wide variety of manufacturers.
However, the researchers noted that the complexity of exploiting this system was “slightly higher” as it required eavesdropping on more than one rolling code.
The remote keyless entry vulnerabilities are the second set of major flaws found in car systems in the space of a year.
Last year, two security researchers famously used a zero-day exploit in a Jeep’s entertainment system to remotely commandeer a car as it was being driven on a highway.
Jeep maker Fiat Chrysler recalled 14 million cars to patch against the critical flaw.