{"id":238762,"date":"2016-08-13T05:32:50","date_gmt":"2016-08-13T05:32:50","guid":{"rendered":"http:\/\/citifmonline.com\/?p=238762"},"modified":"2016-08-13T05:32:50","modified_gmt":"2016-08-13T05:32:50","slug":"millions-of-volkswagen-cars-can-be-unlocked-via-hack","status":"publish","type":"post","link":"https:\/\/citifmonline.com\/?p=238762","title":{"rendered":"&#8216;Millions&#8217; of Volkswagen cars can be unlocked via hack"},"content":{"rendered":"<p class=\"story-body__introduction\">A sizeable proportion of 100 million Volkswagen Group cars sold since 1995 can be unlocked remotely by hackers, a team of researchers has said.<\/p>\n<p>The problem affects a range of vehicles manufactured between 1995 and 2016 &#8211; including VWs and models from the company&#8217;s Audi, Seat and Skoda brands.<\/p>\n<p>A homemade radio costing about \u00a330 is the only hardware an attacker requires.<\/p>\n<p>Volkswagen said it was working with the researchers and added that several new vehicles were unaffected by the issue.<\/p>\n<p>Two separate attacks affecting different models are described in a paper by researchers from the University of Birmingham and German security firm Kasper &amp; Oswald.<\/p>\n<p>With the second method, an older cryptographic scheme in some other brands was found to have a similar, albeit more complex vulnerability.<\/p>\n<p>The team showed it was possible for a malicious hacker to spy on key fob signals to target cars via a cheap, homemade radio.<\/p>\n<p class=\"story-body__crosshead\"><strong>&#8216;Cryptographic catastrophe&#8217;<\/strong><\/p>\n<p>By cloning the digital keys, the researchers found they could then unlock a variety of VW Group vehicles.<\/p>\n<p>This was possible because they were able to reverse-engineer the keyless entry system in the affected models &#8211; a process which yielded some master cryptographic keys.<\/p>\n<p>Prior to publishing their research, the team behind the paper agreed with Volkswagen that some key pieces of information &#8211; including the value of the master cryptographic keys &#8211; would not be made public.<\/p>\n<p>&#8220;We were kind of shocked,&#8221; Timo Kasper at Kasper &amp; Oswald told the BBC. &#8220;Millions of keys using the same secrets &#8211; from a cryptography point of view, that&#8217;s a catastrophe.&#8221;<\/p>\n<figure class=\"media-landscape has-caption full-width\"><span class=\"image-and-copyright-container\"><img loading=\"lazy\" decoding=\"async\" class=\"responsive-image__img js-image-replace\" src=\"http:\/\/ichef-1.bbci.co.uk\/news\/624\/cpsprodpb\/16B6C\/production\/_90763039_gettyimages-525423918.jpg\" alt=\"Volkswagen factory\" width=\"976\" height=\"549\" data-highest-encountered-width=\"624\" \/><span class=\"off-screen\">Image copyright<\/span><span class=\"story-image-copyright\">AFP<\/span><\/span><figcaption class=\"media-caption\"><span class=\"off-screen\">Image caption<\/span><span class=\"media-caption__text\">Volkswagen produces around 10 million cars every year<\/span><\/figcaption><\/figure>\n<p>Mr Kasper said that after the researchers alerted Volkswagen to the problem in November 2015, they set up some meetings to help the car maker understand the vulnerability.<\/p>\n<p>&#8220;We had very fruitful discussions &#8211; there was a very good atmosphere,&#8221; he said.<\/p>\n<p>However, there are &#8220;at least ten more, very widespread&#8221; hacking schemes affecting various other car brands that Kasper &amp; Oswald is still waiting to publish, following appropriate disclosure to the companies involved, Mr Kasper added.<\/p>\n<p class=\"story-body__crosshead\"><strong>&#8216;Constructive exchange&#8217;<\/strong><\/p>\n<p>A spokesman for Volkswagen said several current-generation vehicles, including the Golf, Tiguan, Touran and Passat were not affected by the problem.<\/p>\n<p>&#8220;The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place,&#8221; he told the BBC.<\/p>\n<p>The spokesman added that starting the car&#8217;s engine with this attack was &#8220;not possible&#8221;.<\/p>\n<p>Security expert Ken Munro at Pen Test Partners said critical components of the attack had been omitted from the published paper.<\/p>\n<p>&#8220;You&#8217;d need some academic-level knowledge of cryptography to be able to do this,&#8221; he added.<\/p>\n<figure class=\"media-landscape has-caption full-width\"><span class=\"image-and-copyright-container\"><img loading=\"lazy\" decoding=\"async\" class=\"responsive-image__img js-image-replace\" src=\"http:\/\/ichef-1.bbci.co.uk\/news\/624\/cpsprodpb\/32EC\/production\/_90763031_gettyimages-584022404.jpg\" alt=\"VW logo\" width=\"976\" height=\"549\" data-highest-encountered-width=\"624\" \/><\/span><\/figure>\n<p>However, he also said the research was the latest in a string of similar findings that showed how many on-board systems in modern cars were vulnerable to hacking.<\/p>\n<p>&#8220;Manufacturers are doing the right thing now, but you&#8217;ve got this huge problem with the installed base, those cars will last maybe 10 years &#8211; the fix is not simple,&#8221; he told the BBC.<\/p>\n<p>&#8220;You&#8217;re potentially replacing all the control units in all the vehicles out there.&#8221;<\/p>\n<p>Mr Munro added that it might be possible to prevent the reverse-engineering approach taken by the researchers in order to prevent the discovery of the crucial cryptographic keys.<\/p>\n<p>The paper will be presented later today at the Usenix cybersecurity conference in Austin, Texas.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A sizeable proportion of 100 million Volkswagen Group cars sold since 1995 can be unlocked remotely by hackers, a team of researchers has said. The problem affects a range of vehicles manufactured between 1995 and 2016 &#8211; including VWs and models from the company&#8217;s Audi, Seat and Skoda brands. A homemade radio costing about \u00a330 [&hellip;]<\/p>\n","protected":false},"author":14,"featured_media":238765,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jnews-multi-image_gallery":[],"jnews_single_post":[],"jnews_primary_category":[],"jnews_social_meta":[],"jnews_override_counter":[],"footnotes":""},"categories":[106],"tags":[],"class_list":["post-238762","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/238762","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=238762"}],"version-history":[{"count":0,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/posts\/238762\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=\/wp\/v2\/media\/238765"}],"wp:attachment":[{"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=238762"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=238762"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/citifmonline.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=238762"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}