UPDATED 6:15 p.m. Thursday with comment from NXP.
If you've got a Volkswagen or an Audi built in the past 20 years, or a Ford, Chevy, Nissan or Fiat made in the past decade, you may want to stop using your wireless key fob or ignition-key buttons to lock and unlock your car — like, forever.
The 2013 Volkswagen Golf Mark 7, one of the few late-model Volkswagens not affected by the keyless-entry flaw. Credit: M93/Creative CommonsThe remote-keyless-entry (RKE) systems on many of those vehicles could let a thief into your car without you ever knowing it, according to a research paper to be presented tomorrow (Aug. 12) at the USENIX computer-security conference in Austin, Texas. There's no practical fix for the problem, short of a recall of all affected ignition keys and key fobs.
"Owners of affected vehicles should be aware that unlocking the doors of their car is much simpler than commonly assumed today," the authors of the paper say.
The research team was led by Flavio Garcia of the University of Birmingham in England and Timo Kasper of the information-security firm Kasper & Oswald in Bochum, Germany. It found that most or all cars made by Volkswagen Group since 1995 used only four different master encryption codes to secure the wireless signals sent by ignition keys and key fobs issued to about 100 million vehicles.
The master codes were hard-coded into the ignition keys and key fobs themselves, and each was reused for years until the next generation of ignition keys and key fobs came along.
(This attack does not involve ignition keys that don't have a remote-unlock button to press. Nor does it involve the ignition component of passive-keyless-entry-and-start systems, which let you start the car without putting the ignition key into the steering column. But it does involve the door- and trunk-locking features of those systems.)
If an attacker knew the master encryption code for a particular model year — one of the four master codes was used for all models from 1995 through 2003 — then he or she could use inexpensive radio software to capture a single command the car owner sent from a key fob or ignition key to the car. The attacker wouldn't even have to be nearby, as high-gain antennae in the bed of an SUV could grab the signal from hundreds of feet away.
Once the command was captured and decoded, the attacker could then play back a slightly modified version of it to lock or unlock the car after the owner had left.
"It is technically feasible to eavesdrop the signals of all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight," the paper said. "Afterwards, all vulnerable cars could be opened by the adversary."
The attack worked on all models of Volkswagen, Audi, Seat and Skoda brand vehicles tested by the researchers, except for the Volkswagen Golf Mark 7, introduced in 2013. The researchers did not test Volkswagen Group's luxury brands, which include Bentley, Bugatti, Lamborghini and Porsche.
"There have been various media reports about unexplained theft from locked vehicles in the last years," the paper states. "The security issues described in this paper could explain such incidents."
A similar attack works on cars using RKE key fobs and ignition keys using technology made by NXP, which includes Alfa Romeos, Chevrolets, Fiats, Fords, Mitsubishis, Nissans, Opels, Peugeots and Renaults. Model years affected range from 2004 to 2016, depending on the brand.
Unlike the Volkswagen key fobs, the NXP key fobs and ignition keys do not share a master code, and there's nothing to be gained by hacking into one of the key fobs and reading its contents. However, the encryption used by the NXP devices is weak enough so that an attacker, using the same inexpensive laptop-connected radio equipment as in the Volkswagen attack, would need to capture only between four and eight commands issued by the NXP key fob or ignition key to decrypt the signals.
That's perhaps not as easy as capturing the single command needed for the Volkswagen hack, but the researchers noted that the attacker could also use a jammer to make sure not all the car owner's wireless commands reached the car, forcing the owner to press the lock or unlock button again and again.
"Insurance companies may ... have to accept that certain car-theft scenarios that have so far been regarded as insurance fraud (e.g. theft of personal belongings out of a locked car without physical traces) have, considering the results of this paper, a higher probability to be real," said the researchers.
These attacks can only lock and unlock the doors, trunk and hatch of affected cars and, in North America, sound a car alarm. But Garcia was part of an earlier research team that discovered wireless attacks that bypassed Volkswagen's immobilizer system, which is meant to make sure that no car starts without a radio signal from a chip embedded in the ignition key itself. Using that attack, a car can be started and driven away without the verified ignition key.
That research into ignition-key-bypassing was completed in 2013, but Volkswagen went to court in Britain and had the paper's presentation delayed for two years. It was finally presented at last year's USENIX conference.
Regarding the latest findings, the research team's advice was simple — go back to using mechanical keys to lock and unlock your car.
"For owners of affected vehicles, as a temporary countermeasure in cases where valuable items are left in the vehicle," the paper says, "we can unfortunately only recommend to stop using or disable/remove the RKE part of the car key and fall back to the mechanical lock."
UPDATE: NXP responded to this story with a statement.
The research "criticizes the robustness of the HT2 security algorithm when used for Remote Keyless Entry systems," the statement reads. "HT2 is a legacy security algorithm, introduced 18 years ago (in 1998). It has been gradually replaced by more advanced algorithms from 2006 onwards. Our customers are aware as NXP has been recommending not to use HT2 for new projects and design-ins for years."
"Since 2006, NXP's product portfolio has featured a new product family based on Advanced Encryption Standard, with AES128, encryption based on a 128-bit key. Also, since 2009, NXP added to its Hitag family the HT3 security algorithm in addition to HT2. NXP Immobilizer and Remote Keyless Entry solutions based on HT3 or AES128 have meanwhile allowed the phase-out of HT2 systems in the market, but NXP cannot judge to which extent legacy systems are still using the HT2 security algorithm."