Attack 1: Using Arduino-based RF Transceiver (Cost $40)
The first attack can be carried out with a cheap radio device that can be built for just $40 from a small control board and a radio receiver, yet is capable of eavesdropping on and recording the rolling code values used by keyless entry systems.
The code values are included in the signal sent every time a driver presses one of the key fob’s buttons, and are then used together to emulate a key that is unique to every vehicle.
The researchers then managed to reverse engineer one component inside a Volkswagen’s network and were able to extract a cryptographic key that is shared among millions of Volkswagen vehicles.
By combining the two supposedly secret keys, the researchers were able to clone the key fob and gain access to the car.
“With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control,” the researchers wrote in their paper. “Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times.”
The team did not reveal the components they used to extract the keys, in order to prevent potential car hackers from exploiting the weakness.
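The following added example (not from the researchers' paper or from any vehicle's code) models the receiver side of a rolling code check to show why the counter stops a replayed signal but offers no protection once the same key sits in every vehicle. The frame layout, the HMAC-SHA256 tag standing in for the undisclosed cipher, the window size and all keys and UIDs are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead window for missed button presses


def make_frame(key: bytes, uid: int, counter: int) -> bytes:
    """Fob side: UID and counter, followed by a truncated MAC over both."""
    body = struct.pack(">II", uid, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class Receiver:
    """Vehicle side: accepts a frame only if tag, UID and counter all check out."""

    def __init__(self, key: bytes, uid: int, last_counter: int):
        self.key, self.uid, self.last = key, uid, last_counter

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 16:
            return False
        body, tag = frame[:8], frame[8:]
        uid, counter = struct.unpack(">II", body)
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected) or uid != self.uid:
            return False
        if not self.last < counter <= self.last + WINDOW:
            return False  # replayed or far-out-of-range counter
        self.last = counter
        return True


def simulate(vehicle_key: bytes, other_vehicle_key: bytes) -> dict:
    """A genuine press, a replay of it, then a frame keyed from another vehicle."""
    uid = 0x00C0FFEE  # constructed sample UID
    rx = Receiver(vehicle_key, uid, last_counter=40)
    observed = make_frame(vehicle_key, uid, 41)  # genuine press, seen on air
    return {
        "genuine": rx.accept(observed),
        "replay": rx.accept(observed),
        "foreign_key": rx.accept(make_frame(other_vehicle_key, uid, 42)),
    }


FLEET_KEY = b"constructed-fleet-wide-key"  # same key in every vehicle
shared = simulate(FLEET_KEY, FLEET_KEY)
per_vehicle = simulate(b"constructed-key-A", b"constructed-key-B")
print(shared, per_vehicle)
```

In both runs the replay is rejected; only the run where each vehicle holds its own key also rejects the frame built with key material taken from a different vehicle.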
Attack 2: Hijack with HiTag2 and A Radio Device in 60 Seconds
In the second attack, the team managed to attack a cryptographic scheme called HiTag2, a decades-old rolling code scheme that is still used in millions of vehicles, including Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault, and Ford.
To carry out this attack, all a hacker needs is a radio setup similar to the one used in the above hack.
Using a radio device, the researchers were able to intercept and read a string of coded signals (rolling code numbers that change unpredictably with every button press) from the driver’s key fob.
With the collection of rolling codes, the researchers discovered that flaws in the HiTag2 scheme would allow them to crack the cryptographic key in as little as one minute.
Since the above two attacks focus on unlocking cars rather than stealing them, the lead researcher Flavio Garcia told Wired these attacks might be combined with already exposed bugs in the HiTag2 and Megamos ‘immobilizer’ systems, allowing “Millions of Volkswagens and other vehicles ranging from Audis to Cadillacs to Porsches to be driven by thieves.”
This is not the first time this team of researchers has targeted Volkswagen. It discovered a way to start Volkswagen cars’ ignitions in 2013, but had to withhold its findings for two years because VW Group threatened to sue.
The researchers have reported the flaws to VW Group and agreed not to disclose the cryptographic keys, part numbers of vulnerable components, and how they reverse-engineered the processes.
Car hacking is a hot topic today. Recently, security researcher Benjamin Kunz Mejri disclosed zero-day flaws residing in the official BMW web domain and Connected Drive portal that allowed attackers to tamper remotely with BMW’s In-Car Infotainment System.
Previous research demonstrated hackers’ ability to hack a car remotely and control its steering and brakes, and to disable a car’s critical functions like airbags, by exploiting security bugs affecting significant automobiles.
Keeping these risks in mind, in April this year, the Michigan state Senate proposed two bills that introduce life sentences in prison for people who hack into cars’ electronic systems. Also, the FBI issued a public announcement warning people about the risks of car hacking.