Cheap, easy-to-build device disables car locks remotely
A technical paper recently released by a group of academics reveals that smart key fobs can be exploited to grant unauthorized access to millions of vehicles currently on the road. The revelation could explain a wave of thefts involving cars believed to be securely locked.
The hack was specifically targeted at Volkswagen, Ford, and Chevrolet vehicles that rely on a now antiquated key fob technology. In most cases, the vulnerable technology is not being used in late model year vehicles, but millions of older vehicles rely on the insecure technology to permit remote and keyless access to the car.
The researchers involved include Flavio D. Garcia, David Oswald, Timo Kasper and Pierre Pavlidès. They did not outline the full details of the hack but revealed that the exploit required only $40 worth of readily available technology. Once constructed, the device not only allows a phony key to grant access, it can also disable the genuine key remotely.
The hack affects multiple automakers, but Volkswagen most significantly. The researchers believe that almost all Volkswagen vehicles manufactured since 1995 are at risk.
The device the researchers constructed has a range of around 300 feet. After a key fob is used just once to grant authorized access to the owner of the vehicle, the cryptographic code used by the key fob is recorded by the device. It can then be programmed into a dummy key that removes all barriers to entry.
The problems are not exclusive to Volkswagen. Security researchers who study cyber attacks on cars have said previously that most key fob technologies are vulnerable to exploitation. The technologies in place either lack adequate security measures or rely on systems with significant loopholes and backdoors in place.
The device is not wholly new but rather a variation on existing devices used to grant unauthorized access to cars. In some cases, kits for building these devices are available on the black market. That means the technology is accessible to malicious parties with little to no technical expertise.
Experts report that a fix is possible, but that it is expensive, time consuming, and not likely a priority for the automakers. This research comes amid widespread fears about the vulnerability of internet connected cars and the ways that they could potentially be exploited by hackers. The sobering truth revealed by the report is that the vast majority of cars currently in service are vulnerable to some form of cyber attack.