Volkswagen keyless entry systems can be bypassed

Keyless locking systems in cars can be bypassed relatively easily, researchers have found, leaving hundreds of millions of vehicles at risk of thefts and break-ins.

University of Birmingham researchers Pierre Pavlidès, Flavio Garcia and David Oswald along with security consultant Timo Kasper discovered two serious vulnerabilities in the keyless entry systems and the adjunct alarms and engine immobilisers used by major car manufacturers.

They focused on vehicles made by the Volkswagen Group, finding the company has been using just a few master keys for the encryption of the wireless signal used for car remotes since 1995.

The cryptographic keys were recovered from cars' electronic control units (ECUs) by the reseachers, who were able to unlock vehicles after eavesdropping on a single signal sent by the remote key fob (one button press).

To capture the radio frequency signals from key fobs, the researchers built a cheap Arduino-based transceiver costing just a few tens of dollars.

Audis, Seats and Škodas are also vulnerable, they found.

A flaw in a second keyless entry system used by many other car makers such as Alfa Romeo, Chevrolet, Peugeot, Lancia, Opel, Renault and Ford was also discovered.

It stems from car makers using the weak and now deprecated HiTag2 rolling code scheme, which can be broken and the keys cloned using a laptop and just a few minutes of computation.

This means it is possible to not only unlock vehicles, but to bypass engine immobilisers, according to the researchers, who tested their theories on their own and friends' cars.

"The cryptography of these immobilisers has to be considered broken as their added protection to prevent criminals from starting the engine of a car is very weak," they wrote.

The findings could explain mysterious car thefts and burglaries in recent times, in which criminals have accessed vehicles that were locked and had the engine immobiliser system activated.

"Since they are executed solely via the wireless interface, with at least the range of the original remote control (ie a few tens of metres), and leave no physical traces, they pose a severe threat in practice," the researchers said.

The vulnerabilities have been reported to Volkswagen and other car makers.

But there are currently no fixes or countermeasures against the keyless entry system weaknesses, as they cannot easily be patched or updated. 

The researchers also analysed other keyless entry systems and found them insecure, but have decided not disclose the details at this stage.

The research was presented at the 25th USENIX security conference in Austin, Texas [pdf].