100 million vehicles are vulnerable to hack that unlocks doors

Almost every car developed by Volkswagen group since 1995 carries a known vulnerability that is susceptible to cyberattacks, according to a research paper authored by researchers from the University of Birmingham and German engineering firm Kasper & Oswald.

Almost every car developed by Volkswagen AG since 1995 carries a known vulnerability that is susceptible to cyberattacks, according to a paper authored by researchers from the University of Birmingham and German engineering firm Kasper & Oswald.

The vulnerability, according to the report, allows for hackers to intercept, record and thereby clone signals sent from a victim’s wireless key fob. By copying data emitted from the key fob while it is in transit, a hacker could feasibly gain remote access to a vehicle’s door lock mechanism.

The report was revealed in full this week at the Usenix cybersecurity conference. Researchers say that the discovered vulnerability could affect roughly 100 million vehicles, including some made by Volkswagen brands like Audi and Škoda, in addition to non-Volkswagen properties like Fiat, Ford, Mitsubishi and Nissan.

The hack isn’t exactly easy to pull off though, even while the tools required to make it a reality are relatively cheap and easy to find.


By reverse engineering a component found inside Volkswagen’s internal communications network, the researchers were able to extract a default cryptographic key shared among millions of vehicles.

A combination of the first, default crypto key with a victim’s device specific key signal produces what looks like an authentic command to the vehicle. Researchers were able to capture the victim’s device specific key signal by placing an affordable piece of commercial grade radio hardware — connected to a computer with the appropriate software — within about 300 feet of the victim while they activated the key fob unlock command.

The research paper notes that Volkswagen acknowledged the vulnerabilities’ existence.

The software bug affecting Fiat, Ford, Mitsubishi and Nissan is slightly different, however. Researchers found that an outdated cryptographic scheme called HiTag2 is still used in millions of vehicles, which is susceptible to yet another signal interception technique.

The second technique similarly relies on a radio setup to intercept codes sent between a driver’s key fob and vehicle. HiTag2 typically employs eight lines of scrambled code — with one line changing each time the button is pushed — to authorize the unlock mechanism. But researchers reportedly found a flaw in HiTag2 that allows them to break the code in a matter of minutes, making it unnecessary to extract data from the manufactures’ internal communications network.


Both cyber attacks focus on unlocking doors rather than activating the ignition switch. But when combined with another now disclosed attack — also previously discovered by a team led by computer scientist Flavio Garcia, a member of the aforementioned University of Birmingham research squad — a hacker would be able to unlock and then turn on the vehicle.

Last week, Sens. Edward Markey, D-Mass., and Richard Blumenthal, D-Conn., members of the Commerce, Science and Transportation Committee, sent a letter to the Federal Communications Commission asking for assurance from commission chief Tom Wheeler that he would work to improve security surrounding airwaves used by vehicles to transmit data.

“We have entered the Internet of Things (IoT) era, where our cars, transportation infrastructure, and devices can all be interconnected,” the Senators’ letter reads, “But make no mistake, IoT can also be considered the Internet of Threats if appropriate safety, cybersecurity and privacy safeguards are not put in place.”

The letter continues, “We must ensure that these vehicles have robust safety, cybersecurity, and privacy protections in place before automakers deploy vehicle-2-vehicle and vehicle-2-infrastructure communication technologies.”

An FCC spokesperson said the agency was declining to comment on efforts to improve the security of Dedicated Short Range Communications, or DSRC, like those used by cars until a public comment period concludes. The public comment request, which calls for responses by August 28, can be found here.

Chris Bing

Written by Chris Bing

Christopher J. Bing is a cybersecurity reporter for CyberScoop. He has written about security, technology and policy for the American City Business Journals, DC Inno, International Policy Digest and The Daily Caller. Chris became interested in journalism as a result of growing up in Venezuela and watching the country shift from a democracy to a dictatorship between 1991 and 2009. Chris is an alumnus of St. Marys College of Maryland, a small liberal arts school based in Southern Maryland. He's a fan of Premier League football, authentic Laotian food and his dog, Sam.

Latest Podcasts