Keyless Entry Renders Millions Of Cars Vulnerable

Simple handheld scanning device capable of intercepting & cloning keyless entry 

Tens of millions of cars are made vulnerable to theft by their keyless entry systems, according to a report by computer security experts.

The paper claims many of the 100m Volkswagen vehicles sold over the past 20 years are vulnerable and can be hacked using cheap tools. Audi, Seat and Skoda models sold since 1995 are also said to be affected as they share Volkswagen’s remote keyless entry system. Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot models are also at risk from a similar exploit, the researchers claim.

The three researchers from the University of Birmingham in England, and a fourth from security company Kasper and Oswald GmbH in Germany, found models as recent as this year’s Audi Q3 were vulnerable. They said it is conceivable that all VW Group cars, with the exception of some Audis, are thus vulnerable to attacks because they rely on a ‘constant-key’ scheme.

The attack works by “eavesdropping” on the signal sent when a driver presses their key fob to unlock their car. With equipment costing as little as £30, the signal can be cloned and the hacker can then access the car in future. To clone the key’s signal, the attacker does need to be within 100m of the vehicle.

The report co-author Flavio Garcia said they believe some of the hackable cars are still on the market. He told Reuters: “There are still some VW car models being sold that are not on the latest platform and which remain vulnerable to attack.”

The researchers said the only exceptions were cars built on VW’s latest MQB production platform, which is used in its top selling model, the Golf VII, which the researchers found does not have the flaw.

The VW spokesman Peter Weisheit said that its current Golf, Tiguan, Touran and Passat models are not at risk from the attack, adding: “This current vehicle generation is not afflicted by the problems described.”

The Wolfsburg-based car maker confirmed it has had a constructive exchange with the researchers and that the authors had agreed to withhold details in their report that criminals could use to break into cars.

In 2013, VW obtained a restraining order against a group of researchers that included Garcia to prevent publication of a paper detailing how certain anti-theft car immobilisers were vulnerable to hackers. That research was published in 2015 after the authors agreed with VW to remove a detail that would have allowed thieves to figure out how to carry out an attack.

The authors also describe a second attack that could be used against Hitag2 (HT2) remote keyless entry systems used in older models of other car makers, running on circuits produced by Dutch-American chipmaker NXP.

An NXP spokesman said HT2 chips first introduced in 1998 have been gradually replaced by automakers since 2006 and that the chipmaker has advised them to replace HT2 chips in new cars since security weaknesses were reported in 2009 and 2012.

The report’s authors said they had focused on mass-market models and did not analyse in detail VW’s luxury brands including Porsche, Bentley, Lamborghini and Bugatti.

The paper is set to be presented at the Usenix security conference in Austin, Texas, in the US recently.

Guardian: http://bit.ly/2bdnNdp

 
