The scope of this vulnerability is massive, encompassing roughly 100 million Volkswagen Group vehicles manufactured since 1996. Affected brands include Volkswagen, Audi, Seat and Skoda. The remote entry hack is ongoing, as the researchers were able to determine that the 2016 Audi Q3 is still affected.
So how were the researchers able to achieve this feat? Well, they were able to reverse engineer the electronic control unit (ECU) and remote keyless entry system used in Volkswagen’s vehicles, and once armed with the knowledge of the inner working of how key transmission and reception is handled by the vehicle, they were able to hack away with an Arduino-based RF transceiver powered by a 9-volt battery.
“With the knowledge of these keys, an adversary only has to eavesdrop a single signal from a target remote control,” write the researchers in their published paper [PDF]. “Afterwards, he can decrypt this signal, obtain the current UID and counter value, and create a clone of the original remote control to lock or unlock any door of the target vehicle an arbitrary number of times.”
Unfortunately, there doesn’t appear to be any useful or productive defense to an attack, so current Volkswagen owners will forever be sitting ducks. “Completely solving the described security problems would require a firmware update or exchange of both the respective ECU and (worse) the vehicle key containing the remote control,” the researchers add. “Due to the strict testing and certification requirements in the automotive industry and the high cost of replacing or upgrading all affected car keys in the field, it is unlikely that VW Group can roll out such an update in the short term.”
Although this is of little relief for owners of affected Volkswagen Group vehicles, the company’s newer vehicles based MQB architecture are immune. These include the newest version of the Audi A3, Audi TT, Volkswagen Golf family, and the Euro market Volkswagen Passat.