Mon, 15 August 2016
Q: Could you tell us a little about how this research began?
A: Actually in 2013 Flavio Garcia, a computer scientist at University of Birmingham, and a team of researchers were about to reveal a vulnerability in the ignition of Volkswagen cars that allowed them to start the car and drive off without a key. This vulnerability was present in millions of VWs.
Q: You say “about to reveal”?
A: Yes, they were sued, which delayed the publication of the work for 2 years. They used that time to continue their research into vulnerabilities with VW cars.
Q: So did they find anything new?
A: They sure did. The paper they just published identifies flaws not only with the ignition system, but also with the keyless entry system.
Q: How many cars are we talking about?
A: The researchers claim that every Volkswagen sold since 1995 is affected. The estimate is nearly 100 million cars!
Q: Which cars are affected?
A: There are two distinct attacks – one impacts Audi and Škoda cars; the other Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel, and Peugeot.
Q: Do they provide any details of the attack?
A: They use radio hardware to intercept signals from the victim’s key fob, using the intercepted signals to clone the key. They started with software defined radio connected to a laptop, but have moved to a small $40 setup that includes an Arduino board with an attached radio receiver.
Q: How concerned should we be?
A: Of the two attacks, the one targeting Volkswagen cars is most concerning because (1) there is no indication to the drivers that they’ve been compromised, (2) one a single button press needs to be intercepted.
Q: Why is the security weak?
A: It turns out that millions of Volkswagen vehicles share a single cryptographic key. Using the hardware we described earlier, researchers capture another key unique to the target vehicle that is transmitted every time the button on the key fob is pressed. By combining these two key, the researchers can clone the key fob. A single interception and the car is “owned”.
Q: So it’s that easy?
A: Not quite that easy. A few caveats. The attacker has to be within 300 feet of the car. The shared key is not quite universal. The shared key may change based on the model of the car and the year. Also, the internal components where the shared is extracted from may be different.
Q: So the key’s not universal. That’s good, right?
A: Yes, except that the 4 most common keys are used in nearly all the 100 million Volkswagen’s sold in the past 20 years.
Q: So should listeners sell their Volkswagens?
A: No, not yet. The researchers have not revealed where the shared key is stored, but a determined hacker could reverse engineer the keys and publish or sell them. And a newer locking system, used in the VW Golf 7 and other models, uses unique - not shared - keys and it his immune to these attacks.
Q: You mentioned that there are two attacks. What’s the second?
A: The second technique exploits flaws in a common cryptographic scheme called HiTag2 that is used in millions of vehicles.
Q: How does this attack work?
A: The hardware setup is similar to the previous attack. One big difference is that you don’t need to extract any internal keys from the car. You do have to intercept more codes from the target key fob - eight codes specifically. These codes include a rolling code number that changes with every button press.
Q: Sounds a lot like cracking a WEP key on a wireless network.
A: It is. In fact, the researchers suggest jamming the key fob so that the driver has to repeatedly press the button. Essentially generating more traffic to capture. Similar to a so-called replay attack used to help speed up the cracking of WEP keys.
Q: Why not just updated the encryption scheme?
A: It turns out the HiTag2 crypto system is hard coded into chips made by semiconductor company NXP. According to NXP HiTag2 is a legacy security algorithm - 18 years old. Since 2009, they have introduced new, more advanced algorithms, but car makers have been slow to transition to these new chips.
Q: So attackers can unlock the car. Can they steal the car?
A: While these attacks focus on the key fob and unlocking the car. Other research - even these researchers previous work - focuses on exploiting vulnerabilities in the ignition system and bypassing so-called immobilizer systems that are intended to prevent the car being driven without the key fob present. Combining these attackers, it would be possible to steal the car. In fact, there is already evidence of sophisticated digitally-enable car thieves using mysterious “black box” devices to steal cars.
Q: So what should car owners do?
A: Car owners can’t fix the vulnerabilities, so there’s little they can do to avoid these sort of attacks. If you’re concerned about someone cloning your key fob (1) don’t leave valuables in the car, (2) avoid using the key fob at all.