Drive a VW, Skoda or Seat? Wireless security flaw puts them all at risk of theft

Volkswagen found out once again...

Vehicles made by the Volkswagen Group (VW) are at risk of theft because of a basic security flaw that could enable an attacker to use wireless master keys to unlock virtually every vehicle with remote central locking.

More than 100 million vehicles made by VW are believed to be vulnerable, according to security researchers at the University of Birmingham. Flavio Garcia and David Oswald claims to have uncovered two flaws in VW's remote central locking systems, used by the company since 1995.

The first vulnerability gives hackers the ability to remotely break into nearly every car VW has sold since 2000, while the second affects "millions" more vehicles, including models from Ford, Peugeot and Citroen.

Both attacks rely on "widely available" Arduino hardware that costs as little as £30. This can intercept signals transmitted wirelessly through the air via key fob and then clone the key.

The second attack is more complex, and is a cryptographic scheme called HiTag 2. An attacker would need to use a radio setup like that used in the regular Volkswagen hack, intercepting special codes from drivers' key fobs and collecting codes that would eventually result in an unlock.

"We discovered that the RKE [remote keyless entry] systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years," the researchers wrote.

"Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles."

The researchers will now investigate whether the attack has been used by criminals in the real world.

VW has since spoken out about the flaws, and has worryingly said that "there is no 100 per cent guarantee for security".

"On one hand, criminals are equipped with sophisticated tools, and on the other hand, theft protection is impacted by the fact that we have to provide access to the OBD interface (onboard diagnosis) as well as the processes and documents in connection to these systems.

"The bar for theft prevention is constantly being raised, but ultimately there is no 100 per cent guarantee for security.

"The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place. The findings obtained will serve to further improve the security technology."

It is not the first time VW has been put under the microscope by the security researchers, with the firm going as far as getting a High Court injunction in the past to stop them revealing hack details for their vehicles.