If you're a Volkswagen owner, you've probably spent the last 11 months worrying about Dieselgate. Even folks who don't own diesels have been deeply concerned about the resale value of their VWs because of the black eye the brand has received in the press.
Owners of Audi, Porsche, and other marques in the Volkswagen family haven't been quite as worried, since their brand names haven't been as closely associated with the ongoing scandal. But now, there's an issue that could affect all of them very, very directly.
To put it bluntly, there's a security hole in Volkswagen's keyless entry system, and it affects a lot of vehicles--basically, every vehicle that Volkswagen has built since 1995.
But wait, it gets worse: a second software flaw can give hackers access to other vehicles from makes like Alfa Romeo, Fiat, Ford, Mitsubishi, and Nissan.
All told, the two security issues affect 100 million vehicles worldwide. They were discovered by a team of engineers from the firm of Kasper & Oswald and researchers from the University of Birmingham. Details will be discussed at the Usenix security conference, which is taking place this week in Austin, Texas.
Good news, bad news
The good news is, these security flaws don't allow bad guys and gals to pop open every affected car at once. They have to identify a particular car, then intercept the radio signal that passes from the owner's key fob to the car.
In the case of the Volkswagen hack, intercepting a fob's signal gives would-be thieves the unique cryptographic key associated with the vehicle. That key must then be paired with another one--one that's shared among large numbers of vehicles from a particular Volkswagen brand or model year. That key is trickier to find, and only when hackers have both can they clone the fob for a specific car.
In other words, this isn't the kind of job your local, neighborhood hacker is likely to carry out--at least, not on his or her own.
And that brings us to the bad news.
If sophisticated hackers manage to identify the base cryptographic keys that are used across Volkswagen's vehicle lines, there's nothing to stop them from publishing that data to the internet. Other no-goodniks can then take that information, pull key codes from particular vehicles (a much simpler process), and voila: they're in.
Also, unlike the hack that researchers recently used to confound Tesla's Autopilot system, this one is cheap to deploy. All it takes is the right know-how, a laptop, a cheap micro-computer like an Arduino board with a radio receiver, and a fair bit of patience.
Worse still, the security hole that affects non-Volkswagen vehicles is simple to exploit, too. The vehicles vulnerable to this attack use fobs that send out eight cryptographic keys to open their doors. Seven of those remain constant, with the eighth changing at random.
By jamming the signal from an owner's key fob, hackers can intercept multiple cryptographic keys from the device. That reveals which of the seven keys are constant, and savvy hackers can identify the eighth in less than a minute.
Should you be worried?
Most people reading this have no reason to worry. Those most at risk of being hacked are those who drive very expensive cars or who have something of equal value to hackers. That doesn't describe us, and it probably doesn't describe most of you.
However, these hacks show the potential effect that security flaws can have on huge populations of vehicles. As our cars creep ever-closer toward total computerization and autonomization, these sorts of flaws--and the chaos that can ensue when they're exploited--will become an even greater concern for regulators, automakers, and consumers.