Back in the day, people had to walk into a bank in order to rob it. They also had to walk up to a car in order to steal it. Nowadays, people rob banks from the comfort of their home (or their parents' basements), and it's only a matter of time before they start hijacking cars the same way.
According to a couple of researchers, whose work has been covered by Wired recently, we're already halfway there – a new vulnerability has been found which allows hackers to remotely unlock 100 million Volkswagen cars.
Yeah, you read that correctly – 100 million vehicles from the Volkswagen group, including the Golf 7 and various Audis and Škodas, built in the last two decades.
The best part is – they’re saying it’s not even that hard to pull off. All you need is approximately £30, and some ‘trivial’ knowledge. The whole process makes a copy of the victim’s key. In order to achieve that, the attacker needs to be in the victim’s relative vicinity (300 feet, approximately), and just intercept the signal once.
“You only need to eavesdrop once,” says Birmingham researcher David Oswald. “From that point on you can make a clone of the original remote control that locks and unlocks a vehicle as many times as you want.”
This technique works only on the cars’ doors, it was said, but because the same researchers already unveiled, some four years ago, a method of starting these cars, they believe VW is in a world of trouble.
Art Dahnert, Consultant at Cigital, says the automotive industry should ‘take a page from the computer software industry’s book’, because back in 2013, Volkswagen didn’t deal with the problem – only its publication.
“In this particular case, by sharing a common set of keys VW has created a situation where the total victim set is potentially in the tens of millions. A security risk assessment of this system could have exposed the impact that this would have and possibly reduced the cost of going to market with a more secure system. And because of the long lead times with the development of the various components and systems involved, these vehicles have been operating insecurely for many years.”
The solution, Dahnert believes, is to have the auto industry working with security pros during the design process.
“The inclusion of dozens of computers and millions of lines of code in the typical automobile creates a large attack surface that needs to be addressed. This complex environment can be very difficult to secure, which is why the industry needs to work with security professionals to participate in the design process long before the car goes into production. It also needs to actively work with the security industry in developing a standard approach to securing the software that drives the vehicle today. It is very important that the auto industry understands that computer security is a vital part of the vehicle safety system and starts to implement designs that can exist in production for decades.”