A team of researchers from Birmingham University has discovered a way to bypass wireless car locks with a simple gadget. After some reverse engineering, the team managed to capture radio signals and recover the secret keys used by remotes that unlock vehicles at the push of a button. One of the exploits affects almost all VW models since 1990; another affects many more makers, including Peugeot, Opel, Alfa Romeo and others. Together they expose hundreds of millions of cars.
All that is needed to mimic the signal of a key is an Arduino board with a radio receiver, the researchers note in their paper, which can be found here. “The cost of the hardware is small, and the design is trivial,” says Flavio Garcia, a computer scientist who is part of the team. “You can really build something that functions exactly like the original remote,” he adds.
The four most common Volkswagen locking systems rely on a set of four secret keys, which the researchers managed to extract. With those keys in hand, all an attacker needs is to be in the vicinity of a person unlocking a car: the radio signal from a single button press can be intercepted from about 300 feet away, and that one capture is enough to produce a signal that unlocks the vehicle.
The second exploit, which affects many makers, including Alfa Romeo, Citroen, Fiat, Ford, Mitsubishi, Nissan, Opel and Peugeot, is a bit more complicated but works in essentially the same way. It targets the cryptographic scheme HiTag2, which is 18 years old but still in use. An attacker would have to intercept eight different codes, one from each of eight button presses. If a radio jammer is used to keep the car from responding, the paper suggests, an owner might press the key repeatedly, supplying those codes and leaving the vehicle exposed.