Dieselgate and now this. Something else for VW Group CEO Matthias Müller to think about
Researchers appear to have uncovered a security glitch affecting as many as 100m vehicles sold by Volkswagen Group over the past twenty years. Potentially, vehicles are vulnerable to theft because keyless entry systems can be hacked via radio devices.
Volkswagen said it was working with the researchers and added that several new vehicles were unaffected by the issue.
Researchers at the University of Birmingham in the UK have published a paper outlining how they were able to clone VW remote keyless entry controls by eavesdropping nearby when drivers press their key fobs to open or lock cars.
Vehicles vulnerable to this 'cyber-attack' include most Audi, VW, Seat and Skoda models sold since 1995 and many of the approximately 100m VW Group vehicles on the road since then, the researchers said.
The flaw was found in car models as recent as the Audi Q3, model year 2016, the researchers said.
The only exceptions were cars built on VW's latest MQB production platform, which the researchers found does not have the security flaw.
"There are still some VW car models being sold that are not on the latest platform and which remain vulnerable to attack," Flavio Garcia, co-author of the report and a senior lecturer in computer security at University of Birmingham, told Reuters.
Attackers can use cheap and widely available tools for grabbing radio signals, according to the researchers. Cars from other manufacturers may share these flaws.
Rob Miller, Head of Operational Technology at MWR InfoSecurity, highlighted the wider implications of the findings. "Volkswagen is clearly aware of what this research means for its customers' security, and are taking steps to make sure that this information does not fall into the wrong hands. This is a common theme we have seen with several organisations where security flaws have been found in embedded systems," he said.
"The issue is that, unlike in software where you can simply download a newer version, embedded systems often do not offer such connectivity and fixing requires recalls. In some cases the hardware design is the culprit in causing security issues and the resultant redesign, testing and release to address the problem can take many months.
"The car industry, and others producing equipment that consumers rely on for security, should take this research as a shot across the bows. Attacks will constantly evolve as new methods and technology become available to researchers and criminals. We need to consider not only how we are preventing the latest attacks, but how we can design systems so that we can quickly respond and adapt to new threats."