Another blow for VW owners: millions at risk for key hack

Volkswagen owners may have another headache on their hands: a security vulnerability that allows hackers to wirelessly unlock millions of cars.

Unlike research into the security problems of recent tech innovations in cars, this hack involves an older piece of technology: the remote key fob. The researchers said their findings affect VW cars made between 1995 to 2016, including Jettas and Passats, as well as Audis and brands that aren't sold in the U.S., SEAT and Skoda.

The findings, which were presented at a security conference this week by researchers at the University of Birmingham and the German engineering firm Kasper & Oswald, may pose another setback for VW owners already stung by the company's emissions scandal. While it's unclear the degree of risk that VW owners may be facing, the researchers said that their investigation could shed light on "unexplained theft from locked vehicles in the last years."

"Insurance companies may thus have to accept that certain car theft scenarios that have so far been regarded as insurance fraud (e.g. theft of personal belongings out of a locked car without physical traces) have, considering the results of this paper, a higher probability to be real," the researchers noted.

Volkswagen didn't immediately respond to a request for comment.

The researchers who investigated the flaws in remote key fobs aren't strangers to VW security issues. In 2012, they were embroiled in a legal tussle after finding a VW flaw that could allow thieves to start and drive a car without a key. The automaker filed a lawsuit to block the publication of the research on the grounds that it would place cars and their owners at risk. The paper was published last year.

In their most recent paper, the researchers looked at two types of attacks: one that might affect millions of VW cars, and another that could affect additional car manufacturers, including Ford (F), Mitsubishi and Nissan. Both hacks rely on a simple piece of radio hardware that can be used to clone the key's remote control and gain access to a car.

The researchers said that they told VW about the remote key entry vulnerabilities in 2015, and that the automaker "acknowledged the vulnerabilities." They added that they agreed to leave out some information that could help thieves crack the remote key fobs, including details about how they reverse-engineered the process and cryptographic keys. The researchers said their advice to VW owners is to disable the remote keyless entry.

"For owners of affected vehicles, as a temporary countermeasure in cases where valuable items are left in the vehicle, we can unfortunately only recommend to stop using or disable/remove the RKE part of the car key and fall back to the mechanical lock," they wrote. They added, "Lock It or Lose It? Remove It!"