Over 100 million cars made by Volkswagen (VW) are believed to be vulnerable to hacks that could let thieves unlock them remotely through a wireless signal, according to security researchers.
Computer experts at the University of Birmingham, Flavio Garcia and David Oswald, have uncovered two flaws in VW's keyless entry systems that could allow hackers to remotely unlock over 100 million cars sold by the firm since 1995.
The first vulnerability gives hackers the ability to remotely break into nearly every car VW has sold since 2000, while the second impacts "millions" more vehicles including models from Ford, Peugeot and Citroen.
Both attacks rely on "widely available" Arduino hardware that costs as little as 30 quid. This can intercept the signals a key fob transmits wirelessly and then clone said key.
The second attack is a bit more complex, and targets a cryptographic scheme called HiTag 2. An attacker would need to use a radio setup like that used in the regular Volkswagen hack, intercepting special codes from drivers' key fobs and collecting codes that would eventually result in an unlock.
"We discovered that the RKE [remote keyless entry] systems of the majority of VW Group vehicles have been secured with only a few cryptographic keys that have been used worldwide over a period of almost 20 years," the researchers wrote.
"Our findings affect millions of vehicles worldwide and could explain unsolved insurance cases of theft from allegedly locked vehicles."
The researchers are now going to investigate if the attack has been used by criminals in the real world.
VW has since spoken out about the flaws, and has worryingly said that "there is no 100 per cent guarantee for security".
"On one hand, criminals are equipped with sophisticated tools, and on the other hand, theft protection is impacted by the fact that we have to provide access to the OBD interface (onboard diagnosis) as well as the processes and documents in connection to these systems.
"The bar for theft prevention is constantly being raised, but ultimately there is no 100 per cent guarantee for security.
"The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place. The findings obtained will serve to further improve the security technology."
It is not the first time VW has been put under the microscope by the security researchers, with the firm going as far as getting a High Court injunction in the past to stop them revealing hack details for their vehicles.