Millions of Keyless Remote Control Devices Can Be Cloned

Researchers say 100 million cars are vulnerable to thieves cloning the keyless remote controls.

Posted in News

— Security researchers may have finally figured out how thieves have been opening locked car doors by holding small devices in their hands, leaving authorities baffled as to how the doors were unlocked.

Researchers from engineering company Kasper & Oswald and scientists from the University of Birmingham UK released a study that shows a keyless remote control can be cloned for as little as $40.

The team of researchers found two vulnerabilities that can affect 100 million vehicles worldwide, including one vulnerability that could allow a hacker to unlocked just about every Volkswagen Group vehicle made since 1995. In addition, a separate vulnerability could affect millions of cars from numerous automakers, including Ford, Mitsubishi and Nissan.

The study says a simple small radio device can intercept a signal when a person pushes a button on a remote control to unlock a car. A $40 investment can turn into a keyless remote control just like the original remote, and a vehicle owner will have no idea anything has happened until it's too late.

The vulnerability in Volkswagen vehicles is particularly scary because a thief could clone a remote control with one push of a button and have access to the numerous models of VW cars manufactured since 1995, including the following:

  • Audi A1
  • Audi Q3
  • Audi R8
  • Audi S3
  • Audi TT and other Audi vehicles with remote control part number 4D0 837 231.
  • Seat Alhambra
  • Seat Altea
  • Seat Arosa
  • Seat Cordoba
  • Seat Ibiza
  • Seat Leon
  • Seat MII
  • Seat Toledo
  • Škoda City Go
  • Škoda Roomster
  • Škoda Fabia 1, Fabia 2
  • Škoda Octavia
  • Škoda SuperB
  • Škoda Yeti
  • Volkswagen Amarok
  • Volkswagen Beetle
  • Volkswagen Bora
  • Volkswagen Caddy
  • Volkswagen Crafter
  • Volkswagen e-Up
  • Volkswagen Eos
  • Volkswagen Fox
  • Volkswagen Golf 4, Golf 5, Golf 6, Golf Plus
  • Volkswagen Jetta
  • Volkswagen Lupo
  • Volkswagen Passat
  • Volkswagen Polo
  • Volkswagen T4, T5
  • Volkswagen Scirocco
  • Volkswagen Sharan
  • Volkswagen Tiguan
  • Volkswagen Touran
  • Volkswagen Up

Other automakers and vehicles are affected by a separate vulnerability that allows a thief to clone a remote control. The research paper listed the following vulnerable vehicles but admitted the list is short compared to the makes and models that would likely be affected.

  • 2010 Alfa Romeo Giulietta
  • 2012 Chevrolet Cruze Hatchback
  • 2009 Citroen Nemo
  • 2012 Dacia Logan II
  • 2016 Fiat Punto
  • 2009 Ford Ka
  • 2009 Lancia Delta
  • 2004 Mitsubishi Colt
  • 2006 Nissan Micra
  • 2008 Opel Vectra
  • 2016 Opel Combo
  • 2010 Peugeot 207
  • 2016 Peugeot Boxer
  • 2011 Renault Clio
  • 2011 Renault Master

The study says automakers have used insecure systems for more than 20 years where even a "smart watch" such as the TI Chronos could do the job and leave no physical trace the remote has been cloned.

The implications of a cloned or hacked remote control are numerous as an alarm system will typically be disarmed before a thief enters the vehicle to steal you blind. In addition, a hacker could enter the vehicle and compromise the computer or enter the vehicle and hide and wait for the driver to return.

Even if the thief doesn't enter the car, an object could be put into a vehicle and the car locked afterward, never leaving a clue the doors were opened. It's even technically possible to eavesdrop the signals of all cars on a parking lot or at a car dealer by placing an eavesdropping device there overnight.

Although the study was conducted outside the U.S., the paper says remote controls operating at 315 MHz for the US market are also vulnerable to attacks.

Furthermore, researchers determined similar cars from different manufacturers have the same problems. For example, some model years of Ford Galaxy have the same flawed system as the VW Sharan and Seat Alhambra.

After studying what is possible with a small handheld device, researchers say a driver shouldn't depend on knowing a vehicle is locked by touching a remote control and hearing a sound or seeing the lights blink. A hacker may have picked up the "lock" signal and created a new "unlock" code, all by standing as far as 320 feet away.

So how do you lock your car when a remote can be turned against you? Researchers suggest the only safe method of locking and unlocking a car is mechanically, by hand. However, even that option may cause trouble because many cars are set up so the alarm will trigger after a period of time if the car doors or the trunk are mechanically opened.

The other main question is whether a driver would know the remote has been cloned. The study authors say possible indicators of tampering include if a vehicle doesn't unlock on the first press of a button or if the remote is completely blocked from working.

Researchers from the University of Birmingham have been a thorn in the side of VW since 2013 when scientists came up with a way to start millions of VW vehicles without using a key. Getting that information to the public was put on hold for two years as lawsuits were filed to keep the vulnerabilities secret.

This time VW was transparent when approached about the keyless remote control issues. The researchers contacted Volkswagen in 2015 about the results of the study and sent the automaker a draft version of the final paper. VW admitted the vulnerabilities exist, and researchers agreed to leave out many technical details about the methods used to clone the systems.

Although nothing is confirmed, scientists believe thieves have been using similar or identical cloning devices for years to break into vehicles by simply unlocking the doors.