What Is It With Volkswagen And Software? First Emissions, Now Locks

What is it with Volkswagen and software? First, the automaker gets itself in great gobs of trouble by installing a “defeat switch” in its emissions control system, setting off the Dieselgate scandal. To make things worse, VW says: “Oh, you didn’t know this, but we’ve been cheating since 2009 and you never even knew.” Wow!

And, now, VW admits that the software that controls the keyfobs that lock and unlock nearly 100 million vehicles worldwide can be easily hacked with easy-to-find and use tools. Worse, there’s no art to the hack potential. Instead of requiring a user, at least, to do something spectacular to access one of its vehicles, all you have to do is get a monitor device, stand near the vehicle in question and turn on the hacking system.

Waiting For The Code, Waiting…

If you time it right, you will get the specialized digital code that drives the keyfob and enables the doors to be locked and unlocked. Once you have the unique digital code, the car or cars in your area are yours for the hacking. And, if you are a bit talented in programming, you can change the locking codes so that the owner will never get back in.

Though there are indications that the size of the pay-outs in the Dieselgate Scandal buyback plan could be $7,000 to $10,000, there is no official word yet.

How many vehicles, you may be wondering, are affected by the problem software? To say, 100 million, give or take a few, is pretty much on target. Why are there so many vehicles involved? It is a sheer numbers- and years-based thing. The problem, which centers on the Magamos locking system, has been in use continuously by VW since 1995. Right up to 2016, the same easy-to-hack devices were still in use by VW.

Putting numbers on the problem, based on 21 years of production, VW’s exposure to this potential scandal is about 100 million vehicles or 10 times the number of vehicles involved in Dieselgate.

Like as not, VW didn’t intentionally set out to have a second potential scandal on its doorstep, even as the first, Dieselgate, was still winding its way through the courts and regulatory agencies. Still, the automaker is facing another potential gaffe of monumental proportions.

Interestingly, the hackable keyfobs were discovered by a group of researchers from the University of Birmingham in the U.K.

Research Team Blocked By VW

Flavio Garcia, head of the research team, whose work was stonewalled by the automaker for at least two years, finally had the chance to detail the problem at the Usenix security conference recently in Austin, Texas. As described by Garcia, his team, using a relatively inexpensive radio scanner hooked up to a laptop, was able to snag the code needed to set up a keyfob to lock and unlock a vehicle. More importantly, the team was able to engineer other hacks on other major brands including:

• Alfa Romeo
• Fiat
• Ford
• Citroen
• Nissan
• Mitsubishi
• Opel
• Peugeot

The funny thing about all this is that it need not have happened. The semiconductor company that makes the chips that run the keyfobs has been urging VW and others to update their coding for years, but it hasn’t been done. A bit of tightening is all that’s needed for a hard-to-hack system. VW doesn’t seem to be in the mood to do it. Indeed, it acknowledged the issue, but that’s as far as it goes. Mostly, its answer to the whole matter is a quiet: “Duh!!”

For whatever reason, it seems VW has fallen back on old automotive habits. In this case, the automaker, which was informed of Garcia’s team findings in 2013, sued to block the publication of the team’s findings. By preventing the release, the automaker apparently reasoned that no one would know of the problem, and if no one knew of the problem, it didn’t exist. The issues have been resolved and Garcia was able to publish his team's findings this year.