Paper / Key Fob / Reverse Engineering

Over the last few days, I was happy to see that mainstream news covered findings from wireless security researchers who reverse engineered many wireless car key fobs from the VW group, unveiling major security issues. This Wired article, for example, gives a good overview.

The critical point is that VW uses very few master keys to encrypt the data sent by the key fob. Once these master keys (which are deployed in every key fob and every car) are disclosed, it’s trivial to clone keys by eavesdropping on the signal from a single key press.

The results were published in the paper Lock It and Still Lose It – On the (In)Security of Automotive Remote Keyless Entry Systems by Flavio D. Garcia, David Oswald, Timo Kasper, and Pierre Pavlidès, which was presented at the 25th USENIX Security Symposium. It covers many wireless car key fobs, including the ones I had a look at.

My GNU Radio transceiver supports the keys that are referred to as VW-3 and VW-4 in the paper. Both versions use the same physical layer and frame structure, but differ in the algorithm used to encrypt the data. As far as I understand, the authors didn’t omit any information on that part of the system. So that seems to be settled.

The only thing that’s still unclear is how to acquire the master key. In the paper, the authors state that they extracted it from one of the car’s Electronic Control Units (ECUs). However, it seems to me that this part requires a trick of its own. When talking about key extraction, the authors mention:

Note that as part of our negotiations with VW Group, and to protect VW Group customers, we agreed to not fully disclose the part numbers of the analyzed ECUs and the employed μCs at this point. We furthermore agreed to omit certain details of the reverse-engineering process, as well as the values of cryptographic keys.

After some discussions with a friend, I think the ECU in question is the Comfort Control Module (Komfortsteuergerät), which sells for about 30 EUR on eBay. I read in several forums that it contains the receiver for the wireless key fob. Furthermore, it is manufactured by Hella, who also sells the keys. So that makes at least some sense.

I just bought one of those ECUs for my Skoda Octavia. Since it looks like the same module is used in models from 2006 to 2012, I think it might still use the VW-3 encryption scheme.

Looking forward to having a look in the box.