While the world stood with mouths agape at the deceitfulness of VW’s bad ECM software, many were still blind to the fact that the popular auto manufacturer was hiding an even darker secret that they’ve been trying to bury since 2013.

A team of researchers, led by computer scientist Flavio Garcia from the University of Birmingham, recently revealed that most vehicles manufactured by Volkswagen since 1995 could be wirelessly hacked to start the ignition, allowing anyone with the right RFID-based hardware to drive away without a key. Of course, like any reputable computer scientist, Flavio informed Volkswagen. The company promptly filed a lawsuit to keep Garcia and his team from publishing a detailed report of their findings.

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all VW vehicles manufactured after 1995.

University of Birmingham researchers found two vulnerabilities that allow hackers to gain entry to almost all Volkswagen vehicles manufactured after 1995.

A year after that lawsuit, the team was finally able to publish the report, which was overshadowed by the breaking emissions scandal at the time. Being the dedicated researcher that he is, Garcia and a new team of researchers continued to probe for flaws in VW vehicles and found yet more startling vulnerabilities, which are detailed in a recently released paper aptly titled “Lock It and Still Lose It — On the (In)Security of Automotive Keyless Entry Systems.”

The team’s Arduino-based intercept device used to grab VW key FOBs.

The team used this Arduino-based intercept device to grab VW key FOBs.

In their new probe, the team found that they could gain access to the ignition and door locks of nearly every VW vehicle they tested. Not only that, but they found that their wireless attacks worked on other vehicles as well, including models by Audi, Citroen, Fiat, Ford, Mitsubishi, and Nissan. Essentially, around 100 million vehicles are affected by these vulnerabilities that have yet to be fixed.

Both of the attacks were done using off-the-shelf hardware costing as little as $40 — with the help of an Arduino-based Wi-Fi transceiver, a software-defined radio can grab the vehicle’s key FOB and clone it (the same can be done with a laptop, but the Arduino is more stealthy). That clone can then be used for both attacks.

It’s basically like building a duplicate remote that functions identically to the original. Hackers need only intercept a single button press — a single cryptographic key value, which is shared by almost every model VW released over the last few decades. They then need only to intercept another value that is unique to the individual vehicle to gain access and drive away. The scary part is that owners receive no warning or alert at all that they have become compromised and only realize it when the vehicle is missing.

There are a couple of drawbacks to using the platform, though (if you can call it that). Hackers need to be within a 3-foot range of a targeted vehicle and the key value that most vehicles share isn’t truly universal, as there are several different numerical key values for each. They are not that difficult to find, however, and can be located in different internal components of the vehicle, although Garcia and his team won’t specify which.

The team also found they could also exploit the old Hitag2 cipher to gain access to vehicles as well.

The team also found they could exploit the old Hitag2 cipher to gain access to vehicles.

The team also found another exploit used to gain access to VW vehicles. In this case, the team took advantage of the stream cypher Hitag2 to accomplish the same exploits previously mentioned using the same hardware. Hitag2 may be old but it’s still being used in many vehicles, making the exploit a serious ongoing issue. In this instance, the team used the exploit to gain several rolling code numbers unique to the target vehicle, which were then used to break through the Hitag2 scheme and gain access in about a minute’s time.

They state that in order to accomplish that particular attack, hackers would need the vehicle’s owner to hit their key button multiple times in order to gain the several rolling values needed to exploit Hitag2. To get around that issue, the team suggested that their hardware could be programmed to act as a FOB jammer so that the owner would need to hit that button several times to gain access, which would allow the hackers to record those values.

While Volkswagen has yet to respond to any of these vulnerabilities found by Garcia and his team, it does not bode well for a company already bogged down with a global emissions scandal. Volkswagen has been dealing with some serious publicity issues with their ongoing emissions scandal, which has been under investigation for over a year. South Korea is now investigating emission fabrication claims in their country as well, according to the Wall Street Journal.