
I have a Passat from late 2013 -- it cannot be remotely started but doors are keyless. Twice in the last 16 months, somebody rummaged through it overnight, without breaking anything. We religiously close the car every night, especially after the first occurrence, but still it happened again. After it happened to my next-door neighbor's 2013 Golf as well, I reported it to VW and they never even bothered getting back to me.

I'm not surprised in the slightest, I think this sort of news will keep popping up all over the place and manufacturers will keep trying hard to suppress it. We know it will never end: good crypto is hard and inconvenient, so it's unlikely that car manufacturers will ever implement it properly. Bad guys get all the info they need, eventually, so it's just a matter of time before any digital lock is broken.




Your anecdote doesn't share anything in common with the article. One of two things is likely - your car wasn't actually locked those nights, or the thieves used a signal amplifier to make the car think your keys inside the house were next to your car.

Neither of those things is VW's fault - if you don't like the wireless automatic door unlocking because the signal can be boosted maliciously, then you should disable it. Otherwise live with the consequences.


No, my anecdote is more about a data point (well, three actually) indicating we don't really know how many ways there are to break into these cars, and that manufacturers are playing dumb, hence me not being surprised at the news that another one was found.

If really the problem was relatively trivial, VW should have warned me on how to avoid it, and they didn't. It can't be a simple amplifier: it's not just proximity, you actually have to press a button on the dongle to open a door, so whatever they were doing, it wasn't just repeating an existing signal; and as I said, I can tell you that making sure the car is locked has become a nightly ritual.


I'd caution you against thinking that having to press a button on a dongle means that there's a required intermediary step.

I can imagine a design where the RF signal is being generated on a very low voltage/low power device that's always/permanently on, and pressing the button enables an integrated antenna that suddenly boosts the signal to a usable signal strength.

In that case, the attacker just has to simulate an increase in signal strength if they are already tapping your signal.

Electronic design doesn't follow the same rules as physical device designs - for example, that power button on your PC, it doesn't really close any circuit! It just tells the motherboard that it's ok to let voltage through a certain electrical pathway, the computer is already permanently on and is trickling power from AC / Mains.

You can use software to tell the motherboard to activate the same way that "pressing the button" does - i.e. remote server control over PXE, etc.

Most cars are always on trickling power from their battery waiting to hear that signal, I wouldn't be surprised if dongle design follows the same principle.


Well sure, but this is just an RF signal here, the objection to your anecdote is that on the face of it it has nothing whatsoever to do with good crypto.


But my point is that it should. Any digital lock should use good crypto, it doesn't matter if for ignition or doors. The fact that it's been proven that they did it badly even when they tried, aligns with my experience that their digital locks are not secure.

Whether my locks open with an easily-spoofable RF signal or with a bruteforceable key, the bottom line is still that they are not doing good crypto in situations where it's clearly necessary.


It doesn't share much in common with the article, but I believe this immediately because the same thing happened three times over the last two years with different people in my street. All with new and rather nice Audi models. Opened without any damage, the dashboard completely rampaged (nav, radio, airbags etc. removed).

I won't be surprised if there's another, even more serious vulnerability in Volkswagen locks. The security researcher who found it probably sold it to the bad guys, totally understandable after reading how Volkswagen handles security reports.


A long time ago I heard an anecdote where some guy got locked out of his luxury BMW and called for help. A roadside assistance repairman showed up and knocked on the car in a certain spot with a certain pattern and the car unlocked. Don't know if it's true or not but it wouldn't surprise me if there were (hopefully more secure than that) undocumented backdoors on the modern models.


The second thing - that thieves can use a radio signal amplifier to open your car - is definitely VW's fault. Even if they did not design that system, they chose a supplier for it. A fresh graduate engineer could have reviewed that design and seen that flaw. But would a fresh graduate manager listen to his report?


It strikes me as VW's fault that amplifier attacks work.


I saw a report a while back that if you put your car keys in the freezer or something it blocks enough of the signal from your keys so that someone can't use this signal repeater to unlock your car, it's supposed to act like a Faraday cage (somewhat).

I know it sounds stupid but I remember seeing it on HackerNews a while back. I'm not sure if it was debunked or not.


I can't find the HN link, but I think this is the article you are referring to:

http://www.networkworld.com/article/2909589/microsoft-subnet...


Put your keys in a Faraday cage at night.



