A sizeable proportion of 100 million Volkswagen Group cars sold since 1995 can be unlocked remotely by hackers, a team of researchers has said.
The problem affects a range of vehicles manufactured between 1995 and 2016 – including VWs and models from the company’s Audi, Seat and Skoda brands.
A homemade radio costing about £30 is the only hardware an attacker requires.
Volkswagen said it was working with the researchers and added that several new vehicles were unaffected by the issue.
Two separate attacks affecting different models are described in a paper by researchers from the University of Birmingham and German security firm Kasper & Oswald.
With the second method, an older cryptographic scheme in some other brands was found to have a similar, albeit more complex vulnerability.
The team showed it was possible for a malicious hacker to spy on key fob signals to target cars via a cheap, homemade radio.
By cloning the digital keys, the researchers found they could then unlock a variety of VW Group vehicles.
This was possible because they were able to reverse-engineer the keyless entry system in the affected models – a process which yielded some master cryptographic keys.
Prior to publishing their research, the team behind the paper agreed with Volkswagen that some key pieces of information – including the value of the master cryptographic keys – would not be made public.
“We were kind of shocked,” Timo Kasper at Kasper & Oswald told the BBC. “Millions of keys using the same secrets – from a cryptography point of view, that’s a catastrophe.”
Mr Kasper said that after the researchers alerted Volkswagen to the problem in November 2015, they set up some meetings to help the car maker understand the vulnerability.
“We had very fruitful discussions – there was a very good atmosphere,” he said.
However, there are “at least ten more, very widespread” hacking schemes affecting various other car brands that Kasper & Oswald is still waiting to publish, following appropriate disclosure to the companies involved, Mr Kasper added.
A spokesman for Volkswagen said several current-generation vehicles, including the Golf, Tiguan, Touran and Passat were not affected by the problem.
“The responsible department at Volkswagen Group is in contact with the academics mentioned and a constructive exchange is taking place,” he told the BBC.
The spokesman added that starting the car’s engine with this attack was “not possible”.
Security expert Ken Munro at Pen Test Partners said critical components of the attack had been omitted from the published paper.
“You’d need some academic-level knowledge of cryptography to be able to do this,” he added.