The Achilles heel of the system is the remote control used to lock and unlock the car. Using rudimentary techniques and simple equipment, it is possible to capture the radio signal from the remote control and steal the unlocking key, and then open the car without any problems. This allows crooks to steal from cars without causing damage, or worse, to take the car by fooling the electronic immobiliser. This is an open secret in VAG owner circles.
Researchers at the University of Birmingham have presented a study in which they explain what the vulnerability is based on. Volkswagen has been aware of it since November 2015, as has the supplier of the keys, who has not been identified. MQB-era models are not affected, and that includes the Golf (5G), Leon (5F), A3 (8V), Octavia (5E), Passat (3G), and so on. Current models built on previous platforms, like the Audi Q3, are still affected, as are models from other brands that share components, like the first Ford Galaxy.
Volkswagen has not announced a recall
To make the car more difficult to steal, the keys should be wrapped in aluminum foil to block the transmission of signals (Faraday cage), and the car should be locked using the conventional extendable key. The range of the remote control signal is more than 10 meters, so thieves with antennas can be at some distance and still capture the code. They could also jam the locking signal; you can tell this has happened because the indicators do not come on when you lock the car, which means the car remains unlocked.
Another elementary precaution is not to leave any valuables in sight. It is very easy to open and close the car without leaving a trace, so the insurance company may be tempted to refuse compensation by blaming the insured for negligence (i.e. leaving the doors open). Ideally, a complementary, non-standard security system should be installed to add an extra layer of security, or a GPS tracker should be used, though this is not foolproof either.
The report, entitled "Lock It and Still Lose It: On the (In)Security of Automotive Remote Keyless Entry Systems", will be presented today at a security conference in Austin, Texas. The summary is available on the USENIX website.