
Well, the advantage of VW is that the car itself is pretty secure.

All messages on the CANBUS are securely signed, there are multiple rings of security where data can always pass only in one direction, etc.

The only thing this exploit enables is that if you already have the car, managed to break the steering wheel lock, managed to replicate the magnetic signature of the key, and managed to start the motor, that you can circumvent the immobilizer that comes after that.

This is a pretty minor flaw compared to the "full control via radio" that competitors had.




Is this a specific feature of VW's implementation of CAN? CAN in general (at least not in 2007 when I last worked in the industry) is not secured. The only real security once you had access to the CAN bus were the separate rings (although several modules bridged). You probably couldn't start the car and keep it started unless you figured out the variant of crypto handshake used between whatever did ignition/skim/rke and the engine (sometimes public key, sometimes symmetric, often with some sketchy cipher implemented by modules that would offer full memory access via debug protocols if you asked the right way). If you had access to the spec for messages for the machines, access to the CAN bus can do some very cool/scary things.

Depending on how the car manufacturer spec'd the engine<->skim handshake, you might get as lucky as to just be able to isolate the offending skim/rke unit and MITM/replay its messages. If the rke and skim units are separate, there's an outside chance that the beacon that is sent after remote-start that lets the engine know not to turn off doesn't contain a secret key itself and can be replayed. In any event, I'd assume that physical access to the vehicle means that a kit could be deployed in minutes to steal the vehicle without any fuss.


Almost all German manufacturers use these variations of CAN.

Bosch recently published how their variants are used to prevent stuff like break-in through the radio.

The system is safe against replay attack (by prepending a timing signal to the encrypted message), has separate rings of trust (so your gas pedal can control acceleration, but your radio can’t), and is in general quite safe.

And, well, with a physical kit you might be able to start the kit, but the steering wheel lock can not be unlocked without a physical key. And even if you break through that, you need to stop the immobilizer.

So you end up breaking open the door, breaking with large tools a part of the steering wheel lock, (hoping the car does not have an anti-intervention system, usually a cat jumping onto the car already starts a loud alarm), then you have to actually start the car and run this 30-min brute force attack against the immobilizer, after having sniffed the owner before.

It’s theoretically possible, but it's not really a practical attack.
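The two mechanisms argued over in this sub-thread, a freshness value bound into an authenticated message so that sniffed frames cannot be replayed, and a gateway that only lets selected identifiers cross between bus "rings" in one direction, can be shown in a few dozen lines. The following is an added illustration written for this thread, not code from VW, Bosch or any of the commenters. It assumes a classic 8-byte CAN data field split into 4 bytes of payload, a 1-byte truncated counter and a 3-byte truncated HMAC-SHA256 (a layout chosen for the example; real automotive schemes use AES-based MACs and their own field sizes), a pre-shared key, and constructed identifiers and payload values.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed 128-bit key shared by the two ECUs (hypothetical value for the example).
SHARED_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")

# Assumed layout of the 8-byte CAN data field (not any manufacturer's real layout):
#   4 bytes application payload | 1 byte truncated freshness counter | 3 bytes truncated MAC
PAYLOAD_LEN, CTR_LEN, MAC_LEN = 4, 1, 3
ACCEPT_WINDOW = 64  # lost frames tolerated before the receiver needs resynchronisation


@dataclass(frozen=True)
class CanFrame:
    can_id: int   # 11-bit identifier
    data: bytes   # classic CAN: up to 8 bytes


def compute_mac(can_id: int, full_counter: int, payload: bytes) -> bytes:
    """MAC over identifier, the *full* counter and payload; only MAC_LEN bytes go on the wire."""
    msg = struct.pack(">HQ", can_id, full_counter) + payload
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:MAC_LEN]


class SenderEcu:
    def __init__(self) -> None:
        self.counter = 0  # monotonically increasing freshness value, never reused

    def build(self, can_id: int, payload: bytes) -> CanFrame:
        if len(payload) != PAYLOAD_LEN:
            raise ValueError("payload must be exactly 4 bytes in this layout")
        self.counter += 1
        mac = compute_mac(can_id, self.counter, payload)
        return CanFrame(can_id, payload + bytes([self.counter & 0xFF]) + mac)


class ReceiverEcu:
    def __init__(self) -> None:
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: CanFrame) -> Optional[bytes]:
        """Return the payload if the frame is fresh and authentic, otherwise None."""
        if len(frame.data) != PAYLOAD_LEN + CTR_LEN + MAC_LEN:
            return None
        payload = frame.data[:PAYLOAD_LEN]
        ctr_low = frame.data[PAYLOAD_LEN]
        mac = frame.data[PAYLOAD_LEN + CTR_LEN:]
        # Reconstruct the full counter: the smallest value above last_counter with this low byte.
        candidate = (self.last_counter & ~0xFF) | ctr_low
        if candidate <= self.last_counter:
            candidate += 0x100
        if candidate - self.last_counter > ACCEPT_WINDOW:
            return None  # replayed or stale counter (or far too many frames lost)
        expected = compute_mac(frame.can_id, candidate, payload)
        if not hmac.compare_digest(expected, mac):
            return None  # forged or tampered frame; the counter is not advanced
        self.last_counter = candidate
        return payload


# The "rings": a gateway allow-list of which identifiers may cross between bus segments,
# and in which direction. Constructed rule: one broadcast flows from powertrain to
# infotainment; nothing is forwarded the other way.
CROSS_BUS_ALLOW = {("powertrain", "infotainment"): {0x1A0}}


def gateway_forward(src_bus: str, dst_bus: str, frame: CanFrame) -> bool:
    return frame.can_id in CROSS_BUS_ALLOW.get((src_bus, dst_bus), set())


def run_scenario() -> dict:
    """Fresh frame accepted, replayed frame and tampered frame rejected, genuine frame still fine."""
    tx, rx = SenderEcu(), ReceiverEcu()
    frame1 = tx.build(0x123, b"\x00\x00\x01\x2c")  # constructed payload value
    results = {"fresh": rx.accept(frame1)}
    results["replay"] = rx.accept(frame1)  # same bytes again: counter already consumed
    frame2 = tx.build(0x123, b"\x00\x00\x00\x64")
    tampered = CanFrame(frame2.can_id, bytes([frame2.data[0] ^ 0x80]) + frame2.data[1:])
    results["tampered"] = rx.accept(tampered)  # payload changed, MAC no longer matches
    results["genuine_after_tamper"] = rx.accept(frame2)  # rejection did not burn the counter
    results["last_counter"] = rx.last_counter
    return results


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(f"{name}: {value!r}")
```

The point of binding the full counter into the MAC while sending only its low byte is that a captured frame cannot be reused later: the receiver reconstructs a counter it has not seen yet, and the MAC computed over that value no longer matches. The gateway rule is the other half of the "rings" argument: an identifier originating on the infotainment segment is simply never forwarded towards the powertrain segment, whatever it carries.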


This is how it worked ~2000:

You break door lock, get inside, pop the hood. Alarm starts, you spray polyurethane foam into alarm loudspeaker and it shuts up. You close the hood and go away for 10-20 minutes keeping a lookout on the car. You come back, swap computers, turn on the car and drive away.


Wait, so VW has an RFID immobilizer and a physical key? I've only ever seen cars having one or the other.


All European cars since 1998 will have both, because immobilizers are required by law in most of Western Europe.

On most cars, you'll never notice the immobilizer as it's RFID based, passive, and requires no batteries. The only way you'd find it is if you take apart the key fob or have to service the ignition lock, at which point you'll find the RFID antenna ring around it, or if you try to get the key replaced.


> All European cars since 1998 will have both, because immobilizers are required by law in most of Western Europe.

So will some cars produced before 1998. The Audi S2 (listed in the article) is one of those, and was built from 1990 to 1995.


Doesn't help you much if you don't live in Europe. I have a 2015 Audi that doesn't require the key to be inserted.


FWIW my Honda has a real physical key with an RFID chip. So just duplicating the key won't work unless I get a key with a chip.


At least in Germany, yes. Usually the key is also secured with multiple other techniques and has a 3-dimensional unique pattern, plus additionally magnetic safety features.

And the fact that the car has a steering wheel lock (the steering wheel is locked in the right-most position) is also standard.


Interesting, that seems like a pretty reasonable way to do it. Another case of convenience taking precedence over security, I guess.


The above-mentioned vulnerability only applies to very few models, on the North American market, which have the (very costly) extra of keyless entry.

According to my knowledge, keyless entry is even illegal in Germany. (But I am not a lawyer, so I do not know if that applies at all, or if the legal situation just ends up stating that drunk people owning a car with keyless entry may not be close enough to their car that the immobilizer is deactivated)

