In short: Yes. This is a big threat model that manufacturers try to guard against.
However, there are a few protections here:
* Most manufacturers do fairly aggressive KYC / risk protection for their online programming services. The VW one is called FAZIT/GeKo, you can find the subscription process online and it is similar to opening a business bank account. Still, you're right, aftermarket account sharing is a big thing and as always, a cat and mouse game that manufacturers are usually losing. You can easily rent VW online coding accounts by the hour on shady websites.
There's also a second layer of protection for official AKL specifically, which is harder to defeat, though:
* Most European manufacturers do not allow an All Keys Lost process to be carried out entirely online. For example, for VW, dealers or aftermarket vendors need to buy specific, physical "dealer keys" for a given VIN. These physical key fobs are seeded with some key material and registered with the shop and VIN in the backend / FAZIT database. The signing server backend for ODIS (GeKo) will not adapt keys to a car unless the key material matches and the VIN was already associated with the key in the backend. Of course, there are social engineering attacks here still, but it's basically 2FA for key programming, with a lead time of "they ship the key to you," and it prevents the attack you describe from being plausible by legitimate means.
HOWEVER, this is also one of the major weaknesses in the VW Immo 5 cryptosystem architecturally - since the actual message authentication is symmetric (MAC based), if the secret AES key material can be extracted from the immobilizer system, aftermarket tools (Abrites, Autel, VVDI/XHorse, etc.) can create and adapt a "Dealer Key" without prior authorization. So we get back to the current state of these systems - because authentication is symmetric, with long-term physical access to the car, specific control units can be removed and secret key material extracted and used for reprogramming. However, drive-by quick-and-dirty "plug two wires from outside" attacks are very challenging.
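To make the design point in this comment concrete, here is an added example (not code from the thread, from VW, or from any aftermarket tool) that models the two halves of it: a backend that refuses to authorize a key adaptation unless the fob was registered for that VIN (the "second factor"), and two ECU designs for checking that authorization, one MAC-based with a secret shared between backend and ECU, one signature-based where the ECU holds only a public key. All type names, the VINs, fob IDs and the shared secret are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// Added example; KeyAdaptRequest, Backend, SymmetricECU and AsymmetricECU are
// hypothetical names, and all key material and identifiers are constructed.

// The backend authorizes "adapt fob F to vehicle V"; the ECU accepts the
// adaptation only if that authorization verifies.
type KeyAdaptRequest struct {
	VIN   string
	FobID string
}

func (r KeyAdaptRequest) encode() []byte { return []byte(r.VIN + "\x00" + r.FobID) }

// Backend keeps the registry of fobs shipped for a given VIN and refuses to
// authorize a pairing that was never registered.
type Backend struct {
	registry map[string]string  // FobID -> VIN the fob was shipped for
	macKey   []byte             // symmetric design: same secret lives in every ECU
	signKey  ed25519.PrivateKey // asymmetric design: never leaves the backend
}

func (b *Backend) checkRegistry(req KeyAdaptRequest) error {
	if vin, ok := b.registry[req.FobID]; !ok || vin != req.VIN {
		return errors.New("fob not registered for this VIN")
	}
	return nil
}

// AuthorizeMAC issues a symmetric (HMAC-SHA256) authorization tag.
func (b *Backend) AuthorizeMAC(req KeyAdaptRequest) ([]byte, error) {
	if err := b.checkRegistry(req); err != nil {
		return nil, err
	}
	return macTag(b.macKey, req), nil
}

// AuthorizeSig issues an asymmetric (Ed25519) authorization signature.
func (b *Backend) AuthorizeSig(req KeyAdaptRequest) ([]byte, error) {
	if err := b.checkRegistry(req); err != nil {
		return nil, err
	}
	return ed25519.Sign(b.signKey, req.encode()), nil
}

func macTag(key []byte, req KeyAdaptRequest) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(req.encode())
	return m.Sum(nil)
}

// SymmetricECU stores the very secret the backend uses, so the ECU's memory
// contents are sufficient to produce tags the ECU itself will accept.
type SymmetricECU struct{ macKey []byte }

func (e *SymmetricECU) Accept(req KeyAdaptRequest, tag []byte) bool {
	return subtle.ConstantTimeCompare(macTag(e.macKey, req), tag) == 1
}

// AsymmetricECU stores only the backend's public key; reading it out reveals
// nothing that produces a valid signature.
type AsymmetricECU struct{ backendPub ed25519.PublicKey }

func (e *AsymmetricECU) Accept(req KeyAdaptRequest, sig []byte) bool {
	return ed25519.Verify(e.backendPub, req.encode(), sig)
}

// The design question from the thread: given only what the ECU stores, can a
// valid authorization be produced for a request the backend never approved?
func TagForgeableFromSymmetricDump(e *SymmetricECU, req KeyAdaptRequest) bool {
	return e.Accept(req, macTag(e.macKey, req)) // dumped secret == backend secret
}

func SigForgeableFromAsymmetricDump(e *AsymmetricECU, req KeyAdaptRequest) bool {
	// Without the backend private key, the best available is a signature under
	// some unrelated key, which the ECU rejects.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	return e.Accept(req, ed25519.Sign(otherPriv, req.encode()))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	b := &Backend{registry: map[string]string{"FOB-0001": "VIN-EXAMPLE-0001"},
		macKey: []byte("constructed-shared-secret"), signKey: priv}
	sym := &SymmetricECU{macKey: b.macKey}
	asym := &AsymmetricECU{backendPub: pub}

	ok := KeyAdaptRequest{VIN: "VIN-EXAMPLE-0001", FobID: "FOB-0001"}
	bad := KeyAdaptRequest{VIN: "VIN-EXAMPLE-0001", FobID: "FOB-UNREGISTERED"}

	_, err := b.AuthorizeMAC(bad)
	fmt.Println("backend refuses unregistered fob:", err != nil)
	tag, _ := b.AuthorizeMAC(ok)
	fmt.Println("registered fob accepted by ECU (MAC):", sym.Accept(ok, tag))
	fmt.Println("valid tag producible from symmetric ECU dump:", TagForgeableFromSymmetricDump(sym, bad))
	fmt.Println("valid signature producible from asymmetric ECU dump:", SigForgeableFromAsymmetricDump(asym, bad))
}
```

The registry check is the same in both designs; what differs is where the secret that backs the authorization lives. With the MAC design the backend's registry is only enforced as long as the shared secret stays inside the backend and the ECU, which is exactly the assumption that long-term physical access to a control unit breaks. With the signature design the ECU can be dumped completely and the registry check still cannot be bypassed without the backend's private key.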
Very interesting, thanks! Glad to hear there's at least an attempt at actual due diligence and theft prevention as opposed to merely making it difficult/expensive for independent shops or car owners.
The longer and more involved I get in automotive diagnostics and programming as a hobby, the less I believe there is any particular conspiracy against independent shops and owners in the automotive industry (versus in the heavy equipment and ag industry, where there absolutely is a conspiracy).
The threat model most automotive systems are designed against (when they are designed against anything at all) is absolutely not "we want to screw over those damn independent shops trying to run diagnostic routines!" - it's "how do we lock down the immobilizer, the ADAS, and protect ourselves from tuning-related warranty fraud." Independent shops and individual enthusiasts are just caught in the crossfire between thieves, ADAS tampering, and manufacturers/insurance/regulators.