Honda security flaw lets attackers unlock and start cars remotely

Star-V Lab security researchers Kevin2600 and Wesley Li have discovered a rolling code mechanism exploit that lets attackers unlock and start keyless Honda vehicles remotely.
In the “Rolling-PWN” attack, an attacker intercepts the communications between the vehicle and its keyfob and “replays”, or resubmits, them to the vehicle to gain access.
The researchers successfully exploited ten of Honda’s most popular models from 2012 to 2022, namely:
- Civic 2012
- X-RV 2018
- C-RV 2020
- Accord 2020
- Odyssey 2020
- Inspire 2021
- Fit 2022
- Civic 2022
- VE-1 2022
- Breeze 2022
However, they said that the security vulnerability affects all Honda vehicles currently on the market and may also affect other manufacturers’ cars.
The Rolling-PWN exploit has received a Common Vulnerabilities and Exposures identifier of CVE-2021-46145.
While older vehicles use static codes for keyless entry, modern cars have a rolling code mechanism to improve security.
Rolling codes use a pseudorandom number generator to produce a unique code every time the keyfob is used.
The vehicle checks this code’s validity against an internal database of previously generated codes.
“The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically,” The Drive’s Rob Stumpf reported.
The vehicle has a counter that increases each time a new code is received to track the different codes chronologically.
Stumpf explained that, to protect against replay attacks, any previously received codes are invalidated when the vehicle receives a new code.
However, Kevin2600 and Li discovered that issuing a lock command, followed by an unlock command, resynchronises the counter, allowing previous codes to be reused.
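The receiver-side logic described above can be modelled in a few lines. This is an added example, not Honda's implementation or the researchers' code: the truncated-HMAC generator, the `WINDOW` size and the "two consecutive codes trigger a resync" rule are assumptions chosen to show why a counter that can move backwards makes old codes valid again, and why a forward-only counter does not.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: how many future codes the receiver tolerates

def rolling_code(key: bytes, counter: int) -> bytes:
    # Stand-in generator (truncated HMAC-SHA256), not any manufacturer's algorithm.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, key: bytes, forward_only: bool):
        self.key = key
        self.counter = 0              # counter of the last accepted code
        self.forward_only = forward_only

    def _find(self, code: bytes, lo: int, hi: int):
        # Return the counter in [lo, hi) that produces this code, or None.
        for c in range(lo, hi):
            if hmac.compare_digest(code, rolling_code(self.key, c)):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        # Normal path: accept only codes ahead of the counter, inside the window.
        c = self._find(code, self.counter + 1, self.counter + 1 + WINDOW)
        if c is None:
            return False
        self.counter = c              # everything at or below c is now invalid
        return True

    def resync(self, first: bytes, second: bytes) -> bool:
        # Assumed resync rule: two consecutive codes re-align the counter.
        lo = self.counter + 1 if self.forward_only else 1
        c = self._find(first, lo, self.counter + 1 + WINDOW)
        if c is None or not hmac.compare_digest(second, rolling_code(self.key, c + 1)):
            return False
        self.counter = c + 1          # the flawed variant can move this backwards
        return True

def replay_after_resync(forward_only: bool) -> bool:
    key = b"constructed-demo-key"     # constructed sample key
    rx = Receiver(key, forward_only)
    presses = [rolling_code(key, n) for n in range(1, 6)]   # fob presses 1..5
    assert all(rx.receive(p) for p in presses)              # car sees all five
    assert not rx.receive(presses[2])                       # plain replay is rejected
    rx.resync(presses[0], presses[1])                       # old consecutive pair
    return rx.receive(presses[2])                           # is old code 3 valid again?
```

The mitigation this model points to is an invariant, not a patch for a specific product: no code path, including resynchronisation, may lower the stored counter.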
“I was able to replicate the Rolling Pwn exploit using two different key captures from two different times. So, yes, it definitely works.” https://t.co/ZenCB3vX5z
— Rob Stumpf (@RobDrivesCars) July 10, 2022
Stumpf conducted an independent experiment on his 2021 Honda Accord using software-defined radio equipment and confirmed the researchers’ findings.
He said that although the exploit let him unlock and start the car, it did not allow him to drive off since the fob was not nearby.
The researchers said the exploit does not leave any traces in traditional log files and is therefore undetectable.
They said that while Honda can likely issue over-the-air patches to address the issue in newer models, the manufacturer will have to recall older models to do the same.