Honda has acknowledged that researchers were able to start the engine and open the doors of some Honda vehicles using a remote keyless entry system. According to security experts Kevin2600 and Wesley Li from Star-V Lab, the rolling codes component of Honda automobiles’ remote keyless systems has a security flaw that allows someone to access car doors without having a key fob nearby. They discovered this flaw over the weekend.
The remote key fob delivers a signal to open the car doors along with a code that the vehicle checks against a database and only takes the necessary action if the review is successful. Older cars employed static codes for this procedure, but it was discovered that they were inherently susceptible since an attacker nearby might record them and repeat them later to unlock the car.
In order to thwart such attacks in modern cars, the rolling codes system sends a special code along with the signal to open the doors using a pseudorandom number generator (PRNG) on the key fob. The rolling code synchronizing counter in the mechanism is incremented with each button push on the key fob. A sliding window of codes is also accepted by the receiver in the car, ensuring that orders are carried out even if a button is accidentally touched while the vehicle is out of range.
Wesley Li and Kevin2600 found that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter-resynchronization. “Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” said the researchers.
The weakness, known as the Rolling-PWN attack and tracked as CVE-2021-46145, may affect all the vehicles from Honda. However, it was only tested on the ten most popular models from the last ten years: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022. The researchers, who shared video examples of the attack, think that other manufacturers’ cars might also be affected.
When approached, Honda acknowledged the likelihood of the latest attack: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”
The automaker also stressed that even if an assailant managed to open the car’s doors, they would not be able to drive it away since they would need the key fob to be inside the vehicle. Honda also said this is technically possible, but it just wants to reassure its clients that this specific type of attack, which necessitates constant close-proximity signal collection of several successive RF transmissions, can’t be used for driving the car away.
Honda has not provided information on whether it intends to send software upgrades to its most recent models to fix this issue, but it has made it plain that older vehicles will not receive a patch. The Rolling-PWN attack, which allows an attacker to collect and replay the same unencrypted radio frequency (RF) signal delivered for various requests to unlock a car or start the engine, is different from the CVE-2022-27254 replay attack revealed in March 2022.