A researcher has uploaded proof-of-concept (PoC) videos demonstrating how an attacker may remotely open the doors and start the engine of a Honda vehicle. The attack is conceivable because of a remote keyless system flaw (CVE-2022-27254) that seems to affect all Honda Civic (EX, EX-L, LX, Touring, Type R, and Si) cars produced between 2016 and 2020. According to Ayyappan Rajesh, a student at the University of Massachusetts Dartmouth, the problem is that commands to open the boot, unlock/lock doors, or start the engine remotely all use the same unencrypted radio frequency (RF) signal. As a result, a man-in-the-middle attacker may listen in on the request and then use it to conduct a replay attack.
If an attacker is near a susceptible vehicle, they may capture the car owner’s remote signal to open and start the car wirelessly and then repeat the identical activity independently. The problem, however, is not new. Researchers first discovered the possibility of such attacks in 2017, and a CVE designation (CVE-2019-20626) was given in 2019. A researcher revealed that hackers could gain complete and unrestricted access to the target vehicle’s locking, unlocking, window control, trunk opening, and engine start functions. The researcher alleges that the carmaker has continued to employ the vulnerable technology in production even though CVE-2019-20626 has been demonstrated to affect various Honda vehicle models. According to the researcher, cyberattacks can be avoided if customers don’t use their RF fobs. Honda uses a “rolling code” system, in which a new code is created each time the user pushes the fob’s button, providing a more secure authentication mechanism.
“Honda has not verified the information reported by this researcher and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this
time,” said a Honda spokesperson. “At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby.”
Honda said that even if an attacker uses this attack to remotely open a car’s door and start the engine, they won’t be able to drive it away without a genuine key fob with a distinct immobilizer chip is available in the vehicle, limiting the chances of vehicle theft. Lastly, the spokesperson said that there is no evidence that the claimed door lock weakness has resulted in the ability to drive a Honda or Acura vehicle.