Vulnerability allows hackers to unlock and start Honda cars remotely

Jimmy2x

Posts: 234   +29
Staff
WTF?! Researchers recently uncovered a vulnerability that could allow hackers to unlock and start multiple Honda vehicle models remotely. The impacted model list identifies 10 of Honda's most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 through 2022.

The security flaw, dubbed RollingPWN by researchers, exploits a component of Honda's keyless entry system. The current entry system relies on a rolling code model that creates a new entry code each time owners press the fob button. Once issued, the previous ones should be made unusable to prevent replay attacks. Instead, researchers Kevin26000 and Wesley Li discovered the old codes could be rolled back and used to obtain unwanted access to the vehicle.

The researchers tested the vulnerability across several Honda models ranging from 2012 through 2022. The list of affected test vehicles includes:

  • Honda Civic 2012
  • Honda XR-V 2018
  • Honda CR-V 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

Based on the list and successful tests of the exploit, Kevin26000 and Li strongly believe the vulnerability could affect all Honda vehicles and not just the initial ten listed above.

Providing a fix for the vulnerability may be as complex as the exploit itself. Honda could patch the flaw via an over-the-air (OTA) firmware update, but many of the cars affected don't provide OTA support. The larger pool of potentially impacted vehicles makes a recall scenario unlikely.

For now, research is ongoing to determine how widespread the vulnerability is. Based on the nature of the attack, Kevin26000 and Li strongly suspect that the issue may also impact other car makers.

The finding is just one more in a series of access vulnerabilities discovered across Honda's line of vehicles this year. In March, researchers identified a man-in-the-middle exploit (CVE-2022-27254) where RF signals could be intercepted and manipulated for later use. Kevin26000 had also reported a similar replay attack (CVE-2021-46145) back in January 2022.

Permalink to story.

 
Oh there is a vulnerability allowing me to steal Hondas.

That is how it works? Thanks for telling us about it and how it works

Now we are gonna steal Hondas left right and center

Stupi.... techspot authors

Either take this article down or remove how it works.

You're giving away the vulnerability

so dum...

This is a new stupid low you've reach techspot
 
Oh there is a vulnerability allowing me to steal Hondas.

That is how it works? Thanks for telling us about it and how it works

Now we are gonna steal Hondas left right and center

Stupi.... techspot authors

Either take this article down or remove how it works.

You're giving away the vulnerability

so dum...

This is a new stupid low you've reach techspot

This was announced on Twitter, which has just a few orders of magnitude more users than Techspot. 7 people have read about it here yet over 500 people have liked the Tweet which means thousands have read it there already. And all the information is publicly available at GitHub, which has millions of users.

Please explain how Techspot is doing something wrong here.
 
I can think of exactly three scenarios where keyless entry is actually useful: if its raining and your wanting the door unlocked so you can dive right in, because you're being chased by someone, or if you lost your keys and had subscribed to remote assistance. Other than that its just another expensive, unnecessary add-on by car manufacturers and a major vulnerability. I personally don't think its worth it.
 
Oh there is a vulnerability allowing me to steal Hondas.

That is how it works? Thanks for telling us about it and how it works

Now we are gonna steal Hondas left right and center

Stupi.... techspot authors

Either take this article down or remove how it works.

You're giving away the vulnerability

so dum...

This is a new stupid low you've reach techspot

They're just repeating the news, they did nothing wrong. A few minutes on google and anyone can figure it out for God's sake.
 
Couple reasons why I drive a 2011. Yeah, it has a computer, but requires a KEY to start it,
and it has MANUAL transmission, which today, is like a "poor man's" security system since
most kids can't drive a stick. ;)
I'm fairly confident any would be car thief should know how to drive a stick, it's not rocket surgery after all.

The issue I have is whenever I bring my car anywhere for any kind of service short of my mechanic, I always worry the person getting behind the wheel is going to ride the clutch as the first thing they seem to do is look at the stick and pause... And then the people in the garage all have to see it as if it's some kind of ancient artifact... At least that part is amusing.

Drive an 08 6spd. Pretty safe as I have no remote start functionality either.
 
Riddle me this .
Surely it should be this hack should only be for opening car ,
IE a key should not pass final inspection to start the car .

Ie a the system should be designed that a secondary check runs fob and car - based on a known hard to calculate problem - eg no colour can sit next to another in a 2D pattern with 100000 colour tiles - so car asks colour of tile 522, 1820, 39415 ,88478 and 88588
the lookup is much much quicker than a hacking PC - ie fob must respond in X time - yes this could be broken given enough attempts over time - but the thief does not have this time
 
Suddenly those cars that charge a premium subscription for the remote start feature are looking much better (assuming the hack doesn't work if you don't subscribe.)
 
Thanks for telling us about it and how it works

Now we are gonna steal Hondas left right and center
Many replies already, but just wanted to add this from the original publication:
9: Is there more technical information about Rolling-PWN?

You can follow the author on Twitter [@kevin2600]. However, we will not be releasing any tools required to go out and steal the affected vehicles. At a later stage, we will release technical information in order to encourage more researchers to get involved in the car security research.
 
I wonder if they told Honda about this first. Isn't it good ethics for the researchers to notify the companies affected first instead of just releasing their findings in the wild?
 
Ummm Hand in there trying to get attention!!
NO CAR IS SAFE LOL IF YOU NEED A PHONE TO OPEN IT!!! For Fart Sake!! You can get many programs from Torrent sites lol turn off remote opening on and use your key fob!!
 
That's funny, I was just telling my wife yesterday that new technologies in cars brought nothing good for me. I loved so much my car from the 90's. It had no electronics. It was cheap and almost never failed. It didn't have any kind of nice options but just what it needed to serve me as a car without me to worry about anything.

Now the car can be stolen remotely, what a progress ! No need to take risks.
I imagine that when people have to do any kind of maintenance or reparation, it becomes an expensive technological nightmare that only the seller of the car can fix.

Instead of that we could have ultra light and long lasting cars with aluminum chassis that would consume a portion of what they do. We could also have open source hardware that whatever technician could fix or upgrade.
 
Oh there is a vulnerability allowing me to steal Hondas.

That is how it works? Thanks for telling us about it and how it works

Now we are gonna steal Hondas left right and center

Stupi.... techspot authors

Either take this article down or remove how it works.

You're giving away the vulnerability

so dum...

This is a new stupid low you've reach techspot
Honda driver spotted.
 
This isnt actually as serious as it sounds. As a Honda CRV owner, the way the system works with remote start is the ability to put the car in drive and drive away is disabled.

You remote start the car, the fob is in your possession. The car is essentially disabled other than starting up. You put it into drive and the car dies, you cant go anywhere with it.

Additionally, you cant drive away in a Honda CRV without the fob physically present in the car.

Funny how they leave these details out. Emulating a previous code really does no good but potentially waste some ones gas by having the vehicle idle.

Cant say this is how it works on all the models but its 100% how my CRV works.
 
This isnt actually as serious as it sounds. As a Honda CRV owner, the way the system works with remote start is the ability to put the car in drive and drive away is disabled.

You remote start the car, the fob is in your possession. The car is essentially disabled other than starting up. You put it into drive and the car dies, you cant go anywhere with it.

Additionally, you cant drive away in a Honda CRV without the fob physically present in the car.

Funny how they leave these details out. Emulating a previous code really does no good but potentially waste some ones gas by having the vehicle idle.

Cant say this is how it works on all the models but its 100% how my CRV works.


Yeah, its unclear how critical this would be on Hondas without remote start feature. Can they use the same exploit to press the start button now that they are inside the car?
 
Back