WTF?! Researchers recently uncovered a vulnerability that could allow hackers to unlock and start multiple Honda vehicle models remotely. The impacted model list identifies 10 of Honda's most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 through 2022.
The security flaw, dubbed RollingPWN by researchers, exploits a component of Honda's keyless entry system. The current entry system relies on a rolling code model that creates a new entry code each time owners press the fob button. Once issued, the previous ones should be made unusable to prevent replay attacks. Instead, researchers Kevin26000 and Wesley Li discovered the old codes could be rolled back and used to obtain unwanted access to the vehicle.
The researchers tested the vulnerability across several Honda models ranging from 2012 through 2022. The list of affected test vehicles includes:
- Honda Civic 2012
- Honda XR-V 2018
- Honda CR-V 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
Based on the list and successful tests of the exploit, Kevin26000 and Li strongly believe the vulnerability could affect all Honda vehicles and not just the initial ten listed above.
Providing a fix for the vulnerability may be as complex as the exploit itself. Honda could patch the flaw via an over-the-air (OTA) firmware update, but many of the cars affected don't provide OTA support. The larger pool of potentially impacted vehicles makes a recall scenario unlikely.
For now, research is ongoing to determine how widespread the vulnerability is. Based on the nature of the attack, Kevin26000 and Li strongly suspect that the issue may also impact other car makers.
The finding is just one more in a series of access vulnerabilities discovered across Honda's line of vehicles this year. In March, researchers identified a man-in-the-middle exploit (CVE-2022-27254) where RF signals could be intercepted and manipulated for later use. Kevin26000 had also reported a similar replay attack (CVE-2021-46145) back in January 2022.