Hackers Are Able to Unlock Honda Vehicles Remotely
Newer Honda Models Feature an Unsafe Code-Rolling Technique.
A vulnerability known as Rolling-PWN makes it possible to launch replay attacks. In these attacks, a threat actor captures the codes sent from a key fob to a vehicle and later uses those codes to unlock or start the vehicle.
Researchers in the field of data security discovered that certain newer models of Honda automobiles have an insecure method for rolling codes, which makes it possible to unlock the vehicles and even start the engines from a distance.
According to a post by BleepingComputer, the researchers claim to have tested the attack on models of Honda automobiles manufactured between the years 2021 and 2022.
The keyless entry system in current automobiles uses rolling codes, which are generated by a pseudorandom number generator (PRNG), to guarantee that a unique string is used each time the button on the key fob is pushed.
The rolling code technique was developed to avoid the fixed code issues that permitted man-in-the-middle replay attacks, such as the one we discussed in March, which may still be exploited in earlier versions.
Vehicles are equipped with a counter that checks the chronological order of the generated codes and increases the count whenever a new code is received. However, codes that are out of chronological order are still accepted, to cover cases where the driver accidentally presses the key fob or the car is out of range.
Researchers Kevin2600 and Wesley Li discovered that the counter in Honda automobiles is resynchronized when the vehicle receives lock/unlock commands in a consecutive sequence. This discovery was made public in their paper “Resynchronization of the Counter in Honda Vehicles.” Because of this, the vehicle will accept codes from a prior session even though they ought to have been rendered invalid.
The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles. A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design. By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.
An adversary who is armed with software-defined radio (SDR) technology may record a string of codes, store them, and then use them at a later date to unlock the car and start the engine.
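The resynchronization behaviour described above can be seen in a simplified receiver model, run once with backward resync allowed and once with a counter that never moves backwards. This is an added example, not code from the researchers or from Honda; the frame format, WINDOW, RESYNC_RUN and the HMAC stand-in for the rolling code are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16      # assumed size of the look-ahead window
RESYNC_RUN = 3   # assumed number of consecutive codes that triggers a resync

def fob_frame(counter):
    """Fob side: counter plus a MAC over it (stand-in for the real rolling code)."""
    mac = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, mac

class Receiver:
    def __init__(self, monotonic):
        self.counter = 0            # last counter value accepted
        self.monotonic = monotonic  # hardened mode: counter never moves backwards
        self.run = []               # consecutive out-of-window counters seen so far

    def receive(self, frame):
        ctr, mac = frame
        if not hmac.compare_digest(mac, fob_frame(ctr)[1]):
            return False                       # not produced by the paired fob
        if self.counter < ctr <= self.counter + WINDOW:
            self.counter, self.run = ctr, []   # normal case: inside the window
            return True
        if self.monotonic and ctr <= self.counter:
            self.run = []                      # already-used code: reject, no resync
            return False
        # Out of window: count consecutive codes towards a resynchronization.
        self.run = self.run + [ctr] if self.run and ctr == self.run[-1] + 1 else [ctr]
        if len(self.run) >= RESYNC_RUN:
            self.counter, self.run = ctr, []   # resync (flawed mode: even to old values)
            return True
        return False

def replay_old_frames(monotonic):
    """Return the receiver's verdict for four old frames replayed in sequence."""
    rx = Receiver(monotonic)
    captured = [fob_frame(c) for c in range(1, 5)]  # constructed: recorded earlier
    for frame in captured:
        rx.receive(frame)                # owner's original presses, accepted once
    for c in range(5, 40):
        rx.receive(fob_frame(c))         # owner keeps using the fob afterwards
    return [rx.receive(frame) for frame in captured]

if __name__ == "__main__":
    print("resync allowed backwards:", replay_old_frames(False))
    print("monotonic counter:       ", replay_old_frames(True))
```

In the flawed mode the first two stale frames are rejected, the third completes the consecutive run and rewinds the counter, and the fourth is then accepted as a normal in-window code. With the monotonic check every stale frame is rejected, while a fob that has run ahead of the window can still resynchronize forwards.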
The vulnerability in the Honda keyfob subsystem is tracked as CVE-2021-46145 (with a severity rating of medium) and is characterized as an issue “connected to a non-expiring rolling code and counter resynchronization.”
The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter-resynchronization.
Rob Stumpf, an automotive writer, was successful in recreating Rolling-PWN on his 2021 Honda Accord by capturing several codes at various intervals. He says that it doesn’t matter how much time has passed since the codes were stolen as long as the re-sync procedure is repeated. The attacker would still be able to re-sync and carry out the unlock operation even if it had been weeks or months since the codes were stolen.
Stumpf points out that even if an adversary were able to use Rolling-PWN to start a Honda, they still would not be able to drive away in the vehicle, since the keyfob needs to be nearby.
Read all about it. https://t.co/JRL1gqYnr8
— Rob Stumpf (@RobDrivesCars) July 11, 2022
A Honda representative told Motherboard that the vulnerability found by Kevin2600 is “old news.”
Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing.
We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.