Honda Vehicle Vulnerability Allows Remote Unlocking And Starting
As the fifth-largest auto manufacturer in the world, Honda’s vehicles are a common sight on essentially every road. Many of those vehicles could have a major vulnerability that an attacker can use to unlock and start the car. The researchers who discovered the exploit, known as RollingPWN, say it might affect all Honda vehicles from 2012 through the latest 2022 models. However, Honda currently denies a vulnerability exists.
The issue stems from Honda’s keyless entry fob, which uses a “rolling code” system to authenticate the remote. Each time you press a button on the remote, the rolling code clicks ahead to prevent so-called “replay attacks” in which someone captures and retransmits your remote code.
According to a statement from the researchers, Honda has implemented a sliding window of codes to avoid accidental key presses. So, it’s possible to send codes in sequence to the vehicle until the counter resynchronizes. Once that happens, codes from the previous cycle start working again, so replay attacks become possible.
The were released last week — it’s unclear if Honda was alerted first, which is a key component of responsible disclosure. Regardless, the exploit is in the wild, and several car enthusiasts and journalists have confirmed it works. Without the key fob in-hand, it’s possible to unlock the doors and remotely start the affected cars. Yet, Honda has yet to admit the bug exists. In a , Honda claims its rolling code system prevents replay attacks.
Well done, time to Rolling pwn all the cars :P
— Kevin2600 (@Kevin2600)
The researchers tested ten models of cars, including a 2020 CR-V, a 2022 Civic, and a 2012 Civic. All of them were vulnerable to the attack, and therefore, it’s possible all Honda vehicles back to 2012 are the same. This might be a big headache for Honda owners. While some of its newer vehicles can receive OTA updates, most cannot. Not only would Honda have to develop new software for dozens of models, it would have to coax owners to bring their vehicles to a dealership or Honda service center to upgrade the software.
Kevin2600 and Li believe the same exploit could affect other car manufacturers. The pair promises more details in the future. So, things may get worse before they get better.
Now Read: