Cybersecurity researchers have disclosed a security bug in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially all models of Honda cars.
Over the weekend, researchers Kevin2600 and Wesley Li from Star-V Lab published a technical report and videos on a vulnerability, dubbed Rolling-PWN, in the rolling codes mechanism of the remote keyless system of Honda cars, which enabled them to open car doors without the key fob present.
The vulnerability is tracked as CVE-2021-46145 (medium severity) and is described as an issue "related to a non-expiring rolling code and counter resynchronization" in the keyfob subsystem in Honda.
The keyless entry system in modern cars depends on the rolling codes mechanism generated by a pseudorandom number generator (PRNG) algorithm, ensuring that unique strings are employed each time the keyfob button is pressed.
“Vehicles have a counter that checks the chronology of the generated codes, increasing the count upon receiving a new code. Non-chronological codes are accepted, though, to cover situations of accidental presses of the keyfob, or when the vehicle is out of range,” researchers explained.
The researchers identified that the counter in Honda vehicles is resynchronized when the car vehicle gets lock/unlock commands in a consecutive sequence, causing the car to accept codes from previous sessions that should have been invalidated.
The hacker equipped with software-defined radio (SDR) equipment can capture a consecutive sequence of codes and replay them at a later time to unlock the vehicle and starts its engine.
The vulnerability is believed to affect all Honda vehicles on the market, but the researchers examined the attack on the 10 most popular models of Honda of the last decade including Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours. However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches,” Honda’s spokesperson stated.