Security researchers have revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start “all Honda vehicles currently on the market.”
The “Rolling-Pwn” attack, discovered by Star-V Lab security researchers Kevin2600 and Wesley Li, exploits a vulnerability in the way Honda’s keyless entry system transmits authentication codes between the car and the key fob. It works similarly to the recently discovered Bluetooth replay attack that affects some Tesla vehicles; Using readily available radio equipment, the researchers were able to eavesdrop and record the codes, then send them back to the car for access.
This allowed the researchers to remotely unlock and start the engines of cars affected by the vulnerability, including models from 2012 and as recent as 2022. But according to The Drive, which independently tested and verified the vulnerability on a 2021 Honda Accord, the key failure does not allow an attacker to drive away with the vehicle.
As the researchers noted, these types of attacks should be prevented by the vehicle’s rolling codes mechanism — a system introduced to prevent repeat attacks by providing a new code for each authentication of a remote keyless entry. Vehicles have a counter that checks the chronology of the codes generated and increments the count when it receives a new code.
Kevin2600 and Wesley Li found that the counter in Honda vehicles resynchronizes when the car receives lock and unlock commands in sequential order, causing the car to accept codes from previous sessions that should have been invalidated.
“By sending the commands to the Honda vehicles in sequential order, the counter is resynchronized,” the researchers write. “After the counter was resynchronised, the commands from the previous cycle of the counter worked again. Therefore, those commands can later be used to unlock the car at will.”
The researchers say they have tested their attack on several Honda models, including the Honda Civic 2012, Honda Accord 2020 and Honda Fit 2022, but warn that the vulnerability could affect “all Honda vehicles currently on the market.” as well as on other manufacturers’ cars.
The security researchers say they tried to contact Honda about the vulnerability, but found that the company “does not have a department to fix security-related issues for their products.” As such, they reported the issue to Honda customer service but have yet to receive a response.
TechCrunch also received no response from Honda, but in a statement to The Drive, the company insisted that the technology in its key rings “would not allow the vulnerability as depicted in the report”.
“We have investigated similar past allegations and found they had no substance,” said a Honda spokesperson. “While we do not yet have enough information to determine whether this report is credible, the key fob in the vehicles referenced are equipped with rolling code technology that does not allow the vulnerability as depicted in the report. In addition, the videos are offered as evidence of the absence of rolling code does not contain sufficient evidence to support the claims.”
As noted by the security researchers, if Honda acknowledged the flaw, it would be difficult to fix due to the fact that older vehicles do not support over-the-air (OTA) updates. Worryingly, the researchers also warned that there is no way to protect yourself from the hack, nor to determine if it happened to you.
Related video: