Security researchers have revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially “all Honda vehicles currently existing on the market.”
The “Rolling-Pwn” attack, uncovered by Star-V Lab security researchers Kevin2600 and Wesley Li, exploits a vulnerability in the way Honda’s keyless entry system transmits authentication codes between the car and the key fob. It works in a similar way to the recently discovered Bluetooth replay attack affecting some Tesla vehicles; using easily purchasable radio equipment, the researchers were able to eavesdrop and capture the codes, then broadcast them back to the car in order to gain access.
This allowed the researchers to remotely unlock and start the engines of cars affected by the vulnerability, which includes models from as far back as 2012 and as recent as 2022. But according to The Drive, which independently tested and verified the vulnerability on a Honda Accord 2021, the key fob flaw doesn’t allow an attacker to drive off with the vehicle.
As noted by the researchers, this kind of attack should be prevented by the vehicle’s rolling codes mechanism — a system introduced to prevent replay attacks by providing a new code for each authentication of a remote keyless entry. Vehicles have a counter that checks the chronology of the generated codes, increasing the count when it receives a new code.
Kevin2600 and Wesley Li found that the counter in Honda vehicles is resynchronized when the car vehicle gets lock and unlock commands in a consecutive sequence, causing the car to accept codes from previous sessions that should have been invalidated.
“By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter,” the researchers write. “Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”
The researchers say they tested their attack on several Honda models, including the Honda Civic 2012, Honda Accord 2020, and Honda Fit 2022, but warn that the security vulnerability could affect “all Honda vehicles currently existing on the market” and may also affect other manufacturers’ cars.
The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response.
TechCrunch also did not receive a response from Honda, but in a statement to The Drive, the company insisted that the technology in its key fobs “would not allow the vulnerability as represented in the report.”
“We’ve looked into past similar allegations and found them to lack substance,” a Honda spokesperson said. “While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”
As noted by the security researchers, if Honda was to acknowledge the flaw, fixing it would be difficult due to the fact that older vehicles don’t support over-the-air (OTA) updates. Worryingly, the researchers also warned there’s no way to guard against the hack and no way to determine if it happened to you.