“Rolling-PWN attack” targets Remote Keyless System on Honda vehicles
Honda has confirmed that researchers were indeed able to hack the remote keyless entry system of certain Honda vehicles to unlock the doors and start the engine.
Over the weekend, security researchers Kevin2600 and Wesley Li from Star-V Lab published information on a security bug they identified in the rolling codes mechanism of the remote keyless system of Honda vehicles, which allowed them to open car doors without the key fob present.
When sending a signal to unlock the car doors, the remote key fob also transmits a code that the car verifies against a database, and performs the required action only if the check passes.
Older vehicles used static codes for this process, but these were found inherently vulnerable: an attacker within proximity of the car could capture them and replay them later to unlock the vehicle.
The rolling codes mechanism in newer vehicles is meant to prevent such attacks, by using a Pseudorandom Number Generator (PRNG) on the key fob to send a unique code along with the signal to unlock the doors.
The mechanism also features a rolling code synchronizing counter that is increased with each press of a button on the key fob. The receiver in the vehicle also accepts a sliding window of codes, which ensures that the commands are accepted even if the button is pressed by mistake, when the vehicle is not in range.
What Kevin2600 and Wesley Li discovered was that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter resynchronization.
“Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” the researchers say.
Tracked as CVE-2021-46145 and named Rolling-PWN attack, the vulnerability is believed to impact all Honda vehicles on the market, but was tested only on the 10 most popular models of the last decade: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
The researchers, who published video demonstrations of the attack, believe that vehicles from other manufacturers might be impacted as well.
Contacted by SecurityWeek, Honda confirmed that the new attack is possible: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”
The car maker also underlined that, even if an attacker could unlock the doors of the car, they would not be able to drive it away, as this would require for the key fob to be present in the car.
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the company said.
Honda has not shared details on whether it plans to deliver software updates to address this vulnerability in its latest models, but was clear that older vehicles will remain unpatched.
“Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. Honda has no plan to update older vehicles at this time,” the car maker said.
The Rolling-PWN attack is different from CVE-2022-27254, a replay attack disclosed in March 2022, where the same unencrypted radio frequency (RF) signal sent for various commands can be captured by an attacker and then replayed to unlock the vehicle or start the engine. .
Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.
Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.
Combined with AI, polymorphic phishing emails have become highly sophisticated, creating more personalized and evasive messages that result in higher attack success rates.(Stu Sjouwerman)
While the Security Posture Management buzz is real, its long-term viability depends on whether it can deliver measurable outcomes without adding more complexity.(Torsten George)
Our collective voices and one community will provide the intelligence we need to safeguard our businesses in today’s modern digital environment.(Marc Solomon)
Very few people in the cybersecurity industry do not know, or know of, Bryson Bort, CEO/Founder of SCYTHE and the co-founder of ICS Village.(Jennifer Leggio)
The greatest security policies in the world are useless if enterprises don’t have a reasonable, consistent, and reliable way to implement them.(Joshua Goldfarb)