“Rolling-PWN attack” targets Remote Keyless System on Honda vehicles
Honda has confirmed that researchers were indeed able to hack the remote keyless entry system of certain Honda vehicles to unlock the doors and start the engine.
Over the weekend, security researchers Kevin2600 and Wesley Li from Star-V Lab published information on a security bug they identified in the rolling codes mechanism of the remote keyless system of Honda vehicles, which allowed them to open car doors without the key fob present.
When sending a signal to unlock the car doors, the remote key fob also transmits a code that the car verifies against a database, and performs the required action only if the check passes.
Older vehicles used static codes for this process, but these were found inherently vulnerable: an attacker within proximity of the car could capture them and replay them later to unlock the vehicle.
The rolling codes mechanism in newer vehicles is meant to prevent such attacks, by using a Pseudorandom Number Generator (PRNG) on the key fob to send a unique code along with the signal to unlock the doors.
The mechanism also features a rolling code synchronizing counter that is increased with each press of a button on the key fob. The receiver in the vehicle also accepts a sliding window of codes, which ensures that the commands are accepted even if the button is pressed by mistake, when the vehicle is not in range.
What Kevin2600 and Wesley Li discovered was that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter resynchronization.
“Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” the researchers say.
Tracked as CVE-2021-46145 and named Rolling-PWN attack, the vulnerability is believed to impact all Honda vehicles on the market, but was tested only on the 10 most popular models of the last decade: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
The researchers, who published video demonstrations of the attack, believe that vehicles from other manufacturers might be impacted as well.
Contacted by SecurityWeek, Honda confirmed that the new attack is possible: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”
The car maker also underlined that, even if an attacker could unlock the doors of the car, they would not be able to drive it away, as this would require for the key fob to be present in the car.
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the company said.
Honda has not shared details on whether it plans to deliver software updates to address this vulnerability in its latest models, but was clear that older vehicles will remain unpatched.
“Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. Honda has no plan to update older vehicles at this time,” the car maker said.
The Rolling-PWN attack is different from CVE-2022-27254, a replay attack disclosed in March 2022, where the same unencrypted radio frequency (RF) signal sent for various commands can be captured by an attacker and then replayed to unlock the vehicle or start the engine. .
More from Ionut Arghire
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
- New Espionage Group ‘YoroTrooper’ Targeting Entities in European, CIS Countries
- CISA Seeks Public Opinion on Cloud Application Security Guidance
- Data Breach at Independent Living Systems Impacts 4 Million Individuals
Latest News
- Hitachi Energy Blames Data Breach on Zero-Day as Ransomware Gang Threatens Firm
- NBA Notifying Individuals of Data Breach at Mailing Services Provider
- Adobe Acrobat Sign Abused to Distribute Malware
- New York Man Arrested for Running BreachForums Cybercrime Website
- Huawei Has Replaced Thousands of US-Banned Parts With Chinese Versions: Founder
- Latitude Financial Services Data Breach Impacts 300,000 Customers
- US Government Warns Organizations of LockBit 3.0 Ransomware Attacks
- New ‘Trigona’ Ransomware Targets US, Europe, Australia
Click to comment
