Security Experts:

Connect with us

Hi, what are you looking for?


IoT Security

Honda Admits Hackers Could Unlock Car Doors, Start Engines

“Rolling-PWN attack” targets Remote Keyless System on Honda vehicles

“Rolling-PWN attack” targets Remote Keyless System on Honda vehicles

Honda has confirmed that researchers were indeed able to hack the remote keyless entry system of certain Honda vehicles to unlock the doors and start the engine.

Over the weekend, security researchers Kevin2600 and Wesley Li from Star-V Lab published information on a security bug they identified in the rolling codes mechanism of the remote keyless system of Honda vehicles, which allowed them to open car doors without the key fob present.

When sending a signal to unlock the car doors, the remote key fob also transmits a code that the car verifies against a database, and performs the required action only if the check passes.

Older vehicles used static codes for this process, but these were found inherently vulnerable: an attacker within proximity of the car could capture them and replay them later to unlock the vehicle.

The rolling codes mechanism in newer vehicles is meant to prevent such attacks, by using a Pseudorandom Number Generator (PRNG) on the key fob to send a unique code along with the signal to unlock the doors.

The mechanism also features a rolling code synchronizing counter that is increased with each press of a button on the key fob. The receiver in the vehicle also accepts a sliding window of codes, which ensures that the commands are accepted even if the button is pressed by mistake, when the vehicle is not in range.

What Kevin2600 and Wesley Li discovered was that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter resynchronization.

“Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” the researchers say.

Tracked as CVE-2021-46145 and named Rolling-PWN attack, the vulnerability is believed to impact all Honda vehicles on the market, but was tested only on the 10 most popular models of the last decade: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
The researchers, who published video demonstrations of the attack, believe that vehicles from other manufacturers might be impacted as well.

Contacted by SecurityWeek, Honda confirmed that the new attack is possible: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”

The car maker also underlined that, even if an attacker could unlock the doors of the car, they would not be able to drive it away, as this would require for the key fob to be present in the car.

“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the company said.

Honda has not shared details on whether it plans to deliver software updates to address this vulnerability in its latest models, but was clear that older vehicles will remain unpatched.

“Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. Honda has no plan to update older vehicles at this time,” the car maker said.

The Rolling-PWN attack is different from CVE-2022-27254, a replay attack disclosed in March 2022, where the same unencrypted radio frequency (RF) signal sent for various commands can be captured by an attacker and then replayed to unlock the vehicle or start the engine. .

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.


GoAnywhere MFT users warned about a zero-day remote code injection exploit that can be targeted directly from the internet