“Rolling-PWN attack” targets Remote Keyless System on Honda vehicles
Honda has confirmed that researchers were indeed able to hack the remote keyless entry system of certain Honda vehicles to unlock the doors and start the engine.
Over the weekend, security researchers Kevin2600 and Wesley Li from Star-V Lab published information on a security bug they identified in the rolling codes mechanism of the remote keyless system of Honda vehicles, which allowed them to open car doors without the key fob present.
When sending a signal to unlock the car doors, the remote key fob also transmits a code that the car verifies against a database, and performs the required action only if the check passes.
Older vehicles used static codes for this process, but these were found inherently vulnerable: an attacker within proximity of the car could capture them and replay them later to unlock the vehicle.
The rolling codes mechanism in newer vehicles is meant to prevent such attacks, by using a Pseudorandom Number Generator (PRNG) on the key fob to send a unique code along with the signal to unlock the doors.
The mechanism also features a rolling code synchronizing counter that is increased with each press of a button on the key fob. The receiver in the vehicle also accepts a sliding window of codes, which ensures that the commands are accepted even if the button is pressed by mistake, when the vehicle is not in range.
What Kevin2600 and Wesley Li discovered was that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter resynchronization.
“Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” the researchers say.
Tracked as CVE-2021-46145 and named Rolling-PWN attack, the vulnerability is believed to impact all Honda vehicles on the market, but was tested only on the 10 most popular models of the last decade: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
The researchers, who published video demonstrations of the attack, believe that vehicles from other manufacturers might be impacted as well.
Contacted by SecurityWeek, Honda confirmed that the new attack is possible: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”
The car maker also underlined that, even if an attacker could unlock the doors of the car, they would not be able to drive it away, as this would require for the key fob to be present in the car.
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the company said.
Honda has not shared details on whether it plans to deliver software updates to address this vulnerability in its latest models, but was clear that older vehicles will remain unpatched.
“Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. Honda has no plan to update older vehicles at this time,” the car maker said.
The Rolling-PWN attack is different from CVE-2022-27254, a replay attack disclosed in March 2022, where the same unencrypted radio frequency (RF) signal sent for various commands can be captured by an attacker and then replayed to unlock the vehicle or start the engine. .