Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away, capture its codes, and reuse them later to unlock or start the vehicle without the owner's knowledge.
Although Honda disputes the report, saying the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.
Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob wirelessly sends the vehicle a message containing a unique code. The vehicle then checks that code against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.
The database contains several allowed codes, because a button may be pressed while the key fob is out of range of the vehicle, so the fob may transmit a later code than the one the vehicle expects next in sequence. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.
This attack works by eavesdropping on a paired key fob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
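The window check described above, and why a receiver that lets its counter move backwards loses replay protection, as an added Python model that is not code from the researchers, Honda, or this article. HMAC stands in for the fob's PRNG, and the key, the window size, and the flawed receiver's rule that two consecutive stale codes trigger a re-sync are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16                    # look-ahead window size (assumed)

def code(counter: int) -> bytes:
    """Rolling code for one counter value; HMAC stands in for the PRNG."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, strict: bool):
        self.counter = 0      # counter of the last accepted code
        self.strict = strict  # True: the counter may only move forward
        self.stale = None     # counter of the previous stale code seen

    def _find(self, rx: bytes, lo: int, hi: int):
        for c in range(lo, hi):
            if hmac.compare_digest(code(c), rx):
                return c
        return None

    def receive(self, rx: bytes) -> bool:
        c = self._find(rx, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:  # inside the window: accept and expire older codes
            self.counter, self.stale = c, None
            return True
        if self.strict:
            return False   # anything at or behind the counter stays dead
        # Assumed flaw: two consecutive stale codes "re-sync" the counter backwards.
        old = self._find(rx, 1, self.counter + 1)
        if old is not None and self.stale is not None and old == self.stale + 1:
            self.counter, self.stale = old, None
            return True
        self.stale = old
        return False

def replay_demo(strict: bool):
    rx = Receiver(strict)
    captured = [code(c) for c in (1, 2, 3)]       # constructed: presses overheard once
    live = [rx.receive(m) for m in captured]      # accepted when first sent
    for c in range(4, 10):                        # owner keeps using the fob
        rx.receive(code(c))
    replayed = [rx.receive(m) for m in captured]  # same codes presented again later
    return live, replayed

if __name__ == "__main__":
    print("flawed:", replay_demo(strict=False))
    print("strict:", replay_demo(strict=True))
```

The strict receiver never moves its counter backwards, so every previously used code stays rejected no matter what sequence is presented.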
A similar vulnerability was discovered late last year and added to the Common Vulnerabilities and Exposures database (CVE-2021-46145), and again this year for other Honda-branded vehicles (CVE-2022-27254). However, Honda has yet to address the issue publicly, or with any of the security researchers who have reported it. In fact, when the security researchers responsible for the latest vulnerability reached out to Honda to disclose the bug, they said they were instead told to call customer service rather than submit a bug report through an official channel.
Furthermore, when questioned by The Drive, a Honda spokesperson said that the automaker wasn't able to determine if the report was credible.
"[W]e’ve looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio.
Although an attacker can unlock and start the car, the vulnerability doesn't allow them to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign.
At this time, the following vehicles may be affected by the vulnerability:
- 2012 Honda Civic
- 2018 Honda XR-V
- 2020 Honda CR-V
- 2020 Honda Accord
- 2021 Honda Accord
- 2020 Honda Odyssey
- 2021 Honda Inspire
- 2022 Honda Fit
- 2022 Honda Civic
- 2022 Honda VE-1
- 2022 Honda Breeze
It's not yet clear if this affects any Acura-branded vehicles.
This is a significant vulnerability that affects an unknown number of Honda-branded vehicles across the globe. Essentially, any affected Honda vehicle can be unlocked today using the vulnerability, and the owners have no protection against the attack. What's more, it's unclear whether this can be addressed with an over-the-air update, whether a dealer visit will be required, or whether Honda will address it at all. After all, it could reach back to older vehicles, such as the 2012 Honda Civic tested by the researchers.