Security researchers Kevin2600 and Wesley Li of Star-V Lab claim the attack takes advantage of a flaw in how Honda’s keyless entry system relays authentication codes between the key fob and the car.
“The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles,” they wrote.
The attack relies on a flaw that enables anyone using a software-defined radio, such as HackRF, to capture the code a vehicle owner uses to unlock the car, then replay it so they can do the same.
Vehicles feature a counter that tracks the order in which codes are generated, increasing the count each time a new code is received. The researchers discovered that when Honda vehicles receive lock and unlock commands in consecutive sequence, the counter is resynchronised. As a result, the car accepts codes from earlier sessions that should have been invalidated.
“Once the counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”
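The counter behaviour described above can be modelled with a toy receiver. This is an added example, not code from the researchers or from Honda: the HMAC framing, the window size, the two-frame resync rule and all names are assumptions chosen only to contrast a receiver whose counter can move backwards with one whose counter is strictly monotonic.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16                    # assumed look-ahead window for missed presses

def frame(counter, command):
    """Fob side: command and counter bound by a MAC (stand-in for the fob cipher)."""
    msg = f"{command}:{counter}".encode()
    return command, counter, hmac.new(KEY, msg, hashlib.sha256).digest()

class Receiver:
    def __init__(self, backward_resync):
        self.counter = 0                  # highest counter accepted so far
        self.backward_resync = backward_resync
        self.prev_rejected = None         # counter of the last out-of-window frame

    def receive(self, fr):
        command, counter, tag = fr
        if not hmac.compare_digest(tag, frame(counter, command)[2]):
            return False                  # not from the paired fob
        if self.counter < counter <= self.counter + WINDOW:
            self.counter, self.prev_rejected = counter, None
            return True                   # fresh code inside the window
        if self.backward_resync:
            # Assumed flawed rule: two authentic frames with consecutive
            # counters resynchronise the receiver, even to an older value.
            if self.prev_rejected is not None and counter == self.prev_rejected + 1:
                self.counter, self.prev_rejected = counter, None
                return True
            self.prev_rejected = counter
        return False                      # hardened: the counter never moves back

def replay_outcome(backward_resync):
    """Owner uses the fob 8 times; the first 4 frames are then presented again."""
    rx = Receiver(backward_resync)
    commands = ["lock", "unlock"] * 4
    session = [frame(i + 1, cmd) for i, cmd in enumerate(commands)]
    assert all(rx.receive(fr) for fr in session)   # normal use, counter ends at 8
    return [rx.receive(fr) for fr in session[:4]]  # stale frames, counters 1..4

if __name__ == "__main__":
    print("resync allowed:", replay_outcome(True))
    print("monotonic only:", replay_outcome(False))
```

With backward resync allowed, the stale frames are accepted again once the counter has been pulled back; the monotonic receiver rejects every one of them because each counter is at or below the highest value it has already accepted.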
Ladies and gentlemen, it is my honor to present you the Rolling-Pwn attack research on the Honda Keyfob system. (https://t.co/UqJEJofxtr)
— Kevin2600 (@Kevin2600) July 7, 2022
The researchers tested their attack on several Honda models, including:
- 2012 Honda Civic
- 2018 Honda XR-V
- 2020 Honda Accord
- 2020 Honda Odyssey
- 2020 Honda CR-V
- 2021 Honda Inspire
- 2022 Honda Civic
- 2022 Honda Fit
- 2022 Honda Breeze
- 2022 Honda VE-1
They warn that the security weakness may impact not only available Honda vehicles but also those made by other manufacturers.
The vulnerability is indexed as CVE-2021-46145 and is described as an issue ‘related to a non-expiring rolling code and counter resynchronisation’ in the Honda keyfob subsystem.
Rob Stumpf, an automotive journalist who tested the vulnerability on his own, revealed that he was able to replicate Rolling-PWN on his 2021 Honda Accord by capturing codes at different times.
However, he said, the flaw does not enable an attacker to drive off with the car because the keyfob has to be close by.
In a statement to Motherboard, a Honda spokesperson described the vulnerability report as “old news.”
“Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing,” the spokesperson snippily said.
“We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report.”
However, that was somewhat undermined when Honda spokesperson Chris Naughton told TechCrunch that the firm could verify it is feasible to use high-end gear and technical know-how to imitate Remote Keyless commands and gain access to certain cars.
“While it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away.”
“Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches,” Naughton added.