Security researchers and The rideRob Stumpf’s recently hebben posted videos of herself unlocking and remotely starting several Honda vehicles using portable radios, despite the company’s insistence that the cars have security guards intended to deter attackers from doing just that. According to the researchers, this hack was made possible by a vulnerability in the keyless entry system in many Hondas made between 2012 and 2022. They have named the vulnerability Rolling-PWN.
The basic concept for Rolling-PWN is similar to attacks we’ve seen before against VWs and Teslas, as well as against other devices; using radio equipment, someone picks up a legitimate radio signal from a key fob and then transmits it back to the car. It’s called a replay attack, and if you think it should be possible to defend against this kind of attack with some sort of cryptography, you’re right. In theory, many modern cars use a so-called ‘rolling key’ system, which basically means that each signal only works once; you press the button to unlock your car, your car will be unlocked and that exact signal should never unlock your car again.
But if jalopnik points out that not every recent Honda has that level of protection. Researchers also found vulnerabilities where surprisingly recent Hondas (particularly 2016 to 2020 Civics) instead used an unencrypted signal that doesn’t change. And even those that do have a rolling code system — including the 2020 CR-V, Accord and Odyssey, Honda tells Vice — could be vulnerable to the recently discovered attack. Rolling-PWN’s website has videos of the hack used to unlock those vehicles with rolling code, and Stumpf was able to…well, pretty much pwn a 2021 Accord with the exploit, by running the engine remotely. turn it on and then unlock it.
Honda told The ride that the security systems it puts in its keychains and cars “would not allow the vulnerability as depicted in the report” to run. In other words, the company says the attack shouldn’t be possible — but it’s clear it somehow is. We asked the company for comment on The ride‘s demonstration, which was published Monday, but which did not immediately respond.
According to the Rolling-PWN website, the attack works because it’s able to resync the car’s code counter, meaning it accepts old codes — basically because the system is built to have some tolerances (so you can use your keyless entry even if the button is pressed once or twice while you are away from the car, so the car and the remote control remain in sync), the security system can be disabled. The site also claims it affects “all Honda vehicles currently on the market,” but admits it has only been tested in a handful of model years.
Even more worryingly, the site suggests other makes of cars are also affected, but is vague on the details. While it makes me nervous about my Ford, it’s probably a good thing – if the security researchers follow standard responsible disclosure procedures, they should contact automakers and give them a chance to address the issue before details are made public. . According to jalopnikthe investigators would have contacted Honda but were told to file a report with customer service (which are not exactly standard security practices).