You have to hand it to car thieves: they never stop innovating.
By wirelessly stealing command codes from key fobs in a so-called “Rolling Pwn attack,” hackers were able to unlock and start Honda cars, according to reports from ITSecurityGuru.com and automotive site TheDrive.com.
Every time you press a button on the fob, a pseudo-random number generator (PRNG) produces a semi-random code that the fob sends to the car, instructing it to, say, unlock the doors or open the liftgate. The car then checks this code against a list of valid codes, and if it’s valid, it executes the command. Previous codes are also supposed to be invalidated so that attackers cannot reuse them. (This rolling code mechanism replaced the old fixed-code system, which made car theft even easier.)
Here’s the catch: there is another set of codes designed to be used when the key fob is out of range of the car. And in the case of Honda cars, hackers can intercept and record those codes. They then use them to resynchronize the number generator, which keeps previously captured codes valid and allows them to steal the car later.
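A simplified model of the receiver logic described above, as an added example that is not from the article and is not Honda's implementation: the HMAC-based code generator, the window size and the two-consecutive-code resync rule are assumptions. It shows that a receiver which resynchronizes to an older counter re-accepts already-used codes, while one whose counter only moves forward rejects them and still recovers from out-of-range presses.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed; stands in for the fob's secret
WINDOW = 16                    # assumed look-ahead window for missed presses
SEARCH = 4096                  # how far this toy receiver searches for a counter

def code_for(counter: int) -> bytes:
    """Toy rolling code: truncated HMAC of the counter (not Honda's algorithm)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, allow_backward_resync: bool):
        self.counter = 0        # counter of the last accepted code
        self.pending = None     # counter of the last out-of-window code seen
        self.allow_backward = allow_backward_resync

    def receive(self, code: bytes) -> bool:
        c = next((n for n in range(1, SEARCH)
                  if hmac.compare_digest(code_for(n), code)), None)
        if c is None:
            return False
        if self.counter < c <= self.counter + WINDOW:   # normal press
            self.counter, self.pending = c, None
            return True
        if c <= self.counter and not self.allow_backward:
            self.pending = None                         # used code: never resync to it
            return False
        if self.pending is not None and c == self.pending + 1:
            self.counter, self.pending = c, None        # two consecutive codes: resync
            return True
        self.pending = c
        return False

def replay_demo(allow_backward_resync: bool) -> list:
    rx = Receiver(allow_backward_resync)
    for n in range(1, 11):                        # owner presses the fob ten times
        assert rx.receive(code_for(n))
    recorded = [code_for(n) for n in (5, 6, 7)]   # constructed: already-used codes
    return [rx.receive(code) for code in recorded]

def forward_resync_demo() -> list:
    rx = Receiver(allow_backward_resync=False)    # fob was pressed far out of range
    return [rx.receive(code_for(n)) for n in (110, 111)]

if __name__ == "__main__":
    print("backward resync allowed:", replay_demo(True))
    print("monotonic counter only: ", replay_demo(False))
    print("legit forward resync:   ", forward_resync_demo())
```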
Honda: Trick can’t be used to drive the car away
Honda has acknowledged the issue but disputes what a hacker could do with the codes.
“We can confirm the researchers’ claims that sophisticated tools and technical know-how can be used to mimic Remote Keyless commands and access certain vehicles of ours,” Honda spokesman Chris Naughton said in an email to USA TODAY. “However, while technically possible, we want to reassure our customers that this particular form of attack, which requires the continuous capture of multiple consecutive RF signals at close range, cannot be used to drive off a vehicle.”
What cars are vulnerable?
Naughton said the following US models are at risk for this type of attack:
- 2012 Honda Civic
- 2020 Honda CR-V
- 2020 Honda Accord
- 2020 Honda Odyssey
- 2021 Honda Accord
Naughton confirmed that some Acuras are also vulnerable, but said that “all completely redesigned 2022 and 2023 model year vehicles have an improved keyless remote control system.”
According to him, the newer system “transmits codes that expire immediately, which will prevent this type of attack from being successful.”
Models with the newer, safer keyless entry system include the 2022 Civic, 2023 HR-V, 2022 Acura MDX and 2023 Acura Integra.
Credit: www.usatoday.com