WTF?! Researchers recently discovered a vulnerability that could allow hackers to remotely unlock and start several Honda car models. The list of affected models includes the ten most popular Honda models. To make matters worse, the current results lead the researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 to 2022.


The security vulnerability, named RollingPWN by the researchers, exploits a component of the Honda keyless entry system. The entry system is based on a rolling-code scheme that generates a new code each time owners press the key fob button. Once a new code has been used, the previous ones should become unusable to prevent replay attacks. Instead, researchers Kevin26000 and Wesley Lee found that old codes could be resubmitted and accepted, granting unwanted access to a car.
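The rolling-code check described above, as an added, constructed model (not Honda's protocol and not the researchers' code): a receiver accepts a code only if its counter lies strictly ahead of the last accepted one and within a small look-ahead window, so a recorded earlier code is rejected. The sample key, the window size and the keyed-MAC code construction are assumptions made for the example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# How far ahead the fob may get (presses made out of range) before the receiver stops
# accepting; assumed value for this model.
WINDOW = 16


def make_code(key: bytes, counter: int) -> bytes:
    """Toy rolling code: a keyed MAC over the press counter (constructed model)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


@dataclass
class Fob:
    key: bytes
    counter: int = 0

    def press(self) -> bytes:
        self.counter += 1
        return make_code(self.key, self.counter)


@dataclass
class Receiver:
    key: bytes
    last_counter: int = 0

    def accept(self, code: bytes) -> bool:
        """Valid only for counters strictly greater than the last accepted one, within WINDOW.
        Accepting a code advances the counter, which is what makes every earlier code dead."""
        for c in range(self.last_counter + 1, self.last_counter + WINDOW + 1):
            if hmac.compare_digest(make_code(self.key, c), code):
                self.last_counter = c
                return True
        return False


def demo() -> dict:
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed sample key
    fob, car = Fob(key), Receiver(key)
    captured = fob.press()                                   # a legitimate unlock, recorded by a third party
    results = {"first_press": car.accept(captured)}          # True: fresh code
    results["replay_of_old_code"] = car.accept(captured)     # False: counter 1 is behind last_counter
    results["legit_next_press"] = car.accept(fob.press())    # True: counter 2
    for _ in range(WINDOW):                                  # 16 presses out of range; fob runs ahead
        ahead = fob.press()
    results["within_window_press"] = car.accept(ahead)       # True: exactly WINDOW ahead, still tolerated
    for _ in range(WINDOW + 1):                              # 17 more presses out of range
        beyond = fob.press()
    results["beyond_window_press"] = car.accept(beyond)      # False: desynchronised, needs a resync procedure
    return results
```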


The researchers tested the vulnerability on several Honda models produced from 2012 to 2022. The list of affected test vehicles includes:

  • Honda Civic 2012
  • Honda XR-V 2018
  • Honda CR-V 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

Based on the list and successful tests of the exploit, Kevin26000 and Lee strongly believe that the vulnerability could affect all Honda vehicles, not just the top ten listed above.


Providing a patch for a vulnerability can be as complex as the exploit itself. Honda may be able to fix the bug with an over-the-air (OTA) firmware update, but many affected vehicles do not support OTA. The large pool of potentially affected vehicles makes a recall scenario unlikely.

Research is ongoing to determine how widespread this vulnerability is. Based on the nature of the attack, Kevin26000 and Lee strongly suspect other automakers may be affected by the problem.

The finding is another in a series of access vulnerabilities found in Honda’s lineup of vehicles this year. In March, researchers uncovered a man-in-the-middle exploit (CVE-2022-27254) in which RF signals can be intercepted and processed for later use. Kevin26000 also reported a similar replay attack (CVE-2021-46145) back in January 2022.