Vulnerability in Honda key fob allows hackers to remotely unlock and start cars

- Advertisement -

- Advertisement -

Hackers demonstrate a repeat attack using a vulnerable Honda key fob. Honda said it could not determine if the attack was “credible”. Image credits: Star-V Lab

- Advertisement -

Security researchers have discovered a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and potentially start “all Honda vehicles currently on the market.”

Rolling Pwnattack uncovered by Star-V Lab security researchers Kevin2600 and Wesley Lee exploits a vulnerability in how Honda’s keyless entry system communicates authentication codes between the car and the fob. It works similar to the newly discovered Bluetooth replay attack affects some Tesla vehicles; Using readily available radio equipment, the researchers were able to eavesdrop on and intercept the codes and then feed them back into the machine to gain access.

- Advertisement -

This allowed the researchers to remotely unlock and start the engines of vehicles affected by the vulnerability, including models released as early as 2012 and 2022. Drive unitwhich independently tested and validated the vulnerability on the 2021 Honda Accord, a key fob flaw prevents an attacker from leaving with the car.

As researchers note, these kinds of attacks must be prevented by the vehicle’s rolling codes mechanism, a system introduced to prevent replay attacks by providing a new code for each remote keyless entry authentication. Vehicles have a counter that checks the history of generated codes, incrementing the counter when a new code is received.

Kevin2600 and Wesley Lee found that the meter in Honda vehicles is resynchronized when the vehicle receives lock and unlock commands in sequential order, causing the vehicle to accept codes from previous sessions that should have been cancelled.

By sending commands in serial sequence to Honda vehicles, it will resynchronize the counter,” the researchers write. “After resynchronizing the counter, the commands from the previous counter cycle worked again. Therefore, these commands can be used later to unlock the car at will.”

The researchers say they have tested their attack on several Honda models, including the 2012 Honda Civic, 2020 Honda Accord and 2022 Honda Fit, but warn that the security vulnerability could affect “all Honda vehicles currently on the market” and could also affect other models. car manufacturers.

Security researchers say they tried to contact Honda about the vulnerability, only to find that the company “does not have a department dedicated to dealing with issues related to the security of their products.” So they have reported the issue to Honda customer support but have not received a response yet.

TechCrunch also received no response from Honda, but in a statement to Drive unitthe company insisted that the technology in its key fobs “will not allow the vulnerability presented in the report.”

“We have reviewed past similar allegations and concluded that they are without merit,” a spokesman for Honda said. “While we do not yet have enough information to determine whether this report is credible, the key fobs in the mentioned vehicles are equipped with rolling code technology that does not allow for the vulnerability presented in the report. In addition, the videos offered as proof of the absence of a rolling code do not provide sufficient evidence to support the claims.”

As security researchers note, if Honda acknowledged the mistake, it would be difficult to fix it due to the fact that older cars do not support over-the-air (OTA) updates. Unfortunately, the researchers also warned that there is no way to protect against hacking and determine if it happened to you.

Credit: /

- Advertisement -

Stay on top - Get the daily news in your inbox

DMCA / Correction Notice

Recent Articles

Related Stories

Stay on top - Get the daily news in your inbox