Security researchers and The Drive’s Rob Stumpf recently posted their own videos of unlocking and remotely starting many Honda vehicles using a handheld radio, despite the company’s insistence that the cars have security protections to deter attackers from doing so. According to the researchers, the hack was made possible by a vulnerability in the keyless entry system in several Hondas made between 2012 and 2022. They have dubbed the vulnerability Rolling-PWN.
The basic concept behind Rolling-PWN is similar to attacks we’ve seen before used against VWs and Teslas, as well as other devices: using radio equipment, someone records a valid radio signal from a key fob, then broadcasts it back to the car. This is called a replay attack, and if you’re wondering whether it’s possible to defend against such an attack with some kind of cryptography, you’re right. In theory, many modern cars use a rolling key system, built in such a way that each signal only works once: you press the button to unlock your car, your car is unlocked, and that exact signal should never unlock your car again.
But as Jalopnik points out, Honda hasn’t had that level of security until recently. Researchers have also found vulnerabilities where surprisingly recent Hondas (2016 to 2020 Civics, in particular) used an unencrypted signal that doesn’t change. And even those that have rolling code systems (including those in the 2020 CR-V, Accord and Odyssey, Honda tells Vice) could be vulnerable to the recently uncovered attack. Rolling-PWN’s website has videos of the hack being used to unlock those rolling code vehicles, and Stumpf was able to… well, pretty much pwn a 2021 Accord with the exploit, remotely turning on its engine and then unlocking it.
Honda told The Drive that the security systems in its key fobs and cars mean the “vulnerabilities shown in the report will not be allowed”. In other words, the company says the attack shouldn’t be possible, but clearly, it somehow is. We have asked the company for comment on The Drive’s demonstration, which was published on Monday, but it did not immediately respond.
According to the Rolling-PWN website, the attack works because it is able to re-synchronize the car’s code counter, meaning the car will accept old codes. Basically, because the system was built to have certain tolerances (so you can still use your keyless entry even if you press the button once or twice while away from the car, and the car and remote therefore stay in sync), its security system can be defeated. The site also claims that the attack affects “all Honda vehicles currently on the market”, but acknowledges that it has actually only been tested on a few model years.
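A constructed model of the tolerance window and resynchronization described above, added here as an illustration and not taken from the Rolling-PWN site or from Honda's implementation. The HMAC frame format, the `WINDOW` value and the `allow_backward_resync` switch are assumptions; the model shows that a receiver whose resynchronization can lower its counter accepts a stale frame, while a forward-only receiver rejects it.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared secret for fob and car
WINDOW = 16                     # assumed look-ahead tolerance for missed presses


def fob_frame(counter: int) -> tuple[int, bytes]:
    """Frame the fob would send: the counter plus a MAC over it."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class Receiver:
    def __init__(self, allow_backward_resync: bool):
        self.last = 0                       # highest counter accepted so far
        self.allow_backward_resync = allow_backward_resync

    def accept(self, frame: tuple[int, bytes]) -> bool:
        counter, tag = frame
        if not hmac.compare_digest(tag, fob_frame(counter)[1]):
            return False                    # not produced by the paired fob
        if self.last < counter <= self.last + WINDOW:
            self.last = counter             # normal case: fresh and inside the window
            return True
        if self.allow_backward_resync:
            self.last = counter             # flawed: resync adopts an older counter
            return True
        return False                        # hardened: stale or far-ahead counters rejected


def replay_accepted(receiver: Receiver) -> bool:
    """Owner presses 1..5 (press 2 happens out of range), then frame 2 is replayed."""
    frames = {n: fob_frame(n) for n in range(1, 6)}
    for n in (1, 3, 4, 5):                  # the window absorbs the missed press
        if not receiver.accept(frames[n]):
            raise RuntimeError("legitimate press rejected")
    return receiver.accept(frames[2])       # authentic but stale frame


if __name__ == "__main__":
    print("backward resync allowed:", replay_accepted(Receiver(True)))
    print("forward-only counter:   ", replay_accepted(Receiver(False)))
```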
Even more worrying, the site states that other brands of cars have also been affected, but is unclear on the details. While this makes me shudder about my Ford, it’s actually probably a good thing: if security researchers are following standard responsible disclosure procedures, they should reach out to automakers, who should be given a chance to resolve the issue before the details become public. According to Jalopnik, the researchers did reach out to Honda, but were asked to file a report with customer service (which isn’t really standard security practice).