Honda Vehicle Vulnerability Allows Remote Unlocking And Starting

As the fifth-largest auto manufacturer in the world, Honda’s vehicles are a common sight on essentially every road. Many of those vehicles could have a major vulnerability that an attacker can use to unlock and start the car. The researchers who discovered the exploit, known as RollingPWN, say it might affect all Honda vehicles from 2012 through the latest 2022 models. However, Honda currently denies a vulnerability exists.

The issue stems from Honda’s keyless entry fob, which uses a “rolling code” system to authenticate the remote. Each time you press a button on the remote, the rolling code clicks ahead to prevent so-called “replay attacks” in which someone captures and retransmits your remote code. Security researchers Kevin2600 and Wesley Li from Star-V Lab discovered that Honda’s rolling code implementation has a flaw that allows these old codes to be reused under certain circumstances.

According to a statement from the researchers, Honda has implemented a sliding window of codes to account for accidental key presses. As a result, it’s possible to send codes in sequence to the vehicle until the counter resynchronizes. Once that happens, codes from the previous cycle start working again, so replay attacks become possible.
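The receiver-side logic described above can be modelled in a few lines. This is an added example, not Honda's firmware or the researchers' proof of concept: the HMAC-based code, the window sizes and the resync rule are all constructed assumptions, chosen to show why a resync that can move the counter backward re-enables old codes while a forward-only resync does not.

```python
import hashlib
import hmac

WINDOW = 16      # look-ahead for presses made out of range (constructed value)
RESYNC_RUN = 3   # consecutive codes that trigger a resync (constructed value)
SEARCH = 1024    # how far the resync search looks (constructed value)

def code(key: bytes, counter: int) -> bytes:
    """Toy rolling code: truncated HMAC of the counter (assumed, not Honda's)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, key: bytes, allow_backward_resync: bool):
        self.key, self.allow_backward = key, allow_backward_resync
        self.counter = 0               # highest counter accepted so far
        self.last, self.run_len = None, 0

    def _find(self, rx: bytes, lo: int, hi: int):
        return next((c for c in range(lo, hi)
                     if hmac.compare_digest(rx, code(self.key, c))), None)

    def receive(self, rx: bytes) -> bool:
        c = self._find(rx, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:              # normal case: code is ahead, in window
            self.counter, self.run_len = c, 0
            return True
        # Resync path. The flawed variant also searches counters already used.
        lo = 0 if self.allow_backward else self.counter + 1
        c = self._find(rx, lo, self.counter + SEARCH)
        if c is None:
            self.run_len = 0
            return False
        self.run_len = self.run_len + 1 if self.run_len and c == self.last + 1 else 1
        self.last = c
        if self.run_len < RESYNC_RUN:
            return False
        self.counter, self.run_len = c, 0   # flawed variant may move backward
        return True

def replay_demo(allow_backward_resync: bool):
    key = b"constructed-demo-key"
    rx = Receiver(key, allow_backward_resync)
    captured = [code(key, n) for n in range(1, 6)]   # presses 1..5, recorded
    for n in range(1, 11):                           # owner uses presses 1..10
        rx.receive(code(key, n))
    return [rx.receive(p) for p in captured], rx.counter

if __name__ == "__main__":
    print("backward resync allowed:", replay_demo(True))
    print("forward-only resync:    ", replay_demo(False))
```

In the forward-only variant the counter never decreases, so every already-used code stays rejected no matter how many are sent in sequence.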

The RollingPWN code and proof of concept were released last week. It’s unclear whether Honda was alerted first, which is a key component of responsible disclosure. Regardless, the exploit is in the wild, and several car enthusiasts and journalists have confirmed it works. Without the key fob in hand, it’s possible to unlock the doors and remotely start the affected cars. Honda, however, has yet to admit the bug exists. In a statement to Vice, Honda claims its rolling code system prevents replay attacks.

Well done, time to Rolling pwn all the cars :P https://t.co/pYxWASf3br

— Kevin2600 (@Kevin2600) July 10, 2022

The researchers tested ten models of cars, including a 2020 CR-V, a 2022 Civic, and a 2012 Civic. All of them were vulnerable to the attack, so it’s possible that all Honda vehicles back to 2012 are affected. This might be a big headache for Honda owners. While some of its newer vehicles can receive OTA updates, most cannot. Not only would Honda have to develop new software for dozens of models, it would also have to coax owners to bring their vehicles to a dealership or Honda service center to upgrade the software.

Kevin2600 and Li believe the same exploit could affect other car manufacturers. The pair promises more details in the future. So, things may get worse before they get better.
