Honda Vehicle Vulnerability Allows Remote Unlocking And Starting

As the fifth-largest auto manufacturer in the world, Honda’s vehicles are a common sight on essentially every road. Many of those vehicles could have a major vulnerability that an attacker can use to unlock and start the car. The researchers who discovered the exploit, known as RollingPWN, say it might affect all Honda vehicles from 2012 through the latest 2022 models. However, Honda currently denies a vulnerability exists.

The issue stems from Honda’s keyless entry fob, which uses a “rolling code” system to authenticate the remote. Each time you press a button on the remote, the rolling code clicks ahead to prevent so-called “replay attacks” in which someone captures and retransmits your remote code. Security researchers Kevin2600 and Wesley Li from Star-V Lab discovered that Honda’s rolling code implementation has a flaw that allows these old codes to be reused under certain circumstances.

According to a statement from the researchers, Honda has implemented a sliding window of accepted codes so that accidental key presses are tolerated. Because of that window, it’s possible to send codes in sequence to the vehicle until the counter resynchronizes. Once that happens, codes from the previous cycle start working again, so replay attacks become possible.
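The behavior described above can be modeled as a receiver regression check. This is an added example, not Honda's firmware or the researchers' proof of concept: the HMAC-based code, `KEY`, `WINDOW`, `RESYNC_RUN` and the backward resync rule are assumptions chosen only to show why a receiver's counter must never move backwards.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed value, not a real fob secret
WINDOW = 16                    # assumed look-ahead window size
RESYNC_RUN = 3                 # assumed: consecutive codes that trigger a resync

def code(counter: int) -> bytes:
    """Rolling code for a counter value (HMAC stands in for the real cipher)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, allow_backward_resync: bool):
        self.counter = 0       # last accepted counter value
        self.allow_backward_resync = allow_backward_resync
        self.run = []          # consecutive already-used counters seen so far

    def _find(self, frame: bytes, lo: int, hi: int):
        for c in range(lo, hi):
            if hmac.compare_digest(frame, code(c)):
                return c
        return None

    def receive(self, frame: bytes) -> bool:
        # Normal path: accept only counters ahead of the last accepted one.
        c = self._find(frame, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:
            self.counter, self.run = c, []
            return True
        if not self.allow_backward_resync:
            return False       # hardened: used codes are rejected, state unchanged
        # Flawed path (assumed): a run of consecutive used codes rewinds the counter.
        c = self._find(frame, 0, self.counter + 1)
        if c is None:
            self.run = []
            return False
        extends = self.run and c == self.run[-1] + 1
        self.run = self.run + [c] if extends else [c]
        if len(self.run) >= RESYNC_RUN:
            self.counter, self.run = c, []
        return False

def replay_results(allow_backward_resync: bool) -> list:
    # Ten legitimate presses, then the first five frames are presented again.
    rx = Receiver(allow_backward_resync)
    for c in range(1, 11):
        rx.receive(code(c))
    return [rx.receive(code(c)) for c in range(1, 6)]

if __name__ == "__main__":
    print("backward resync allowed:", replay_results(True))
    print("monotonic counter only: ", replay_results(False))
```

With the monotonic receiver every previously used code is rejected; with the backward resync rule the model starts accepting old codes once the counter has been rewound.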

The RollingPWN code and proof of concept were released last week. It’s unclear if Honda was alerted first, which is a key component of responsible disclosure. Regardless, the exploit is in the wild, and several car enthusiasts and journalists have confirmed it works. Without the key fob in hand, it’s possible to unlock the doors and remotely start the affected cars. Even so, Honda has yet to admit the bug exists. In a statement to Vice, Honda claims its rolling code system prevents replay attacks.

Well done, time to Rolling pwn all the cars :P https://t.co/pYxWASf3br

— Kevin2600 (@Kevin2600) July 10, 2022

The researchers tested ten models of cars, including a 2020 CR-V, a 2022 Civic, and a 2012 Civic. All of them were vulnerable to the attack, and therefore, it’s possible all Honda vehicles back to 2012 are the same. This might be a big headache for Honda owners. While some of its newer vehicles can receive OTA updates, most cannot. Not only would Honda have to develop new software for dozens of models, it would have to coax owners to bring their vehicles to a dealership or Honda service center to upgrade the software.

Kevin2600 and Li believe the same exploit could affect other car manufacturers. The pair promises more details in the future. So, things may get worse before they get better.
