Security Vulnerabilities in Honda’s Keyless Entry System

Honda vehicles from 2021 to 2022 are vulnerable to this attack:

On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin2600, who works for cybersecurity firm Star-V Lab, dubbed the attack RollingPWN.

[…]

In a phone call, Kevin2600 explained that the attack relies on a weakness that allows someone using a software defined radio—such as HackRF—to capture the code that the car owner uses to open the car, and then replay it so that the hacker can open the car as well. In some cases, he said, the attack can be performed from 30 meters (approximately 98 feet) away.

In the videos, Kevin2600 and his colleagues show how the attack works by unlocking different models of Honda cars with a device connected to a laptop.

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that—in theory—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

Posted on July 12, 2022 at 7:23 AM • 13 Comments

Comments

Chris July 12, 2022 11:01 AM

The article says all vehicles from “2012 to 2022” (a typo in the original blog post said 2021). That’s a lot of cars.

Let’s hope someone can reproduce this (or not) so we aren’t caught between one group’s report and the company’s denial.

cmeier July 12, 2022 11:59 AM

Ugh, Honda. I’m fighting them right now on a warranty issue for my 2017 Fit. They want $1700 to replace the fuel injectors — 10% of the original cost of the car — which began failing just out of the 36k mile warranty. There is a technical service bulletin for the 2015-2016 years which describes symptoms that exactly match my problem. For those years, Honda extended the fuel injector warranty to 10 years, but they refuse to do that for my car. They’ve done the same for several other 2017 models that had the same manufacturing defect, but they won’t budge on my vehicle. I don’t know if any other car company is any better, but Honda is on the “Do Not Buy” list.

Ted July 12, 2022 12:43 PM

Charlie Miller of Jeep hacking fame told Kevin2600 that he could report this bug to the Auto-ISAC. To which Kevin2600 replied:

Thanks. I will take a look. But seems Honda spoken person already denied the bug exists 🙁

https://twitter.com/0xcharlie/status/1546332864916103171

So I am confused how much the researchers believe in this bug. I’m also hoping they will release more technical details of the vuln, unless somehow the opacity is strategic.

Kevin2600 tweeted a link to a Black Hat talk for an issue that he says is “the same and much bigger.” That talk will be in August. Is there something to this?

https://twitter.com/kevin2600/status/1545594190016286720

nobody July 12, 2022 3:40 PM

It’s appalling how few physical security devices implement mutual TLS or even HMAC-based challenge-response.

Electronic authentication really shouldn’t be a weak point in these kinds of systems.

K.S. July 12, 2022 7:46 PM

Modern car security is all-around shitshow, especially when OBD port allows anyone to pair a blank key on most makes and models. Basically, the only reason why your new car isn’t already stolen is because of a shortage of shipping containers to Africa.

SpaceLifeForm July 12, 2022 8:11 PM

@ Ted

That they went to a Honda dealership and unlocked 10 different models should tell you that this problem is real.

David July 12, 2022 11:25 PM

Rolling code security has to be tolerant of accidental button presses in your pocket, so strict single time use of a code is impractical.
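Added example, not part of the post or of any comment, and not Honda's actual scheme: a receiver-side rolling-code check that combines the look-ahead window described in the comment above with the property the quoted article says failed, namely that the counter never moves backward. The frame layout (a 32-bit counter plus truncated HMAC-SHA256), the window of 16, and the names `fob_frame` and `Receiver` are assumptions made for illustration; counter wrap-around is not handled.

```python
import hashlib
import hmac
import struct

WINDOW = 16   # assumed look-ahead: unheard fob presses the car will tolerate
TAG_LEN = 8   # assumed truncated-MAC length in bytes

def fob_frame(key: bytes, counter: int) -> bytes:
    """Hypothetical fob frame: 4-byte counter followed by a truncated HMAC."""
    body = struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class Receiver:
    """Car side: stores only the shared key and the last accepted counter."""
    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last = last_counter

    def accept(self, frame: bytes) -> str:
        if len(frame) != 4 + TAG_LEN:
            return "reject: malformed"
        body, tag = frame[:4], frame[4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        (counter,) = struct.unpack(">I", body)
        # The counter only ever moves forward; an equal or older value is
        # a replay, however valid its tag is.
        if counter <= self.last:
            return "reject: replayed or rolled-back counter"
        if counter - self.last > WINDOW:
            return "reject: outside look-ahead window"
        self.last = counter
        return "accept"

def demo() -> list:
    key = b"constructed-demo-key"            # constructed sample key
    car = Receiver(key, last_counter=100)
    recorded = fob_frame(key, 101)           # owner's press, also recorded off the air
    return [
        car.accept(recorded),                        # first use
        car.accept(recorded),                        # same frame again
        car.accept(fob_frame(key, 104)),             # 102 and 103 pressed in a pocket
        car.accept(fob_frame(key, 102)),             # older frame after the car moved on
        car.accept(fob_frame(key, 104 + WINDOW + 1)),  # too far ahead
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

The window makes the scheme tolerant of skipped presses without ever re-accepting a code at or below the stored counter, so tolerance and replay resistance are not in conflict.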

MarkH July 12, 2022 11:57 PM

For what it’s worth, an online rag called “TheDrive” published an article 2 days ago in which the author described his success in unlocking his own Honda’s doors and starting its engine, using the exploit with an SDR.

He wrote that you can’t drive his machine via the exploit alone, because it apparently tests for the presence of the fob (with RFID tech, I suppose).

Ismar July 14, 2022 11:41 PM

A solution:
Honda pays Kevin to fix the bug- assuming he is not just good at finding them 😀
