Honda downplays vulnerability allowing hackers to lock, unlock and start Civics
Image: Emrecan Arik
Jonathan Greig March 25, 2022

Honda downplays vulnerability allowing hackers to lock, unlock and start Civics

Honda downplays vulnerability allowing hackers to lock, unlock and start Civics

Honda said it has no plans to update its older vehicles after researchers released a proof-of-concept for CVE-2022-27254 – a replay vulnerability affecting the Remote Keyless System in Honda Civics made between 2016 and 2020. 

Researchers released a detailed breakdown of the issue on GitHub, sharing multiple videos showing that the remote keyless system on various Honda vehicles sends the same, unencrypted radio frequency signal for each door-open, door-close, boot-open and remote start command. Cybersecurity researcher Ayyappan Rajesh discovered the vulnerability and worked with developer Blake Berry, his mentor and Cybereason chief security officer Sam Curry as well as his professors Ruolin Zhou and Hong Liu from the University of Massachusetts Dartmouth.

“This allows for an attacker to eavesdrop on the request and conduct a replay attack,” the researchers explained. 

The researchers said Honda Civic models LX, EX, EX-L, Touring, Si and Type R are affected by the issue. They used several widely-available tools including a HackRF One SDR, a laptop, an account on FCCID.io, access to Gqrx software-defined radio receiver software and a ​​GNURadio development toolkit.

All a hacker would need to do is be nearby when a car owner uses their key fob and record the signal it transmits. Once recorded, it could be used to open the car or start it. 

Researchers have long warned of these kinds of attacks and other similar vulnerabilities have been highlighted in the past. The NIST page for CVE-2022-27254 ties the issue to CVE-2019-20626, a similar vulnerability affecting Honda HR-V 2017 vehicles. 

The researchers said manufacturers must implement rolling codes, otherwise known as hopping codes. 

“It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system,” the researchers said, urging consumers to use a signal-blocking Faraday pouch for their key fobs. 

“Use the PKE as opposed to the RKE, this would make it significantly harder for an attacker to clone/read the signal due to the proximity they would need to be at to do so.”

They noted that the precautions are not foolproof and that if anyone has already been a victim of the attack, the only mitigation is to have your key fob reset at the dealership. There is no evidence that the vulnerability has been exploited in the wild, the researchers said, but The Record cannot independently confirm that.

‘Not a new discovery’

When contacted about this issue by The Record, Honda spokesperson Chris Martin claimed it “is not a new discovery” and “doesn’t merit any further reporting.” 

Martin confirmed that “legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.”

“Honda has not verified the information reported by researchers and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this time,” Martin said. 

“It’s important to note, while Honda regularly improves security features as new models are introduced, determined and technologically sophisticated thieves are also working to overcome those features. Further, access to a vehicle without other means to drive the vehicle, while hi-tech in nature, does not provide thieves an advantage much greater than more traditional and certainly easier ways to gain entry to a vehicle. And there is no indication that the type of device in question is widely used.” 

Martin told The Record that if started remotely, Acura and Honda vehicles cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle. He added that there is “no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”

Vulcan Cyber’s senior technical engineer Mike Parkin said rolling codes were evolved, in part, to deal with the barrage of door openers being susceptible to simple drive-by attacks.

“The surprise is that any major manufacturer would implement an insecure remote opening system. There are several theoretical attacks against current remote controls, some of which have been shown in proof-of-concept form,” Parkin said. 

“This is on top of existing attacks against older remotes. The challenge is how Honda will deal with this issue, as there is no simple software fix for physical key fobs, and cars, that were never designed for this kind of firmware upgrade – if it is even software correctable.”

Other experts, like Cerberus Sentinel’s Chris Clements, said the attack is even worse than the “rolljam” flaw that security researcher Samy Kamkar famously demonstrated in 2015

This latest vulnerability gives hackers indefinite access to control a specific car’s functionality.

Clements also took issue with Honda’s response to the vulnerability, noting that manufacturers’ abandonment of correcting security issues in otherwise completely functional devices “is going to be a huge problem.”

“It’s similar to yelling your password across a room and hoping no one happens to be listening.  Yes, someone has to be close enough to hear and then know what to do with it, but after that it’s very simple to exploit,” Clements said. 

“As more and more devices add ‘smart’ functions, it’s inevitable that there will be vulnerabilities discovered that put those devices or data at risk. If there’s no patch available or worse not even a mechanism to patch, users will have to choose whether to go at risk of exploitation or trash the vulnerable device, neither of which is an ideal situation.”

Correction: An earlier version of this story misidentified the author of the proof-of-concept. It was released by researcher Ayyappan Rajesh.

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.