Honda redesigning latest vehicles to address key fob vulnerabilities
Honda said it is addressing a spate of recently-discovered vulnerabilities in its newly designed models after researchers found bugs affecting the key fob systems in its vehicles dating back to 2012.
Earlier this year, Honda was forced to address CVE-2022-27254 – a replay vulnerability affecting the Remote Keyless System in Honda Civics made between 2016 and 2020. That bug allowed researchers to eavesdrop on the unencrypted radio frequency signal and recreate it, giving them the ability to open and start vehicles.
In an effort to deal with this issue, Honda and other car manufacturers developed a rolling code system in keyless entry systems that mitigates this vulnerability by using a Pseudorandom Number Generator (PRNG) to create several different codes between the key fob and the car.
But this week, security researchers from Star-V Lab released a report showing how the rolling code system could be exploited.
The researchers found a way to effectively capture the different codes generated by the PRNG and use them to eventually open the vehicle.
They tested the 10 most popular models of Honda released since 2012 and found all were susceptible to the attack, leading them to claim all Honda models are vulnerable.
The models they tested include Honda Civic 2012, Honda X-RV 2018, Honda C-RV 2020, Honda Accord 2020, Honda Odyssey 2020, Honda Inspire 2021, Honda Fit 2022, Honda Civic 2022, Honda VE-1 2022 and the Honda Breeze 2022.
Other researchers have tried the attack and confirmed it works.
Rolling Pwn Attack— Jinwook Kim (@wugeej) July 13, 2022
unlock and remotely start virtually all models of Honda cars
· Honda X-RV
· Honda C-RV
· Honda Accord
· Honda Odyssey
· Honda Inspire 2021
· Honda Fit 2022
· Honda Civic 2022
· Honda VE-1 2022
· Honda Breeze 2022https://t.co/g0YW6EFNSt pic.twitter.com/FrrVUHI3kr
A Honda spokesperson told The Record that they also have confirmed the report but claimed that hackers would need “sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of ours.”
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the spokesperson said.
“Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”
The spokesperson added that all “completely redesigned” 2022 and 2023 model year vehicles have an “improved system” that addresses the issue.
“Currently this includes 2022 Civic, 2022 MDX and 2023 HR-V. Our newer system transmits codes that immediately expire, which would prevent this type of attack from being successful,” the Honda spokesperson explained.
The vulnerability was initially discovered last year and tagged as CVE-2021-46145, but that was only connected specifically to Honda Civic 2012.
The bug is informally known as “Rolling-PWN” but the Star-V Lab researchers noted it is called that – as opposed to Honda-PWN – because “this bug may exist in other brands of vehicles too.”
“Although the main targets for the research is Honda Automobiles, we have leads to show the impact of this vulnerability also applies to other car manufacturers. We will release more details in the future,” the researchers said.
They said solutions to the vulnerability include bringing vehicles back to local dealerships and more.
“But the recommended mitigation strategy is to upgrade the vulnerable BCM firmware through Over-the-Air (OTA) Updates if feasible. However, some old vehicles may not support OTA,” the researchers explained.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.