American Honda Motor Co., http://www.honda.com has confirmed that researchers were able to hack certain Honda vehicles' remote keyless entry system to unlock the doors and start the engine. Recently, security researchers Kevin2600 and Wesley Li from Star-V Lab published information on a security bug they identified in the rolling codes mechanism of the remote keyless system of Honda vehicles, which allowed them to open car doors without the key fob present. When sending a signal to unlock the car doors, the remote key fob also transmits a code that the car verifies against a database and performs the required action only if the check passes.
The older model vehicles used static codes for this process. Still, these were found inherently vulnerable: an attacker within proximity of the car could capture them and replay them later to unlock the vehicle. The rolling codes mechanism in newer vehicles is meant to prevent such attacks by using a Pseudorandom Number Generator (PRNG) on the key fob to send a unique code along with the signal to unlock the doors.
The mechanism also features a rolling code synchronizing counter that is increased with each button press on the key fob. The receiver in the vehicle also accepts a sliding window of codes, which ensures that the commands are accepted even if the button is pressed by mistake when the vehicle is not in range.
Kevin2600 and Wesley Li discovered that it was possible to send “commands in a consecutive sequence to the Honda vehicles,” thus triggering counter-resynchronization.
“Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” the researchers say.
Tracked as CVE-2021-46145 and named Rolling-PWN attack, the vulnerability is believed to impact all Honda vehicles on the market but was tested only on the ten most popular models of the last decade: Civic 2012, X-RV 2018, C-RV 2020, Accord 2020, Odyssey 2020, Inspire 2021, Fit 2022, Civic 2022, VE-1 2022, and Breeze 2022.
The researchers, who published video demonstrations of the attack, believe that vehicles from other manufacturers might also be impacted.
A spokesman from Honda confirmed that the new attack is possible: “We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.”
The carmaker also underlined that, even if an attacker could unlock the car doors, they would not be able to drive it away, as this would require the key fob to be present in the car.
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away,” the company said.
Honda has not shared details on whether it plans to deliver software updates to address this vulnerability in its latest models but was clear that older vehicles will remain unpatched.
“Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. Honda has no plan to update older vehicles at this time,” the carmaker said.
The Rolling-PWN attack differs from CVE-2022-27254, a replay attack disclosed in March 2022, where the same unencrypted radio frequency (RF) signal sent for various commands can be captured by an attacker and then replayed to unlock the vehicle or start the engine.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. For questions, comments, or assistance, please contact the office directly at 1-844-492-7225 or feedback@wapacklabs. com
Weekly Cyber Intelligence Briefings:
- Reporting: https://www. redskyalliance. org/
- Website: https://www. wapacklabs. com/
- LinkedIn: https://www. linkedin. com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings