UPDATE: Honda has released the following statement.
“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours,” the company told TechRadar Pro. “However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”
The company also noted that in order to be driven, even a vehicle started remotely requires a valid key fob with a separate immobilizer chip to be present in the vehicle.
Original story: Millions of Honda cars could be at risk of being accessed by outside users following the reveal of a new remote hacking flaw.
Security researchers from Star-V Lab have uncovered a technique that allows anyone to unlock a vehicle, open doors and even start the engine using a handheld radio due to a vulnerability in the car’s keyfob.
A number of leading Honda models released between 2012 and 2022 are apparently affected by the flaw, including the Accord, Civic, C-RV and X-RV.
The researchers have teamed up with journalist Rob Stumpf from The Drive (opens in new tab) to show off the vulnerability, which they’ve dubbed Rolling-PWN.
The issue is contained within the rolling codes mechanism, including within the keyless entry system (aka the keyfob) in order to prevent replay “man-in-the-middle” attacks.
The team found that every time the keyfob button is pressed, it increases the chance of certain codes being accepted to give access to the vehicle. The team notes that the receiver within the vehicle accepts a “sliding window of codes” primarily in order to avoid accidental key presses.
Each time the button is pressed, the rolling codes synchronizing counter is increased, and so by sending certain commands in a consecutive sequence, the counter will resychronize, opening it up to previous commands that can be used to access the vehicle.
“The Rolling-PWN bug is a serious vulnerability,” the team wrote in a blog post (opens in new tab) outlining its findings. “We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles.”
The researchers note that anyone with a specific vehicle make could be at risk, and users may not even be able to detect if the flaw has been used against them.
They also warn that the threat could affect vehicles from other brands, and that Honda doesn’t currently seem to have a fix, or even noticed the issue. The researchers note that they have tried to file a report, but could not find a proper way to do so, so instead contacted Honda Customer Service.
A spokesperson for Honda told Vice (opens in new tab) that the report wasn’t credible and that the allegations are unfounded.
“The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report,” the company said.
“In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims,” the company added.