A cybersecurity researcher using the alias Kevin2600 has revealed how hackers can exploit a vulnerability to unlock Honda vehicles.

According to Kevin2600, associated with cybersecurity firm Star-V Lab, the vulnerability allows attackers to steal the code and unlock or even start Honda vehicles using basic hardware.

He dubbed the bug Rolling-PWN and published videos demonstrating the attack and a detailed technical report on the newly discovered vulnerability. The National Vulnerability Database called it a “Counter resynchronization attack” and assigned it CVE-2021-46145.

Details of the Vulnerability

Regarding it as a “serious vulnerability,” Kevin 2600 revealed identifying the bug in a “vulnerable version of the rolling codes mechanism,” which is used in most Honda cars. The researcher wrote that the vulnerability lets the attacker open the car door permanently and start the engine from a considerable distance.

Theoretically, it means every time the car’s owner uses the keyfob, it will dispatch a new code to open the car. The mechanism is devised to make it impossible to steal and reuse the code. However, the vulnerability lets the attacker roll back the codes and reuse an old code to open the car.  

Attack Overview

Kevin2600 explained in a technical report that the attack works when the attacker uses a software-defined radio, for example, HackRF, to capture the code the car’s owner uses for unlocking the vehicle.

The attacker would then replay it to reset the internal pseudo-random number generator or PRNG counter and unlock the car from as far as 98 feet or 30 meters distance. For this attack, hackers only need valid old keys, which they can retrieve by attaching a logging device to the vehicle to receive valid codes and replay them.

In his videos, the researcher demonstrated the efficacy of this attack by successfully unlocking various models of Honda vehicles using a device connected to a laptop. Of all the models Kevin2600 and his colleagues tested at a Honda dealership, ten used the rolling code mechanism and were found vulnerable to the attack.

Hence, researchers concluded that all Honda vehicle models manufactured between 2012 and 2022 are vulnerable. The list of impacted models provided by Kevin2600 includes the following:

  • Honda Fit 2022
  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda VE-1 2022
  • Honda Civic 2022
  • Honda C-RV 2020
  • Honda Inspire 2021
  • Honda Accord 2020
  • Honda Breeze 2022
  • Honda Odyssey 2020

Honda’s Response

A Honda spokesperson stated that the vulnerability discovered by Kevin2600 is not new, and the company already knows about it. They want to treat it as “old news” and “move on to something current rather than creating a new round of people thinking this is a ‘new’ thing.”

However, the researcher claims the Honda spokesperson referred to a study conducted earlier this year that focused only on fixed codes and not on rolling codes. Kevin2600 explained that this is a concerning issue because the attack is hard to detect as there’s no way to identify if someone has exploited the flaw to start or unlock the car.

A recall, according to Kevin2600, is imminent to fix the issue, so owners may take their cars to the local dealership to update Keyfob firmware with a patch.

More Vehicle Manufacturer Security News