Tuesday, 12 July 2022

Honda Vehicle Vulnerability Allows Remote Unlocking And Starting

Last year’s ET best car is back: the Honda Accord. This midsize sedan is an exceptional people-mover, with Honda Sensing (ACC, LDW; see below) on all trim lines, and BSD on all but the entry LX. A hybrid Accord became available in spring 2018 with 47 mpg city and highway ratings, $1,600 more than a gas-engine Accord.

As the fifth-largest auto manufacturer in the world, Honda’s vehicles are a common sight on essentially every road. Many of those vehicles could have a major vulnerability that an attacker can use to unlock and start the car. The researchers who discovered the exploit, known as RollingPWN, say it might affect all Honda vehicles from 2012 through the latest 2022 models. However, Honda currently denies a vulnerability exists. 

The issue stems from Honda’s keyless entry fob, which uses a “rolling code” system to authenticate the remote. Each time you press a button on the remote, the rolling code clicks ahead to prevent so-called “replay attacks” in which someone captures and retransmits your remote code. Security researchers Kevin2600 and Wesley Li from Star-V Lab discovered that Honda’s rolling code implementation has a flaw that allows these old codes to be reused under certain circumstances. 

According to a statement from the researchers, Honda has implemented a sliding window of codes to avoid accidental key presses. So, it’s possible to send codes in sequence to the vehicle until the counter resynchronizes. Once that happens, codes from the previous cycle start working again, so replay attacks become possible. 
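As an added illustration, not Honda's or the researchers' code, here is a toy rolling-code receiver in Python that keeps the property the attack described above depends on being absent: the accepted counter, including through resynchronization, never moves backward, so a captured code is dead once the fob has advanced past it. The key, the counter-plus-MAC message format and the two-press resync rule are assumptions constructed for this example.

```python
import hmac

KEY = b"constructed-demo-key"  # shared fob/receiver secret, constructed for this example
WINDOW = 16                    # ordinary look-ahead, tolerating presses made out of range
def make_code(counter: int) -> bytes:
    """Model a fob transmission as counter || MAC(counter); not Honda's real format."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, "sha256").digest()[:8]

class Receiver:
    """Rolling-code receiver whose accepted counter can only move forward."""
    def __init__(self):
        self.last = 0        # highest counter accepted so far
        self.pending = None  # first half of a two-press resynchronisation

    def accept(self, code: bytes) -> bool:
        ctr, tag = code[:4], code[4:]
        if not hmac.compare_digest(hmac.new(KEY, ctr, "sha256").digest()[:8], tag):
            return False
        counter = int.from_bytes(ctr, "big")
        if counter <= self.last:
            return False  # stale counter: a replayed capture, always rejected
        if counter <= self.last + WINDOW:
            self.last, self.pending = counter, None
            return True
        # Far ahead: resynchronise only on two consecutive counters, and only forward.
        if self.pending is not None and counter == self.pending + 1:
            self.last, self.pending = counter, None
            return True
        self.pending = counter
        return False

def replay_scenario():
    """Capture five presses, let the fob advance, then replay the captures."""
    rx = Receiver()
    captured = [make_code(c) for c in range(1, 6)]
    live = [rx.accept(code) for code in captured]             # legitimate presses
    later = [rx.accept(make_code(c)) for c in range(6, 12)]   # fob keeps advancing
    replayed = [rx.accept(code) for code in captured]         # old codes sent again
    return all(live), all(later), any(replayed)

def resync_scenario():
    """A fob far ahead of the receiver resyncs forward; codes below 'last' stay dead."""
    rx = Receiver()
    rx.accept(make_code(1))
    first = rx.accept(make_code(500))   # outside the window: held as pending
    second = rx.accept(make_code(501))  # consecutive press completes the resync
    stale = rx.accept(make_code(499))   # still at or below last: rejected
    return first, second, stale, rx.last
```

The point to check in any receiver is the second scenario: after a resync the counter must end up higher than before, never lower, otherwise the previously captured codes come back to life exactly as the researchers describe.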

The RollingPWN code and proof of concept were released last week — it’s unclear if Honda was alerted first, which is a key component of responsible disclosure. Regardless, the exploit is in the wild, and several car enthusiasts and journalists have confirmed it works. Without the key fob in hand, it’s possible to unlock the doors and remotely start the affected cars. Still, Honda has yet to admit the bug exists. In a statement to Vice, Honda claims its rolling code system prevents replay attacks. 

The researchers tested ten models of cars, including a 2020 CR-V, a 2022 Civic, and a 2012 Civic. All of them were vulnerable to the attack, so it’s possible that all Honda vehicles going back to 2012 are affected as well. This might be a big headache for Honda owners. While some of its newer vehicles can receive OTA updates, most cannot. Not only would Honda have to develop new software for dozens of models, it would have to coax owners to bring their vehicles to a dealership or Honda service center to upgrade the software. 

Kevin2600 and Li believe the same exploit could affect other car manufacturers. The pair promises more details in the future. So, things may get worse before they get better.
