Earlier this year, we wrote about a vulnerability in Honda’s remote keyless entry (RKE) system that hackers could exploit to lock, unlock, and start certain Honda and Acura vehicles. This particular vulnerability was the result of Honda using fixed codes in its RKE system. Many Honda and Acura key fobs send the same radio frequency (RF) codes for every request. An attacker can intercept these codes and re-transmit them later to access the vehicle in what’s known as a replay attack.
One solution to this security weakness is to employ rolling codes, where the RF codes change after every request so that intercepted codes can’t be reused for a successful replay attack.
Honda has implemented rolling codes in some of its newer vehicles, but, according to new research, the company’s implementation of rolling codes doesn’t prevent replay attacks due to a vulnerability dubbed “Rolling-PWN.”
Honda’s updated RKE system checks RF codes against a synchronizing counter, accepting codes that match up with the counter while rejecting older codes. In theory, this system should prevent attackers from conducting a successful replay attack, as re-transmitted codes won’t match with the synchronizing counter. However, the RKE system includes some programming logic intended to prevent accidental key presses, and a team of researchers from Star-V Lab discovered a way to exploit this programming logic to resynchronize the counter and accept old codes by sending a consecutive lock and unlock code sequence.
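The counter check described above, as an added illustration that is not from the article, Honda, or the Star-V Lab researchers: a Python model of a rolling-code receiver that only ever moves its counter forward, next to a variant that lets consecutive stale codes rewind it. The frame layout, HMAC tag, window size, and the `backward_resync` switch (a guessed stand-in for the resynchronization flaw, not Honda's actual logic) are all assumptions.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead for fob presses made out of range of the car

def make_code(key, counter, command):
    """Fob side (assumed layout): 4-byte counter, 1-byte command, 8-byte tag."""
    body = counter.to_bytes(4, "big") + command.encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, key, backward_resync=False):
        self.key = key
        self.counter = 0      # highest counter accepted so far
        self.pending = None   # stale counter seen, awaiting its successor
        self.backward_resync = backward_resync  # hypothetical flaw switch

    def accept(self, code):
        body, tag = code[:-8], code[-8:]
        good = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if len(code) != 13 or not hmac.compare_digest(tag, good):
            return False      # malformed or not produced by the paired fob
        ctr = int.from_bytes(body[:4], "big")
        if self.counter < ctr <= self.counter + WINDOW:
            self.counter, self.pending = ctr, None
            return True       # fresh code: the counter only moves forward
        if self.backward_resync and ctr <= self.counter:
            # Flawed path: two consecutive stale codes rewind the counter.
            if self.pending is not None and ctr == self.pending + 1:
                self.counter, self.pending = ctr, None
                return True
            self.pending = ctr
        return False          # hardened path: stale codes are always rejected

def replay_demo(backward_resync):
    key = b"constructed-demo-key"  # constructed sample key
    rx = Receiver(key, backward_resync)
    # Constructed capture: three consecutive presses (lock, unlock, lock).
    captured = [make_code(key, c, cmd) for c, cmd in ((1, "L"), (2, "U"), (3, "L"))]
    assert all(rx.accept(code) for code in captured)  # original presses work
    for c in range(4, 10):                            # owner keeps using the fob
        rx.accept(make_code(key, c, "L"))
    return [rx.accept(code) for code in captured]     # later replay of old codes

if __name__ == "__main__":
    print("hardened:", replay_demo(False))
    print("flawed:  ", replay_demo(True))
```

With the switch off, every replayed code is rejected because its counter is no longer ahead of the receiver's; with it on, the second consecutive stale code rewinds the counter and the codes after it are accepted again.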
The researchers have published multiple demonstration videos as evidence of this exploit, and Rob Stumpf, an automotive journalist for The Drive, was able to replicate the exploit as well. The vulnerability has also been listed in the National Vulnerability Database as CVE-2021-46145 with a medium severity rating of 5.3. The researchers are of the view that this vulnerability most likely affects all vehicles with Honda’s updated RKE system, which the company began implementing in 2012. The researchers were able to verify that the vulnerability affects the ten most popular Honda vehicles from 2012 to 2022, which are as follows:
- Honda Civic 2012
- Honda X-RV 2018
- Honda C-RV 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
The researchers tried notifying Honda of this vulnerability, but never received a response. After the researchers went public with the vulnerability, a spokesperson for Honda made a statement to Vice questioning the researchers’ findings. “We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”
Nathan Wasson