Earlier this year, we wrote about a vulnerability in Honda’s remote keyless entry (RKE) system
that hackers could exploit to lock, unlock, and start certain Honda and Acura vehicles. This particular vulnerability was the result of Honda using fixed codes in its RKE system. Many Honda and Acura key fobs send the same radio frequency (RF) codes for every request. An attacker can intercept these codes and re-transmit them later to access the vehicle in what’s known as a replay attack.
One solution to this security weakness is to employ rolling codes, where the RF codes change after every request so that intercepted codes can’t be reused for a successful replay attack.
Honda has implemented rolling codes in some of its newer vehicles, but, according to new research, the company’s implementation of rolling codes doesn’t prevent replay attacks due to a vulnerability dubbed “Rolling-PWN.”
Honda’s updated RKE system checks RF codes against a synchronizing counter, accepting codes that match up with the counter while rejecting older codes. In theory, this system should prevent attackers from conducting a successful replay attack, as re-transmitted codes won’t match with the synchronizing counter. However, the RKE system includes some programming logic intended to prevent accidental key presses, and a team of researchers from Star-V Lab discovered a way to exploit this programming logic to resynchronize the counter and accept old codes by sending a consecutive lock and unlock code sequence.
The researchers have published demonstration multiple videos as evidence of this exploit, and Rob Stumpf, an automotive journalist for The Drive, was able to
replicate the exploit as well. The vulnerability also has also been listed in the National Vulnerability Database as CVE-2021-46145 with a medium severity rating of 5.3. The researchers are of the view that this vulnerability most likely affects all vehicles with Honda’s updated RKE system, which the company began implementing in 2012. The researchers were able to verify that the vulnerability affects the ten most popular Honda vehicles from 2012 to 2022, which are as follows:
- Honda Civic 2012
- Honda X-RV 2018
- Honda C-RV 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
The researchers tried notifying Honda of this vulnerability, but never received a response. After the researchers went public with the vulnerability, a spokesperson for Honda made a statement to Vice questioning the researchers’ findings. “We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”