Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Transportation Privacy Security

Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles (thedrive.com) 40

An anonymous reader quotes a report from The Drive: Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away and reuse them later to unlock or start a vehicle in the future without owner's knowledge. Despite Honda's dispute that the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle. The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a "window," When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks. This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.

[...] Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio. Despite being able to start and unlock the car, the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign. At this time, the following vehicles may be affected by the vulnerability: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, and 2022 Honda Breeze. It's not yet clear if this affects any Acura-branded vehicles.
"[W]e've looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
This discussion has been archived. No new comments can be posted.

Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles

Comments Filter:
  • At least this bug/flaw/hack/feature would minimize damage to the vehicle -- no broken windows or scratched door jabs. Just a plain-old hot-wire sequence to boot up the car and drive away!

    I wonder if a movie sequel would have Nic Cage and Angelina Jolie sit in rocking chairs barking, while holding a wooden cane, "When I was young, we used to..."
    • by zephvark ( 1812804 ) on Monday July 11, 2022 @04:29PM (#62694412)

      I realize that reading an entire article is too much to expect but, this is right there in the summary:

      " the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob."

      • by splutty ( 43475 )

        Uuuuhm... That's been a solved problem for about 100 years.

      • by nadass ( 3963991 )
        I appreciate your little snarky response, but that's NOT what I was referring to -- literally, my first words related to the COSMETICS OF THE CAR!

        Alas (for yourself and others), the hotwiring remark was not meant in the traditional sense. It meant whatever the next vogue expression for hotwiring a car will be when some TikToker coins a new expression for "jumpstarting" an EV that doesn't use a physical key into the ignition but instead "hijacks" into the car's diagnostics systems (with physical/wired or
  • by raymorris ( 2726007 ) on Monday July 11, 2022 @04:39PM (#62694446) Journal

    The Honda comment seems to be confusing this with another issue they had earlier this year. Kevin isn't a BS person, I trust what he says. It has ALSO been reproduced by other known people.

    ADDITIONALLY, the same vulnerability was independently discovered by some other people, who had planned give a talk on it at Blackhat in a few weeks:

    https://www.blackhat.com/us-22... [blackhat.com]

  • Isn't this basically the same attack that's used on garage door openers?

    Reply older codes so it trusts your fake codes?

    I'm surprised this was let happen over a decade later.

    • by dasunt ( 249686 ) on Monday July 11, 2022 @05:31PM (#62694584)

      Isn't this basically the same attack that's used on garage door openers?

      Reply older codes so it trusts your fake codes?

      If you are referring to Rolljam, that worked by jamming the first signal and recording it, then jamming the second signal, recording it, and playing back the first signal instead to open the garage door.

      So your remote sends "012", it gets jammed, you press it again and it sends "345", that is jammed and the first code is sent instead - "012" - allowing the hacker to send "345" to unlock the garage door.

      This is more devious - the device captures a sequence of codes - say "012", "345" "678" "901", etc. Then when it replies that sequence, the car resyncs to that device.

      Probably the thinking is that one has two fobs for the same car, and if one is lost, the owner can use the backup fob and have it working, even if it hasn't been used in months.

      But as we see, it opens this up for a unique replay attack.

      • by AvitarX ( 172628 )

        That's probably what I was thinking of, I didn't recall the jamming part.

        It still seems like a pretty obvious attack that relies on security through obscurity.

      • And then there are cars where you don't have to press a button on a key fob, even if you have buttons on your key fob. My car works like the proximity feature for keeping the car running after the push start. I put my hand in the door handle and because I'm in close proximity with the key fob, the doors unlock and I open them. Truthfully though, I'd rather use the key for the door and the ignition, with a chip in the key for antitheft.

  • Perhaps, as a public service, someone should drive off with this guy's car - preferably during a press conference.

  • > "[W]e've looked into past similar allegations and found them to lack substance,"

    If they screwed up the PRNG design, then all security is lost.

    They should put a bigger battery in and a two way radio. Then implement an MITM secure cryptographic protocol along with round trip time based authentication to prevent relay attacks.

    • by AmiMoJo ( 196126 )

      The PRNG seems to be fine, the issue is that codes can be re-used.

      The system was designed to accept a range of codes, so that when the keyfob and the car get out of sync a little they can recover and the owner doesn't have to take it to the dealer to be fixed.

      Unfortunately they didn't think to keep track of codes that had been used and disable them, so they can't be repeated.

      To execute the attack an attacker has to capture a code, i.e. be within range when the owner uses the keyfob. That is a major issue fo

  • Funny how safe the credit card industry touted the chip technology in their cards before quietly upgrading them while their lawyers kept Matt & Jamie from exposing vulnerabilities. Its well known that well padded thieves can obtain burst transmitters to unlock any car they want. The real question is how much loss is the insurance industry going to tolerate. Locks only keep out honest people.
  • Replay attacks have always been a thing. The problem with these systems is that the fob generally cannot implement a challenge. So, it is necessary for the car to accept keys that are predictable by both the transmitter and receiver.

    One option is to simply have a megabyte of flash or rom which is time-window synced. And roll it after the end. This requires a time source for the fob which burns through battery.

    Another is to implement a handshake that would require bidirectional communication.

    433Mhz garage do
    • Not sure you're being fair there. The code for even basic critical systems is just absolutely massive and complex. Honda's drive by wire was, what, somewhere to the order of a million lines (of C)

  • If you start me up
    If you start me up, I'll never stop
    If you start me up
    If you start me up, I'll never stop

  • From the people that brought you "steal the car using the Konami code" now 'compromised'?

    I wanna say that the story is older than this, but the gist is here:
    https://www.supercars.net/foru... [supercars.net]
  • The engineers responsible knew full well that without a round trip challenge response there was no way to secure against a resync attack. The engineers told their managers and either it didn't get passed up the chain or more likely Honda has intentionally forgotten. This is a and battery cost savings. The key fob likely can't receive messages. It's not even that good of a cost savings since you could implement a resync after the key fob press so that the key fob is only listening for a tiny fraction of
  • Fun story (Score:4, Funny)

    by LeeLynx ( 6219816 ) on Monday July 11, 2022 @10:57PM (#62695236)
    I had a client once who had their stolen car claim denied by their insurance company, which I won't name here, because the car was impossible to steal - it simply could not be operated without the key fob. They maintained an 'expert' witness in another state who would reliably testify to this. This expense of countering this practice combined with onerous discovery requests meant it was more expensive to pursue a claim than it was worth. While I am, of course, not implying that this unnamed company was doing this for any nefarious purposes, it seems this would make it very easy to deny any claims from those policy holders a less reputable company felt they could paint in a negative light. This would certainly not be a very progressive practice, of course.
  • Honda dealers charge $400 or more to replace lost keys

  • I wonder if anyone has tested Honda motorcycles like the Goldwing that has a FOB and start button
    • You beat me to asking the same question. The Goldwing FOB seems to have a much longer sensing range than I'd expect, based on the illuminated white ring on the ignition knob showing when it can "see" the FOB. The FOB needs to be very close to the 'bike to unlock and start it, but the hack, if it applies, could be from a much longer distance. Using the FOB for the steering lock and ignition makes it seem that a U-lock is also required. I pity the poor fool who tries to actually carry a Goldwing away. It's ma
  • Hallo, danke, dass Sie diese Informationen mit uns geteilt haben. Ich weiß es vorher wirklich nicht. Ich habe eigentlich nach dieser https://www.wort-spielereien.d... [wort-spielereien.de] Website gesucht, weil ich wissen möchte, ob Spielautomat 2 Euro Trick wirklich funktioniert oder nicht und Als ich danach in der Google-Suche gesucht habe, bin ich auf Ihren Beitrag gestoßen.

Truly simple systems... require infinite testing. -- Norman Augustine

Working...