Transportation Privacy Security

Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles (thedrive.com)

An anonymous reader quotes a report from The Drive: Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away and reuse the captured codes later to unlock or start a vehicle in the future without the owner's knowledge. Despite Honda's dispute that the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.

Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle, encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle. The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks. This attack works by eavesdropping on a paired key fob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.

[...] Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio. Despite being able to start and unlock the car, the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign. At this time, the following vehicles may be affected by the vulnerability: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, and 2022 Honda Breeze. It's not yet clear if this affects any Acura-branded vehicles.
"[W]e've looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."

  • At least this bug/flaw/hack/feature would minimize damage to the vehicle -- no broken windows or scratched door jambs. Just a plain-old hot-wire sequence to boot up the car and drive away!

    I wonder if a movie sequel would have Nic Cage and Angelina Jolie sit in rocking chairs barking, while holding a wooden cane, "When I was young, we used to..."
    • by zephvark ( 1812804 ) on Monday July 11, 2022 @05:29PM (#62694412)

      I realize that reading an entire article is too much to expect but, this is right there in the summary:

      " the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob."

      • by splutty ( 43475 )

        Uuuuhm... That's been a solved problem for about 100 years.

      • by nadass ( 3963991 )
        I appreciate your little snarky response, but that's NOT what I was referring to -- literally, my first words related to the COSMETICS OF THE CAR!

        Alas (for yourself and others), the hotwiring remark was not meant in the traditional sense. It meant whatever the next vogue expression for hotwiring a car will be when some TikToker coins a new expression for "jumpstarting" an EV that doesn't use a physical key into the ignition but instead "hijacks" into the car's diagnostics systems (with physical/wired or
  • by raymorris ( 2726007 ) on Monday July 11, 2022 @05:39PM (#62694446) Journal

    The Honda comment seems to be confusing this with another issue they had earlier this year. Kevin isn't a BS person, I trust what he says. It has ALSO been reproduced by other known people.

    ADDITIONALLY, the same vulnerability was independently discovered by some other people, who had planned to give a talk on it at Blackhat in a few weeks:

    https://www.blackhat.com/us-22... [blackhat.com]

  • Isn't this basically the same attack that's used on garage door openers?

    Replay older codes so it trusts your fake codes?

    I'm surprised this was allowed to happen over a decade later.

    • by dasunt ( 249686 ) on Monday July 11, 2022 @06:31PM (#62694584)

      Isn't this basically the same attack that's used on garage door openers?

      Replay older codes so it trusts your fake codes?

      If you are referring to Rolljam, that worked by jamming the first signal and recording it, then jamming the second signal, recording it, and playing back the first signal instead to open the garage door.

      So your remote sends "012", it gets jammed, you press it again and it sends "345", that is jammed and the first code is sent instead - "012" - allowing the hacker to send "345" to unlock the garage door.

      This is more devious - the device captures a sequence of codes - say "012", "345", "678", "901", etc. Then when it replays that sequence, the car resyncs to that device.

      Probably the thinking is that one has two fobs for the same car, and if one is lost, the owner can use the backup fob and have it working, even if it hasn't been used in months.

      But as we see, it opens this up for a unique replay attack.

      • by AvitarX ( 172628 )

        That's probably what I was thinking of, I didn't recall the jamming part.

        It still seems like a pretty obvious attack that relies on security through obscurity.

      • And then there are cars where you don't have to press a button on a key fob, even if you have buttons on your key fob. My car works like the proximity feature for keeping the car running after the push start. I put my hand in the door handle and because I'm in close proximity with the key fob, the doors unlock and I open them. Truthfully though, I'd rather use the key for the door and the ignition, with a chip in the key for antitheft.
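As an added example (not code from The Drive, Honda, or any commenter in this thread), the Python model below shows the two behaviours discussed above: the rolling-code "window" with a resync rule that the summary describes, which the "Rolling Pwn" replay abuses, and the jam-and-replay ("Rolljam") attack that dasunt contrasts it with. Everything here is a constructed simplification: the fob transmits a counter plus an HMAC-SHA256 tag in place of the vendor PRNG output, the window is 256 counters, the resync rule is "two consecutive valid counters", and the shared key is a made-up constant. Real Honda fobs are not documented this way; the point is the window and resync logic, not the code format.

```python
"""
Toy rolling-code receiver: resync-replay (Rolling Pwn style) vs. Rolljam.
Added example, not Honda's implementation. The counter+HMAC 'code', the
WINDOW size, the two-press resync rule and KEY are all assumptions.
"""
from __future__ import annotations

import hashlib
import hmac

WINDOW = 256                     # counters accepted ahead of the last seen one
KEY = b"demo-shared-fob-key"     # constructed; a real fob carries a per-car secret


def make_code(key: bytes, counter: int) -> tuple[int, bytes]:
    """A 'code' is (counter, tag); the tag stands in for the real PRNG output."""
    tag = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag


class Fob:
    def __init__(self, key: bytes) -> None:
        self.key, self.counter = key, 0

    def press(self) -> tuple[int, bytes]:
        self.counter += 1
        return make_code(self.key, self.counter)


class Car:
    """Receiver with a forward window plus a two-press resync rule.

    strict=False: resync accepts ANY two consecutive valid counters, even ones
                  below the last accepted value (the modelled flaw).
    strict=True : counters at or below the last accepted value are dead for
                  good; resync can only move forward.
    """

    def __init__(self, key: bytes, strict: bool) -> None:
        self.key, self.strict = key, strict
        self.last = 0          # highest counter accepted so far
        self.pending = None    # first half of a possible resync pair

    def receive(self, code: tuple[int, bytes]) -> bool:
        counter, tag = code
        if not hmac.compare_digest(tag, make_code(self.key, counter)[1]):
            return False                          # forged or wrong-key code
        if self.last < counter <= self.last + WINDOW:
            self.last, self.pending = counter, None
            return True                           # normal in-window press
        if self.strict and counter <= self.last:
            self.pending = None
            return False                          # replay of a used/older counter
        # out of window: two consecutive valid counters re-sync the receiver
        if self.pending is not None and counter == self.pending + 1:
            self.last, self.pending = counter, None
            return True
        self.pending = counter
        return False


def rolling_pwn(strict: bool) -> list[bool]:
    """Attacker records a run of presses, waits, then replays the run later.
    Returns the car's verdict on each replayed code."""
    fob, car = Fob(KEY), Car(KEY, strict)
    captured = []
    for _ in range(4):                 # attacker within range for four presses
        code = fob.press()
        captured.append(code)
        car.receive(code)
    for _ in range(50):                # owner keeps using the car; attacker gone
        car.receive(fob.press())
    return [car.receive(code) for code in captured]   # months later


def rolljam(strict: bool) -> bool:
    """Jam-and-replay: withhold one fresh code, forward the other, spend the
    withheld one later. Returns whether the withheld code still opens the car."""
    fob, car = Fob(KEY), Car(KEY, strict)
    for _ in range(10):
        car.receive(fob.press())       # normal use, counter now 10
    first = fob.press()                # owner's press is jammed; car never hears it
    second = fob.press()               # owner presses again; jammed and captured too
    car.receive(first)                 # attacker forwards the first: door opens
    return car.receive(second)         # later: the unused second code still works


if __name__ == "__main__":
    print("resync replay, window-only receiver:", rolling_pwn(False))
    print("resync replay, monotonic receiver:  ", rolling_pwn(True))
    print("rolljam, window-only receiver:", rolljam(False))
    print("rolljam, monotonic receiver:  ", rolljam(True))
```

In the window-only receiver the first replayed code is rejected (it is below the last accepted counter) but the second one completes a "consecutive pair", the receiver re-syncs backwards, and the rest of the captured run is accepted as if it were fresh. The monotonic receiver never accepts a counter at or below the one it last saw, so the same run is dead on arrival. Rolljam succeeds against both, because the withheld code is a genuine, never-used counter inside the forward window; that is why the commenters below point to bidirectional challenge-response rather than tighter window bookkeeping as the only real fix for relay and jam-style attacks.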

  • Perhaps, as a public service, someone should drive off with this guy's car - preferably during a press conference.

  • > "[W]e've looked into past similar allegations and found them to lack substance,"

    If they screwed up the PRNG design, then all security is lost.

    They should put a bigger battery in and a two way radio. Then implement an MITM secure cryptographic protocol along with round trip time based authentication to prevent relay attacks.

    • by AmiMoJo ( 196126 )

      The PRNG seems to be fine, the issue is that codes can be re-used.

      The system was designed to accept a range of codes, so that when the keyfob and the car get out of sync a little they can recover and the owner doesn't have to take it to the dealer to be fixed.

      Unfortunately they didn't think to keep track of codes that had been used and disable them, so they can't be repeated.

      To execute the attack an attacker has to capture a code, i.e. be within range when the owner uses the keyfob. That is a major issue fo

  • Funny how safe the credit card industry touted the chip technology in their cards before quietly upgrading them while their lawyers kept Matt & Jamie from exposing vulnerabilities. It's well known that well padded thieves can obtain burst transmitters to unlock any car they want. The real question is how much loss is the insurance industry going to tolerate. Locks only keep out honest people.
  • Replay attacks have always been a thing. The problem with these systems is that the fob generally cannot implement a challenge. So, it is necessary for the car to accept keys that are predictable by both the transmitter and receiver.

    One option is to simply have a megabyte of flash or rom which is time-window synced. And roll it after the end. This requires a time source for the fob which burns through battery.

    Another is to implement a handshake that would require bidirectional communication.

    433Mhz garage do
    • Not sure you're being fair there. The code for even basic critical systems is just absolutely massive and complex. Honda's drive by wire was, what, somewhere to the order of a million lines (of C)

  • If you start me up
    If you start me up, I'll never stop
    If you start me up
    If you start me up, I'll never stop

  • From the people that brought you "steal the car using the Konami code" now 'compromised'?

    I wanna say that the story is older than this, but the gist is here:
    https://www.supercars.net/foru... [supercars.net]
  • The engineers responsible knew full well that without a round trip challenge response there was no way to secure against a resync attack. The engineers told their managers and either it didn't get passed up the chain or more likely Honda has intentionally forgotten. This is a and battery cost savings. The key fob likely can't receive messages. It's not even that good of a cost savings since you could implement a resync after the key fob press so that the key fob is only listening for a tiny fraction of
  • Fun story (Score:4, Funny)

    by LeeLynx ( 6219816 ) on Monday July 11, 2022 @11:57PM (#62695236)
    I had a client once who had their stolen car claim denied by their insurance company, which I won't name here, because the car was impossible to steal - it simply could not be operated without the key fob. They maintained an 'expert' witness in another state who would reliably testify to this. The expense of countering this practice combined with onerous discovery requests meant it was more expensive to pursue a claim than it was worth. While I am, of course, not implying that this unnamed company was doing this for any nefarious purposes, it seems this would make it very easy to deny any claims from those policy holders a less reputable company felt they could paint in a negative light. This would certainly not be a very progressive practice, of course.
  • Honda dealers charge $400 or more to replace lost keys

  • I wonder if anyone has tested Honda motorcycles like the Goldwing that has a FOB and start button
    • You beat me to asking the same question. The Goldwing FOB seems to have a much longer sensing range than I'd expect, based on the illuminated white ring on the ignition knob showing when it can "see" the FOB. The FOB needs to be very close to the 'bike to unlock and start it, but the hack, if it applies, could be from a much longer distance. Using the FOB for the steering lock and ignition makes it seem that a U-lock is also required. I pity the poor fool who tries to actually carry a Goldwing away. It's ma
  • Hello, thank you for sharing this information with us. I really did not know it before. I was actually looking for this https://www.wort-spielereien.d... [wort-spielereien.de] website because I want to know whether the "Spielautomat 2 Euro Trick" (2 euro slot machine trick) really works or not, and when I searched for it in Google search, I came across your post.
