Hackers Uncover Ways To Unlock and Start Nearly All Modern Honda-Branded Vehicles (thedrive.com) 40
An anonymous reader quotes a report from The Drive: Hackers have uncovered ways to unlock and start nearly all modern Honda-branded vehicles by wirelessly stealing codes from an owner's key fob. Dubbed "Rolling Pwn," the attack allows any individual to "eavesdrop" on a remote key fob from nearly 100 feet away and reuse them later to unlock or start a vehicle in the future without the owner's knowledge. Despite Honda's dispute that the technology in its key fobs "would not allow the vulnerability," The Drive has independently confirmed the validity of the attack with its own demonstration.
Older vehicles used static codes for keyless entry. These static codes are inherently vulnerable, as any individual can capture and replay them at will to lock and unlock a vehicle. Manufacturers later introduced rolling codes to improve vehicle security. Rolling codes work by using a Pseudorandom Number Generator (PRNG). When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle. The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks. This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.
[...] Contrary to Honda's claim, I independently confirmed the vulnerability by capturing and replaying a sequence of lock and unlock requests with my 2021 Honda Accord and a Software-Defined Radio. Despite being able to start and unlock the car, the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob. However, the fact that a bad actor can get this far is already a bad sign. At this time, the following vehicles may be affected by the vulnerability: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, and 2022 Honda Breeze. It's not yet clear if this affects any Acura-branded vehicles. "[W]e've looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."
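The window and re-sync behaviour described in the summary can be modelled on the receiver side. The following is an added example, not code from The Drive, the researchers or Honda: a toy receiver whose counter can be rolled back by a run of consecutive stale codes, next to a hardened one whose counter only moves forward. The key, window size, re-sync rule and all names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared secret, not a real value
WINDOW = 16                     # assumed look-ahead window size
RESYNC_RUN = 3                  # assumed: consecutive stale codes that trigger a re-sync

def code_for(counter: int) -> str:
    """Toy rolling code: truncated HMAC of the fob's counter."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).hexdigest()[:8]

class Receiver:
    def __init__(self, allow_backward_resync: bool):
        self.counter = 0        # last accepted counter value
        self.allow_backward_resync = allow_backward_resync
        self.run = []           # counters of consecutive stale codes seen so far

    def _lookup(self, code, lo, hi):
        for c in range(lo, hi):
            if hmac.compare_digest(code_for(c), code):
                return c
        return None

    def receive(self, code: str) -> bool:
        # Normal path: the code must lie strictly ahead of the last accepted one.
        c = self._lookup(code, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:
            self.counter, self.run = c, []
            return True
        if not self.allow_backward_resync:
            return False        # hardened: a stale code never moves the counter
        # Flawed path (assumed model): a run of stale codes rolls the counter back.
        c = self._lookup(code, 1, self.counter + 1)
        if c is None:
            self.run = []
            return False
        self.run = self.run + [c] if self.run and c == self.run[-1] + 1 else [c]
        if len(self.run) >= RESYNC_RUN:
            self.counter, self.run = c, []
            return True         # re-sync accepted; older codes are valid again
        return False

def replay_results(allow_backward_resync: bool) -> list:
    """Feed codes 1..4 back to a receiver that has since accepted codes 1..40."""
    rx = Receiver(allow_backward_resync)
    stale = [code_for(c) for c in range(1, 5)]   # constructed sample codes
    for c in range(1, 41):                       # owner's normal use of the fob
        rx.receive(code_for(c))
    return [rx.receive(code) for code in stale]
```

With the backward re-sync enabled the third and fourth stale codes are accepted; with a forward-only counter all four are rejected.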
Gone In 60 Seconds, Part 2 (Score:1)
I wonder if a movie sequel would have Nic Cage and Angelina Jolie sit in rocking chairs barking, while holding a wooden cane, "When I was young, we used to..."
Re:Gone In 60 Seconds, Part 2 (Score:4, Insightful)
I realize that reading an entire article is too much to expect but, this is right there in the summary:
" the vulnerability doesn't allow the attacker to actually drive off with the vehicle due to the proximity functionality of the key fob."
Re: (Score:2)
Uuuuhm... That's been a solved problem for about 100 years.
Re: (Score:3)
Nope. The physical key is only used to get in the door. Once inside, you have to put the key fob in or near a Near Field reader that powers the key enough that it can validate the proximity device. Some have readers hidden in the cup holders, others have them in the central arm rest, and others have them behind the Start button itself. This has been a known problem and solution for many years. https://www.youtube.com/watch?... [youtube.com]
Re: (Score:2)
And I guess my car has the proximity reader in the trunk? I mean that's how I found where I left my keys the other day. I went in the car and hit the start button which was a good indication that they were in the car somewhere.
Don't generalise. Not every car is the same. There are differences in implementation all over the place and common sense isn't common anymore.
Re: (Score:2)
If you read a little closer, the PP incorrectly said that even keyless start dashboards have a physical key slot to be used when the battery in the fob died, which would make them susceptible to hot wiring. I was explaining that the car manufacturers have a system to allow drivers to start their cars even if the fob battery is dead. That doesn't mean YOUR car can't still sense your fob with a good battery when it is in your trunk.
Of course I'm generalizing. Every car manufacturer has a slightly different
Re: (Score:2)
Alas (for yourself and others), the hotwiring remark was not meant in the traditional sense. It meant whatever the next vogue expression for hotwiring a car will be when some TikToker coins a new expression for "jumpstarting" an EV that doesn't use a physical key into the ignition but instead "hijacks" into the car's diagnostics systems (with physical/wired or
Kevin is right. Honda is wrong (Score:4, Informative)
The Honda comment seems to be confusing this with another issue they had earlier this year. Kevin isn't a BS person, I trust what he says. It has ALSO been reproduced by other known people.
ADDITIONALLY, the same vulnerability was independently discovered by some other people, who had planned to give a talk on it at Blackhat in a few weeks:
https://www.blackhat.com/us-22... [blackhat.com]
Garage door openers (Score:2)
Isn't this basically the same attack that's used on garage door openers?
Replay older codes so it trusts your fake codes?
I'm surprised this was let happen over a decade later.
Re:Garage door openers (Score:4, Interesting)
If you are referring to Rolljam, that worked by jamming the first signal and recording it, then jamming the second signal, recording it, and playing back the first signal instead to open the garage door.
So your remote sends "012", it gets jammed, you press it again and it sends "345", that is jammed and the first code is sent instead - "012" - allowing the hacker to send "345" to unlock the garage door.
This is more devious - the device captures a sequence of codes - say "012", "345", "678", "901", etc. Then when it replays that sequence, the car resyncs to that device.
Probably the thinking is that one has two fobs for the same car, and if one is lost, the owner can use the backup fob and have it working, even if it hasn't been used in months.
But as we see, it opens this up for a unique replay attack.
Re: (Score:2)
That's probably what I was thinking of, I didn't recall the jamming part.
It still seems like a pretty obvious attack that relies on security through obscurity.
Re: (Score:3)
And then there are cars where you don't have to press a button on a key fob, even if you have buttons on your key fob. My car works like the proximity feature for keeping the car running after the push start. I put my hand in the door handle and because I'm in close proximity with the key fob, the doors unlock and I open them. Truthfully though, I'd rather use the key for the door and the ignition, with a chip in the key for antitheft.
"We've... found them to lack substance" (Score:2)
Perhaps, as a public service, someone should drive off with this guy's car - preferably during a press conference.
Re: (Score:2)
OK. Now I've got to post this [youtube.com].
Re: (Score:2)
PRNGs Again (Score:2)
> "[W]e've looked into past similar allegations and found them to lack substance,"
If they screwed up the PRNG design, then all security is lost.
They should put a bigger battery in and a two way radio. Then implement an MITM secure cryptographic protocol along with round trip time based authentication to prevent relay attacks.
Re: (Score:2)
The PRNG seems to be fine, the issue is that codes can be re-used.
The system was designed to accept a range of codes, so that when the keyfob and the car get out of sync a little they can recover and the owner doesn't have to take it to the dealer to be fixed.
Unfortunately they didn't think to keep track of codes that had been used and disable them, so they can't be repeated.
To execute the attack an attacker has to capture a code, i.e. be within range when the owner uses the keyfob. That is a major issue fo
Always a price for convenience (Score:1)
Re: (Score:2)
Oh wait no it won't - anyone can learn to drive a manual - it is not like some secret handshake. That thief will just learn on the fly which takes two or three tries.
Manuals are not going away because they are hard to learn, they are going away beca
Re: (Score:2)
They are also going away because they are neither faster nor more efficient than their dual-clutch counterparts. So they're the worst of all worlds, except in terms of cost.
Re: (Score:2)
Manuals are also more reliable than DCTs, and vastly cheaper to maintain when something does go wrong. Agreed on performance, even a good slush box is better at shifting than a human.
Re: (Score:2)
When you're 200 kms in the woods on a forest road, and your automatic transmission breaks, even if it's a minor break, you're pretty much fucked. You're not going anywhere, and even if you've had the common sense of bringing a sat phone, be ready to have to wait a long time before someone shows up to get you out.
Manual transmissions also fail, of course, but rarely in a catastrophic, stuck on the side of the road way. If your manual transmission happens to give you trouble when you're 200 kms in to the wood
Re: (Score:1)
Not quite, but (Score:2)
One option is to simply have a megabyte of flash or rom which is time-window synced. And roll it after the end. This requires a time source for the fob which burns through battery.
Another is to implement a handshake that would require bidirectional communication.
433Mhz garage do
Re: (Score:1)
Not sure you're being fair there. The code for even basic critical systems is just absolutely massive and complex. Honda's drive by wire was, what, somewhere to the order of a million lines (of C)
start me up (Score:2)
If you start me up
If you start me up, I'll never stop
If you start me up
If you start me up, I'll never stop
Honda (Score:2)
I wanna say that the story is older than this, but the gist is here:
https://www.supercars.net/foru... [supercars.net]
Honda knew (Score:2)
Fun story (Score:4, Funny)
this is excellent news (Score:2)
Honda dealers charge $400 or more to replace lost keys
Motorcycles (Score:1)
Re: (Score:1)
Re: Motorcycles (Score:2)
FOB or fob?
Re: (Score:1)
Thanks (Score:1)