IT security researchers Kevin2600 and Wesley Li from the Star-V Lab took a closer look at Honda’s radio key system and came across a vulnerability that would allow unauthorized persons to remotely unlock, or even start, all Honda models from 2012 to 2022. A fix is not yet in sight.
In a keyless entry system, a rolling code serves to prevent so-called replay attacks, the researchers explain. In a replay attack, attackers record the radio communication with a software-defined radio (SDR) and simply play it back to open a car. With a rolling code, a synchronizing counter is incremented each time the key is pressed. As a result, simply playing back an old transmission does not open the car, because the required code is now different.
According to the researchers, however, the vehicle accepts a “sliding window” of codes so that accidentally pressing the key out of range does not lock the owner out. Honda vehicles resynchronize the counter when the commands are sent in a consecutive sequence. Once the counter has been resynchronized, commands from the previous cycle work again. These commands could therefore be used later to open the car at will. The vulnerability even received an entry in the Common Vulnerabilities and Exposures database: CVE-2021-46145, CVSS 5.3, risk “medium”.
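An added example, not code from the researchers or from Honda: a simplified Python model of the receiver logic described above, comparing a resync that can move the counter backwards with one where the counter only moves forward. The HMAC-based code, the key, the window size and the resync rule are assumptions chosen for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by key fob and car
WINDOW = 16       # assumed size of the look-ahead window
RESYNC_RUN = 3    # assumed: consecutive codes that trigger a resync

def code(counter):
    """Rolling code for one key press: truncated HMAC over the counter."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, rewind_on_resync):
        self.counter = 0                  # counter of the last accepted code
        self.rewind_on_resync = rewind_on_resync
        self.run = []                     # stale counters seen back to back

    def _lookup(self, rx, lo, hi):
        return next((n for n in range(lo, hi + 1)
                     if hmac.compare_digest(code(n), rx)), None)

    def receive(self, rx):
        n = self._lookup(rx, self.counter + 1, self.counter + WINDOW)
        if n is not None:                 # fresh code inside the window
            self.counter, self.run = n, []
            return True
        if self.rewind_on_resync:         # flawed: stale codes can drive a resync
            old = self._lookup(rx, 1, self.counter)
            if old is None:
                self.run = []
            elif self.run and old == self.run[-1] + 1:
                self.run.append(old)
            else:
                self.run = [old]
            if len(self.run) >= RESYNC_RUN:
                self.counter, self.run = self.run[-1], []  # counter goes backwards
        return False                      # stale or unknown code is rejected

def stale_code_accepted(rewind_on_resync):
    car = Receiver(rewind_on_resync)
    presses = [code(n) for n in range(1, 6)]   # constructed: five key presses
    assert all(car.receive(c) for c in presses)
    for c in presses[:RESYNC_RUN]:             # the same codes seen again, in order
        car.receive(c)
    return car.receive(presses[RESYNC_RUN])    # press 4 was already used once

if __name__ == "__main__":
    print("resync may rewind:", stale_code_accepted(True))
    print("counter only moves forward:", stale_code_accepted(False))
```

In this model the window still tolerates skipped presses, but only the receiver whose counter never decreases keeps every previously used code invalid.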
On a GitHub page set up specifically for the Rolling Pwn vulnerability, there is a rough description of the attack as well as frequently asked questions and videos intended to prove that the attack works. However, the researchers do not want to publish tools with which the attacks can be carried out, so that nobody goes out and steals cars with them.
According to their report, the discoverers have successfully tested the vulnerability on the following models: Honda Civic (2012), Honda X-RV (2018), Honda C-RV (2020), Honda Accord (2020), Honda Odyssey (2020), Honda Inspire (2021), Honda Fit (2022), Honda Civic (2022), Honda VE-1 (2022) and Honda Breeze (2022).
According to their own statements, the IT researchers have found indications that such vulnerabilities also affect other manufacturers and plan to publish further details at a later date. For this reason, they called the attack Rolling Pwn instead of Honda Pwn.
They point out that while other researchers have found similar vulnerabilities in Honda vehicles, the older attacks concerned fixed codes, which made simple replay attacks possible. Kevin2600 and Wesley Li eventually contacted Honda using the customer service form, but have not yet received a response. They demonstrated the first attempts on Twitter at the end of December 2021. They put the project page online last weekend.
A Honda spokesman told Vice that the company had investigated similar allegations in the past and that these had proved to be without substance. Although there was not enough information to assess the credibility of this report, he said, the radio keys of the vehicles mentioned have rolling code technology that prevents the vulnerability described in the report. In addition, the videos offered as evidence of missing rolling code did not contain enough evidence to substantiate these allegations.
Security vulnerabilities of this kind are often found in keyless entry systems for vehicles. About two months ago, researchers managed to crack the Tesla Model 3 and Tesla Y using a Bluetooth attack.