A new security vulnerability has been discovered in Honda vehicles, allowing hackers to open the car doors or even start the engine remotely. The vulnerability, dubbed Rolling-PWN, was independently discovered by two experts, Kevin2600 (Twitter user) and Wesley Li of Star-V Lab.
The Rolling-PWN attack (tracked as CVE-2021-46145) exploits a serious vulnerability in the remote keyless entry (RKE) system, allowing an attacker to unlock the car doors or start the engine from a long distance. According to the experts, the problem affects all Honda vehicles currently on the market from the year 2012 to the year 2022.
The Rolling-PWN problem exists in a vulnerable version of the rolling code mechanism, which has been implemented in large numbers of Honda vehicles.
“We found it in a vulnerable version of the rolling codes mechanism, which has been implemented in huge numbers of Honda vehicles. A rolling code system in keyless entry systems is to prevent replay attacks. After each keyfob button is pressed, the rolling codes sync counter is incremented. However, the vehicle receiver accepts a scrolling box of codes to prevent the key from being accidentally pressed by the design,” reads the description of the Rolling Pwn Attack published on GitHub.
“Sending the commands to the Honda vehicles in sequential order will resync the counter. After the counter was resynchronised, the commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”
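The counter logic described in the quote above, as an added toy model (not code from the article, the researchers, or Honda's firmware): a receiver that rolls its counter back after a run of consecutive stale codes, next to one whose counter only ever moves forward. The HMAC code generator, `WINDOW`, `RESYNC_RUN` and all class and function names are assumptions made for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and receiver
WINDOW = 16       # assumed size of the look-ahead acceptance window
RESYNC_RUN = 3    # assumed: consecutive stale codes that trigger a resync

def code_for(counter):
    """Code the fob emits for one counter value (toy HMAC construction)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

def find(code, lo, hi):
    """Return the counter in [lo, hi) whose code matches, else None."""
    for c in range(lo, hi):
        if hmac.compare_digest(code, code_for(c)):
            return c
    return None

class StrictReceiver:
    """Accepts only codes ahead of the stored counter; it never moves back."""
    def __init__(self):
        self.counter = 0
    def receive(self, code):
        c = find(code, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:
            self.counter = c
        return c is not None

class ResyncReceiver(StrictReceiver):
    """Flawed: a run of consecutive stale codes rolls the counter back."""
    def __init__(self):
        super().__init__()
        self.run = []  # counters of consecutive stale codes seen so far
    def receive(self, code):
        if super().receive(code):
            self.run = []
            return True
        c = find(code, 1, self.counter + 1)  # was this code already used?
        consecutive = bool(self.run) and c == self.run[-1] + 1
        self.run = self.run + [c] if consecutive else ([c] if c is not None else [])
        if len(self.run) == RESYNC_RUN:
            self.counter, self.run = c, []  # the bug: counter decreases
        return False

def replay_outcome(receiver):
    """Owner presses 10 times; codes 1-4 recorded earlier are then replayed."""
    for n in range(1, 11):
        receiver.receive(code_for(n))
    return [receiver.receive(code_for(n)) for n in range(1, 5)]
```

The invariant to verify in receiver firmware is that the stored counter never decreases: `StrictReceiver` rejects all four stale codes, while `ResyncReceiver` accepts the fourth after the first three reset its counter.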
Security researchers successfully tested the 10 most popular models of Honda vehicles with repeated codes from the year 2012 to the year 2022 and found that the vulnerability specifically affects the following Honda models on the market:
- Honda Civic 2012
- Honda X-RV 2018
- Honda C-RV 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
The researchers also published a series of PoC videos showing how the rolling code mechanism was pwned. The videos also show that the experts were able to repeatedly open the door, even after pressing the keyfob multiple times.
Users who tested the Rolling-PWN bug posted their videos about opening various Hondas:
I was able to replicate the Rolling Pwn exploit with two different keycaps from two different times.
So yes, it certainly works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ
— Rob Stumpf (@RobDrivesCars) July 10, 2022
According to Kevin2600 and Wesley Li, since the exploitation leaves no trace in traditional log files, it is not possible to determine whether someone has exploited the flaw against a model.
What is the solution for the Rolling-PWN bug?
Experts advised that the common solution for the automaker is to recall the affected cars and upgrade the vulnerable BCM firmware via Over-the-Air (OTA) Updates. However, some old vehicles may not support OTA.
The researchers tried to notify Honda of the vulnerability, but were unable to find contact information for reporting security vulnerabilities in its products. That’s why they reported it to Honda Customer Service, but they have not received an answer yet.
Commenting on the Rolling-PWN report, a Honda spokesperson told Vice in a statement: “While we don’t have enough information yet to determine whether this report is credible, the key fob in the vehicles referenced are equipped with rolling code technology that would disallow the vulnerability as depicted in the report, and the videos presented as evidence of the absence of rolling code do not contain sufficient evidence to substantiate the claims.”
This isn’t the first time Honda’s line of vehicles has been found with access vulnerabilities. In March of this year, researchers discovered a vulnerability (CVE-2022-27254) in the remote keyless system that allowed RF signals to be intercepted and manipulated for later use.