Honda’s Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles

A pair of researchers has released a proof-of-concept (PoC) demonstrating that a malicious actor can remotely lock, unlock, and even start Honda and Acura vehicles by means of what’s called a replay attack.

The attack is made possible by a vulnerability in Honda’s remote keyless system (CVE-2022-27254) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart).

“A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership,” Berry explained in a GitHub post.

The underlying issue is that the remote key fob on the affected Honda vehicles transmits the same unencrypted radio frequency signal (433.215MHz) to the car, which lets an adversary intercept the request and replay it at a later time to wirelessly start the engine as well as lock and unlock the doors.

This is not the first time a flaw of this kind has been uncovered in Honda vehicles. A related issue discovered in 2017 Honda HR-V models (CVE-2019-20626, CVSS score: 6.5) was “seemingly ignored” by the Japanese company, Berry alleged.

“Manufacturers must implement Rolling Codes, otherwise known as hopping code,” Rajesh said. “It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system.”
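
The rolling-code idea described above, as an added example that is not from the article, the researchers' PoC, or Honda: a receiver that accepts one fixed frame (the behaviour reported for the affected fobs) next to one that requires a fresh, authenticated counter. The frame layout, key, command code, and window size are assumptions for illustration, and the counter-plus-HMAC construction is a simplified stand-in for commercial rolling-code schemes.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead for button presses made out of range

class StaticReceiver:
    """Behaviour the article describes: one fixed frame is always valid."""
    def __init__(self, fixed_frame: bytes):
        self.fixed_frame = fixed_frame

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.fixed_frame)

def fob_frame(key: bytes, counter: int, command: int) -> bytes:
    """Rolling frame: counter || command || truncated HMAC over both."""
    body = struct.pack(">IB", counter, command)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # replayed (stale) or implausibly far ahead
        self.last_counter = counter  # each counter value is single-use
        return True

def demo() -> dict:
    key, unlock = b"constructed-demo-key", 0x02  # constructed sample values
    fixed = b"\xaa\x55-unlock"  # constructed stand-in for the fixed frame
    static, rolling = StaticReceiver(fixed), RollingReceiver(key)
    captured = fob_frame(key, 1, unlock)  # frame an eavesdropper recorded
    return {
        "static_replay": static.accept(fixed) and static.accept(fixed),
        "rolling_first": rolling.accept(captured),
        "rolling_replay": rolling.accept(captured),
        "rolling_next": rolling.accept(fob_frame(key, 2, unlock)),
    }
```

The static receiver accepts the same frame any number of times, while the rolling receiver rejects the second presentation of a recorded frame and still accepts the fob's next legitimate press.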

We have asked Honda for a comment, and we will update the story once we hear back.
