WTF?! Researchers recently discovered a vulnerability that allows hackers to remotely unlock and launch multiple Honda vehicle models. The affected model list identifies 10 of Honda’s most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 to 2022.
The vulnerability, dubbed RollingPWN by researchers, exploits part of Honda’s keyless entry system. The current entry system is based on a rolling code model that creates a new access code every time owners press the fob button. Once spent, the previous ones must be disabled to prevent replay attacks. Instead, researchers Kevin26000 and Wesley Li found that the old codes could be rolled back and used to gain unwanted access to the vehicle.
The researchers tested the vulnerability in several Honda models ranging from 2012 to 2022. The list of affected test vehicles includes:
- Honda Civic 2012
- Honda XR-V 2018
- Honda CR-V 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
Based on the exploit’s listing and successful testing, Kevin26000 and Li are confident that the vulnerability could affect all Honda vehicles, not just the top ten listed above.
Providing a fix for the vulnerability can be as complex as the exploit itself. Honda could patch the flaw via an over-the-air (OTA) firmware update, but many of the affected cars do not offer OTA support. The larger pool of potentially affected vehicles makes a recall scenario unlikely.
— Kevin2600 (@Kevin2600) July 7, 2022
For now, research is underway to determine how widespread the vulnerability is. Based on the nature of the attack, Kevin26000 and Li strongly suspect that the problem could affect other automakers as well.
The finding is just one of many access issues discovered in Honda’s car line this year. In March, researchers identified a man-in-the-middle exploit (CVE-2022-27254) where RF signals can be intercepted and manipulated for later use. Kevin26000 had also reported a similar replay attack (CVE-2021-46145) in January 2022.