Thursday, March 28, 2024

Vulnerability in Honda Cars Let Hackers Unlock & Start Remotely

In nearly all Honda models, hackers were able to open the doors and start the car remotely. A remote keyless entry system is often fitted to modern vehicles, allowing for effortless access to the vehicle. 

A remote keyless entry system allows the vehicle to be unlocked or started remotely through a mobile device. Recently, Kevin2600, a security professional, conducted a test to assess the level of resistance to an RKE system that is in use today.

Based on the results of this analysis, it was discovered that all Honda vehicles that have been manufactured between the years 2012 and 2022 have a Rolling-PWN attack vulnerability.

This vulnerability could be exploited by any hacker from afar to open the car door permanently or, in the worst-case scenario, even start the engine of the car as well.

Flaw Profile

  • CVE ID: CVE-2021-46145
  • Description: The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter-resynchronization.
  • Base Score: 5.3 
  • Severity: MEDIUM

Technical Analysis

A software-defined radio allows an attacker to capture the code that the car owner uses to unlock the vehicle by exploiting a vulnerability in software-defined radios. 

The hacker would then be able to open the car as well by replaying the process. As far as 30 meters can be observed in some cases, it is possible to perform the attack from that distance. 

Kevin2600 and his co-workers broke into Honda models using a method known as rolling code in order to get the code to work. As a result, every time the keyfob is used, a different code will be sent to the car, which in turn will be used to unlock it.

Ideally, this would prevent the code from being captured and reused in the future. A flaw has been found, however, which allows the researchers to revert the code to an older version, and then open the car by reusing the older code.

Vulnerable Honda Models

In order to test the attack on different Honda models, Kevin2600 headed to a Honda dealership with his colleagues. There were 10 Honda models that were found to be vulnerable during the visit. 

It is for this reason that they believe that the attack will be able to affect all Honda models produced between 2012 and 2022.

Here below we have mentioned all the tested vulnerable Honda models:-

  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda C-RV 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

In the past few months, there have been many attacks on modern cars and other targets aimed at unlocking them. It would be fair to conclude that attacks such as these are now one of the most common forms of attacks that are being conducted.

Moreover, there is no way to tell if somebody is attempting to exploit the flaw in your car as it leaves no traces, and there is no way to tell if they have been successful.

Apart from this, it’s recommended that owners could take their car to the local Honda dealership or else patch the keyfob’s vulnerable firmware. to fix the issue.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.

Website

Latest articles

Wireshark 4.2.4 Released: What’s New!

Wireshark stands as the undisputed leader, offering unparalleled tools for troubleshooting, analysis, development, and...

Zoom Unveils AI-Powered All-In-One AI Work Workplace

Zoom has taken a monumental leap forward by introducing Zoom Workplace, an all-encompassing AI-powered...

iPhone Users Beware! Darcula Phishing Service Attacking Via iMessage

Phishing allows hackers to exploit human vulnerabilities and trick users into revealing sensitive information...

2 Chrome Zero-Days Exploited at Pwn2Own 2024: Patch Now

Google has announced a crucial update to its Chrome browser, addressing several vulnerabilities, including...

The Moon Malware Hacked 6,000 ASUS Routers in 72hours to Use for Proxy

Black Lotus Labs discovered a multi-year campaign by TheMoon malware targeting vulnerable routers and...

Hackers Actively Exploiting Ray AI Framework Flaw to Hack Thousands of Servers

A critical vulnerability in Ray, an open-source AI framework that is widely utilized across...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Mitigating Vulnerability Types & 0-day Threats

Mitigating Vulnerability & 0-day Threats

Alert Fatigue that helps no one as security teams need to triage 100s of vulnerabilities.

  • The problem of vulnerability fatigue today
  • Difference between CVSS-specific vulnerability vs risk-based vulnerability
  • Evaluating vulnerabilities based on the business impact/risk
  • Automation to reduce alert fatigue and enhance security posture significantly

Related Articles