Saturday, December 2, 2023

Vulnerability in Honda Cars Let Hackers Unlock & Start Remotely

In nearly all Honda models, hackers were able to open the doors and start the car remotely. A remote keyless entry system is often fitted to modern vehicles, allowing for effortless access to the vehicle. 

A remote keyless entry system allows the vehicle to be unlocked or started remotely through a mobile device. Recently, Kevin2600, a security professional, conducted a test to assess the level of resistance to an RKE system that is in use today.

Based on the results of this analysis, it was discovered that all Honda vehicles that have been manufactured between the years 2012 and 2022 have a Rolling-PWN attack vulnerability.

This vulnerability could be exploited by any hacker from afar to open the car door permanently or, in the worst-case scenario, even start the engine of the car as well.

Flaw Profile

  • CVE ID: CVE-2021-46145
  • Description: The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter-resynchronization.
  • Base Score: 5.3 
  • Severity: MEDIUM

Technical Analysis

A software-defined radio allows an attacker to capture the code that the car owner uses to unlock the vehicle by exploiting a vulnerability in software-defined radios. 

The hacker would then be able to open the car as well by replaying the process. As far as 30 meters can be observed in some cases, it is possible to perform the attack from that distance. 

Kevin2600 and his co-workers broke into Honda models using a method known as rolling code in order to get the code to work. As a result, every time the keyfob is used, a different code will be sent to the car, which in turn will be used to unlock it.

Ideally, this would prevent the code from being captured and reused in the future. A flaw has been found, however, which allows the researchers to revert the code to an older version, and then open the car by reusing the older code.

Vulnerable Honda Models

In order to test the attack on different Honda models, Kevin2600 headed to a Honda dealership with his colleagues. There were 10 Honda models that were found to be vulnerable during the visit. 

It is for this reason that they believe that the attack will be able to affect all Honda models produced between 2012 and 2022.

Here below we have mentioned all the tested vulnerable Honda models:-

  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda C-RV 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

In the past few months, there have been many attacks on modern cars and other targets aimed at unlocking them. It would be fair to conclude that attacks such as these are now one of the most common forms of attacks that are being conducted.

Moreover, there is no way to tell if somebody is attempting to exploit the flaw in your car as it leaves no traces, and there is no way to tell if they have been successful.

Apart from this, it’s recommended that owners could take their car to the local Honda dealership or else patch the keyfob’s vulnerable firmware. to fix the issue.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Active Attacks Targeting Google Chrome & ownCloud Flaws: CISA Warns

The CISA announced two known exploited vulnerabilities active attacks targeting Google Chrome & own...

Cactus Ransomware Exploiting Qlik Sense code execution Vulnerability

A new Cactus Ransomware was exploited in the code execution vulnerability to Qlik Sense...

Hackers Bypass Antivirus with ScrubCrypt Tool to Install RedLine Malware

The ScrubCrypt obfuscation tool has been discovered to be utilized in attacks to disseminate the RedLine Stealer...

Hotel’s Hacked Logins Let Attacker Steal Guest Credit Cards

According to a recent report by Secureworks, a well-planned and advanced phishing attack was...

Critical Zoom Vulnerability Let Attackers Take Over Meetings

Zoom, the most widely used video conferencing platform has been discovered with a critical...

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles