Vulnerability in Honda Cars Let Hackers Unlock & Start Remotely

In nearly all Honda models, hackers were able to open the doors and start the car remotely. A remote keyless entry system is often fitted to modern vehicles, allowing for effortless access to the vehicle. 

A remote keyless entry system allows the vehicle to be unlocked or started remotely through a mobile device. Recently, Kevin2600, a security professional, conducted a test to assess the level of resistance to an RKE system that is in use today.

Based on the results of this analysis, it was discovered that all Honda vehicles that have been manufactured between the years 2012 and 2022 have a Rolling-PWN attack vulnerability.

This vulnerability could be exploited by any hacker from afar to open the car door permanently or, in the worst-case scenario, even start the engine of the car as well.

Flaw Profile

• CVE ID: CVE-2021-46145
• Description: The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. This is related to a non-expiring rolling code and counter-resynchronization.
• Base Score: 5.3
• Severity: MEDIUM

Technical Analysis

A software-defined radio allows an attacker to capture the code that the car owner uses to unlock the vehicle by exploiting a vulnerability in software-defined radios. 

The hacker would then be able to open the car as well by replaying the process. As far as 30 meters can be observed in some cases, it is possible to perform the attack from that distance. 

Kevin2600 and his co-workers broke into Honda models using a method known as rolling code in order to get the code to work. As a result, every time the keyfob is used, a different code will be sent to the car, which in turn will be used to unlock it.

Ideally, this would prevent the code from being captured and reused in the future. A flaw has been found, however, which allows the researchers to revert the code to an older version, and then open the car by reusing the older code.

Vulnerable Honda Models

In order to test the attack on different Honda models, Kevin2600 headed to a Honda dealership with his colleagues. There were 10 Honda models that were found to be vulnerable during the visit. 

It is for this reason that they believe that the attack will be able to affect all Honda models produced between 2012 and 2022.

Here below we have mentioned all the tested vulnerable Honda models:-

• Honda Civic 2012
• Honda X-RV 2018
• Honda C-RV 2020
• Honda Accord 2020
• Honda Odyssey 2020
• Honda Inspire 2021
• Honda Fit 2022
• Honda Civic 2022
• Honda VE-1 2022
• Honda Breeze 2022

In the past few months, there have been many attacks on modern cars and other targets aimed at unlocking them. It would be fair to conclude that attacks such as these are now one of the most common forms of attacks that are being conducted.

Moreover, there is no way to tell if somebody is attempting to exploit the flaw in your car as it leaves no traces, and there is no way to tell if they have been successful.

Apart from this, it’s recommended that owners could take their car to the local Honda dealership or else patch the keyfob’s vulnerable firmware. to fix the issue.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.