Honda bug lets a hacker unlock and launch your car through a replay attack


Researchers have revealed a “replay attack” vulnerability affecting select Honda and Acura car models, allowing a nearby hacker to unlock your car and even start the engine from a short distance.

The attack consists of a threat actor that captures the RF signals sent from your key fob to the car and retransmits those signals to take control of your car’s remote control system.

The vulnerability remains largely unresolved in older models, according to researchers. But Honda owners may be able to take action to protect themselves from this attack.

From wireless unlocking to keyless engine start

This week, multiple researchers revealed a vulnerability that could be used by a nearby attacker to unlock some Honda and Acura car models and start their engines wirelessly.

The vulnerability, tracked as CVE-2022-27254, is a Man-in-the-Middle (MitM) attack or more specifically a replay attack in which an attacker intercepts the RF signals normally sent from a remote control to the car. sent, these signals and resends them at a later time to unlock the car at will.

A video shared by the researchers also demonstrates the remote engine launch aspect of the flaw, although no technical details or proof-of-concept (PoC) exploit code were shared at this time:

The researchers who discovered the vulnerability are computer scientist Blake Berry, University of Massachusetts professors Hong Liu and Ruolin Zhou, and Cybereason CSO. Sam Curry†

According to researchers, the vehicles affected by this bug are mainly the 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R) cars.

In a GitHub repository, Berry shared that it was also possible to manipulate and resend the captured commands to achieve a completely different result.

For example, in one of his tests, Berry recorded the “lock” command sent by the keychain, which consisted of the following bits.

653-656, 667-668, 677-680, 683-684, 823-826, 837-838, 847-850, 853-854

Berry then “turned around” and re-send these bits to the vehicle, which in turn caused the vehicle to unlock.

It is also not the first time that such a defect has been reported in cars.

In 2020, Berry had reported a similar error (CVE-2019-20626) affecting the following Honda and Acura models, but claimed that Honda ignored his report and “continued to implement 0 security measures against these very simple” replay/replay and edit’ attack.”

2009 Acura TSX 2016 Honda Accord V6 Touring Sedan 2017 Honda HR-V (CVE-2019-20626) 2018 Honda Civic Hatchback 2020 Honda Civic LX

The researchers’ advice to car manufacturers is to implement ‘rolling codes’, also known as hopping codes. This security technology creates new codes for each authentication request, and as such, these codes cannot be ‘replayed’ by an attacker at a later time.

In January 2022, researcher Kevin2600 had also revealed a similar vulnerability, tracked as CVE-2021-46145, but mentioned that the particular keyless system used rolling codes, making the attack much less effective:

So plus that one [CVE-2021-46145] I discovered a few months ago that we now have at least 3 CVEs related to Honda Well done! @Honda πŸ˜›

β€” Kevin2600 (@Kevin2600) March 24, 2022

Honda has ‘no plan’ to update older models

To better understand the impact of this vulnerability and Honda’s plans to address the flaw, BleepingComputer reached out to Honda.

Honda told us that multiple automakers are using legacy technology to implement remote lock-unlock functionality, and as such can be vulnerable to “determined and highly technologically advanced thieves.”

β€œAt this point, it appears that the devices only appear to work nearby or physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and nearby will be launched,” a Honda spokesman told BleepingComputer.

Note that Honda explicitly states in their statement to us that it has not verified the information reported by the investigators and cannot confirm whether Honda’s vehicles are actually vulnerable to this type of attack.

But if the vehicles are vulnerable, “Honda has no plans at this time to update older vehicles,” the company tells BleepingComputer.

“It’s important to note that while Honda regularly improves security features as new models are introduced, determined and technologically advanced thieves are also working to overcome those features.”

Furthermore, the company states that a nearby thief could use other means to gain access to a vehicle, rather than relying on hi-tech hacks like this one, and there is no indication that the type of interceptor device in question is widely used. Although the remote engine starting aspect of the error remains problematic as it goes well beyond a simple door unlock hack.

The researchers suggest that consumers keep their key fobs in signal-blocking ‘Faraday bags’ when not in use, although that approach still won’t protect against a determined attacker who eavesdrops on signals when the fob is used.

Another suggestion from the researchers is that consumers opt for Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE), which would “make it significantly more difficult for an attacker to clone/read the signal due to the proximity they would have”. must be to do that.”

“If you believe you have been the victim of this attack, the only current solution is to reset your key fob at the dealership,” the researchers concluded.

This post Honda bug lets a hacker unlock and launch your car through a replay attack

was original published at “”