Honda And Acura Replay Attack Lets Hackers Remotely Unlock And Start These Cars

We can sometimes forget how deeply computers are integrated into our lives beyond standard computing devices like phones, laptops, and desktop PCs. The hackability of computer systems beyond these devices can be a stark reminder of the ubiquity of computer systems. Just last week, a hacker was found to have stolen 400 gallons of fuel from a gas station in North Carolina. Now this week, a group of cybersecurity researchers published a proof of concept for a vulnerability in Honda’s remote keyless system.

The researchers posted videos demonstrating the use of a radio transceiver to lock, unlock, and remote start a 10th generation (2016-2021) Honda Civic. The videos serve as proof of the capacity for hackers to exploit a vulnerability in Honda’s remote keyless system. The vulnerability is listed in the National Vulnerability Database (NVD) as CVE-2022-27254.

Honda’s remote keyless system sends the same radio frequency (RF) code for each request, rather than employing a rolling code technique that changes the code after every request. As a result, Hondas and Acuras are open to replay Man-in-the-Middle (MitM) attacks, where a nearby attacker intercepts the RF codes sent by the remote keyless system and later uses them to lock, unlock, or remote start the car. If Honda’s remote keyless system used rolling codes, then a code intercepted by an attacker could not be re-used, but, since the codes are fixed, an attacker can re-transmit an intercepted code and successfully lock, unlock, or remote start the target vehicle. 
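The difference between a fixed code and a rolling code can be modeled in a few lines. The Python below is an added example, not code from the researchers or from Honda, and it does not reproduce the actual key fob protocol. The frame layout, the HMAC-based code, the counter window, and all names, keys and byte values are assumptions constructed for illustration.

```python
import hashlib
import hmac

UNLOCK = b"\x01"   # constructed 1-byte command identifier (assumption)
TAG_LEN = 8        # truncated HMAC-SHA256 tag length (assumption)

class FixedCodeReceiver:
    """Design described in the article: one static code per command."""
    def __init__(self, static_codes):
        self.static_codes = set(static_codes)
    def accept(self, frame):
        # No freshness check, so a recorded frame stays valid forever.
        return frame in self.static_codes

class RollingCodeFob:
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self, command):
        self.counter += 1  # every press produces a different frame
        msg = command + self.counter.to_bytes(4, "big")
        return msg + hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]

class RollingCodeReceiver:
    def __init__(self, key, window=16):
        self.key, self.last_counter, self.window = key, 0, window
    def accept(self, frame):
        if len(frame) != 1 + 4 + TAG_LEN:
            return False
        msg, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(msg[1:], "big")
        # Only counters ahead of the last accepted one pass; the window
        # tolerates presses made while the fob was out of radio range.
        if not self.last_counter < counter <= self.last_counter + self.window:
            return False  # replayed or stale frame
        self.last_counter = counter
        return True

def demo():
    key = b"constructed-demo-key"        # constructed shared secret
    static_code = b"\x01\xaa\xbb\xcc"    # constructed fixed unlock code
    fixed = FixedCodeReceiver([static_code])
    fob, car = RollingCodeFob(key), RollingCodeReceiver(key)
    frame = fob.press(UNLOCK)            # one recorded rolling-code frame
    return {"fixed_first": fixed.accept(static_code),
            "fixed_replay": fixed.accept(static_code),
            "rolling_first": car.accept(frame),
            "rolling_replay": car.accept(frame),
            "rolling_next": car.accept(fob.press(UNLOCK))}
```
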

As far as we can tell, this vulnerability has appeared before in the NVD under two different Common Vulnerabilities and Exposures (CVE) identifiers. CVE-2019-20626 dates back to 2019 and pertains to the 2017 Honda HR-V. The other CVE identifier, CVE-2021-46145, was registered in the NVD after a researcher published a proof of concept for an exploit of the vulnerability on a 2012 Honda Civic. Blake Berry, a member of the group that brought the vulnerability to light again this week, also previously published a video demonstrating the exploit on a 2016 Honda Accord and confirmed that it worked on a 2009 Acura TSX, a 2018 Honda Civic Hatchback, and a 2020 Honda Civic LX. However, Berry speculates that all Honda and Acura vehicles that use Honda’s remote keyless system are vulnerable.

A Honda spokesperson told BleepingComputer that it has not verified these vulnerabilities, but that if the company’s vehicles are vulnerable, “Honda has no plan to update older vehicles at this time.” The spokesperson added that “It's important to note, while Honda regularly improves security features as new models are introduced, determined and technologically sophisticated thieves are also working to overcome those features.” The spokesperson also pointed out that this hack is relatively sophisticated compared to other means that thieves can use to access vehicles and requires thieves to be within close proximity of a vehicle while the owner is using the remote keyless system.

Nathan Wasson

Opinions and content posted by HotHardware contributors are their own.