Despite Honda’s insistence that the cars have security features designed to prevent attackers from doing just that, security researchers and The Drive’s Rob Stumpf recently posted videos of themselves remotely unlocking and starting a number of Honda vehicles using handheld radios. The researchers claim that a flaw in the keyless entry system of many Honda vehicles produced between 2012 and 2022 has made this hack possible. The flaw has been given the name Rolling-PWN.
The fundamental idea behind Rolling-PWN is comparable to previous attacks used against Teslas and VWs as well as other devices; using radio equipment, someone records a legitimate radio signal from a key fob and then broadcasts it back to the car. It’s known as a replay attack, and you’re correct if you believe that some form of cryptography should make it possible to defend against this kind of attack. When you press the button to unlock your car, it unlocks, and that specific signal shouldn’t ever unlock your car again, according to the theory behind the rolling key system that many modern cars employ.
However, not every recent Honda has that level of protection, as Jalopnik points out. Researchers have also discovered flaws in surprisingly recent Hondas (specifically, Civics from 2016 to 2020), which used an unencrypted, constant signal instead. Even vehicles with rolling code systems, such as the 2020 Honda CR-V, Accord, and Odyssey, may be susceptible to the recently discovered attack, according to Honda. Videos of the hack being used to unlock rolling code vehicles can be found on the Rolling-PWN website. Stumpf was able to, well, pretty much pwn a 2021 Accord with the exploit, starting its engine remotely before unlocking it.
According to Honda, its key fobs and vehicles are equipped with security features that “would not allow the vulnerability as represented in the report” to be exploited. In other words, the company claims that the attack shouldn’t be feasible, but it is undoubtedly feasible in some way. The Drive’s demonstration was published on Monday, and we contacted the company for a response regarding it, but we did not receive one right away.
The attack, according to the Rolling-PWN website, works because it’s able to resynchronize the car’s code counter, meaning that it’ll accept old codes. In other words, because the system is designed to have some tolerances (so you can use your keyless entry even if the button gets pressed once or twice while you’re away from the car, and so the car and remote stay in sync), its security system can be defeated. The website also asserts that it affects “all Honda vehicles currently existing on the market,” but it acknowledges that only a few model years have actually been tested.
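The tolerance and resynchronization behavior described above, modelled as an added example (not code from the article, the researchers or Honda): a receiver that tolerates missed presses and resynchronizes, but only ever moves its counter forward, so a captured code stays rejected. The HMAC-based code derivation, the window sizes and the two-consecutive-codes resync rule are assumptions for illustration, not Honda's protocol.

```python
import hashlib
import hmac

OPEN_WINDOW = 16      # assumed: presses tolerated while away from the car
RESYNC_WINDOW = 1024  # assumed: further ahead requires two consecutive codes

def code_for(key: bytes, counter: int) -> bytes:
    # Toy derivation (assumption): truncated HMAC-SHA256 over the counter.
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0
    def press(self) -> bytes:
        self.counter += 1
        return code_for(self.key, self.counter)

class Receiver:
    def __init__(self, key: bytes):
        self.key, self.last, self.pending = key, 0, None
    def accept(self, code: bytes) -> bool:
        # Candidates are always strictly ahead of the last accepted counter,
        # so a captured (already used) code can never match again.
        ahead = range(self.last + 1, self.last + 1 + RESYNC_WINDOW)
        c = next((n for n in ahead
                  if hmac.compare_digest(code, code_for(self.key, n))), None)
        if c is None:
            self.pending = None
            return False
        if c <= self.last + OPEN_WINDOW or c - 1 == self.pending:
            self.last, self.pending = c, None  # counter only moves forward
            return True
        self.pending = c  # far ahead: wait for the next consecutive code
        return False

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample key
    fob, car = Fob(key), Receiver(key)
    first = fob.press()
    out = {"fresh": car.accept(first), "replay": car.accept(first)}
    for _ in range(3):
        fob.press()  # button pressed while away from the car
    out["after_missed_presses"] = car.accept(fob.press())
    for _ in range(40):
        fob.press()  # fob drifts past the open window
    out["far_ahead_first"] = car.accept(fob.press())
    out["far_ahead_second"] = car.accept(fob.press())
    out["old_code_after_resync"] = car.accept(first)
    return out
```

The invariant to check in any real implementation is the one the last result exercises: no path through resynchronization may lower the stored counter or re-admit a counter value that was already accepted.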
Even more concerning, the website implies that other automaker brands may also be impacted, but it provides few specifics. While that makes me warily glance at my Ford, it’s actually probably for the best because, if the security researchers are acting responsibly, they should be contacting automakers to let them know about the problem before details are made public. Jalopnik claims that when the researchers contacted Honda, they were instructed to file a report with customer service, which isn’t exactly standard security procedure.