Security researchers and The Drive’s Rob Stumpf have recently posted videos of themselves unlocking and remotely starting several Honda vehicles using handheld radios, despite the company’s insistence that the cars have security protections meant to stop attackers from doing that very thing. According to the researchers, this hack is made possible because of a vulnerability in the keyless entry system in many Hondas made between 2012 and 2022. They’ve dubbed the vulnerability Rolling-PWN.
The basic concept for Rolling-PWN is similar to attacks we’ve seen before used against VWs and Teslas, as well as other devices; using radio equipment, someone records a legitimate radio signal from a key fob, then broadcasts it back to the car. It’s called a replay attack, and if you’re thinking that it should be possible to defend against this kind of attack with some sort of cryptography, you’re right. In theory, many modern cars use what’s called a rolling key system, basically making it so that each signal will only work once; you press the button to unlock your car, your car unlocks, and that exact signal shouldn’t ever unlock your car again.
But as Jalopnik points out, not every recent Honda has that level of protection. Researchers have also found vulnerabilities where surprisingly recent Hondas (2016 to 2020 Civics, specifically) instead used an unencrypted signal that doesn’t change. And even those that do have rolling code systems — including the 2020 CR-V, Accord, and Odyssey, Honda tells Vice — may be vulnerable to the recently-uncovered attack. Rolling-PWN’s website has videos of the hack being used to unlock those rolling code vehicles, and Stumpf was able to… well, pretty much pwn a 2021 Accord with the exploit, turning on its engine remotely and then unlocking it.
Honda told The Drive that the security systems it puts in its key fobs and cars “would not allow the vulnerability as represented in the report” to be carried out. In other words, the company says the attack shouldn’t be possible — but clearly, it is somehow. We’ve asked the company for comment on The Drive’s demonstration, which was published on Monday, but it didn’t immediately reply.
According to the Rolling-PWN website, the attack works because it’s able to resynchronize the car’s code counter, meaning that it’ll accept old codes — basically, because the system is built to have some tolerances (so you can use your keyless entry even if the button gets pressed once or twice while you’re away from the car, and so the car and remote stay in sync), its security system can be defeated. The site also claims that it affects “all Honda vehicles currently existing on the market,” but admits that it’s only actually been tested on a handful of model years.
Even more worryingly, the site suggests that other brands of cars are also affected, but is vague on the details. While that makes me nervously eye my Ford, it’s actually probably a good thing — if the security researchers are following standard responsible disclosure procedures, they should be reaching out to automakers and giving them a chance to address the issue before details are made public. According to Jalopnik, the researchers had reached out to Honda, but were told to file a report with customer service (which isn’t really standard security practice).