Honda’s Keyless Access Bug Could Let Thieves Remotely Unlock and Start Vehicles


Two researchers have released a proof-of-concept (PoC) demonstrating that a malicious actor can remotely lock, unlock, and even start Honda and Acura vehicles by means of what’s called a replay attack.

The attack is made possible by a vulnerability in Honda’s remote keyless system (CVE-2022-27254) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart).


“A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership,” Berry explained in a GitHub post.

The underlying issue is that the remote key fob on the affected Honda vehicles transmits the same unencrypted radio frequency signal (433.215MHz) to the car, so an adversary who intercepts the request can replay it at a later time to wirelessly start the engine as well as lock and unlock the doors.


This is not the first time a flaw of this kind has been uncovered in Honda vehicles. A related issue discovered in 2017 Honda HR-V models (CVE-2019-20626, CVSS score: 6.5) was “seemingly ignored” by the Japanese company, Berry alleged.

“Manufacturers must implement Rolling Codes, otherwise known as hopping code,” Rajesh said. “It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system.”
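The difference between a static code and a fresh code per authentication can be shown from the receiver's side. The following is an added example, not code from the researchers or from Honda: it contrasts a receiver that accepts a fixed frame with one that requires a per-press counter authenticated by an HMAC. The key, frame layout, command byte and window size are assumptions made for illustration, and production rolling-code systems use their own ciphers and frame formats.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: tolerates presses made out of the car's range
STATIC_FRAME = b"UNLOCK"  # constructed stand-in for a fixed, unencrypted command

def static_receiver(frame):
    """Fixed-code receiver: a byte-identical copy of a valid frame always passes."""
    return hmac.compare_digest(frame, STATIC_FRAME)

def _tag(key, body):
    # HMAC truncated to 8 bytes to keep the demo frame short (assumption).
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingFob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, command):
        self.counter += 1  # fresh counter value for every transmission
        body = struct.pack(">IB", self.counter, command)
        return body + _tag(self.key, body)

class RollingReceiver:
    def __init__(self, key):
        self.key, self.last = key, 0

    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False  # forged or modified frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False  # already seen (replay) or too far ahead
        self.last = counter  # a used counter value can never be accepted again
        return True

def demo():
    key = b"constructed-demo-key"
    fob, car = RollingFob(key), RollingReceiver(key)
    first = fob.press(0x01)
    out = {"static_replay": static_receiver(STATIC_FRAME),
           "rolling_first": car.accept(first),
           "rolling_replay": car.accept(first)}
    fob.press(0x01); fob.press(0x01)  # two presses the car never hears
    out["rolling_after_missed"] = car.accept(fob.press(0x01))
    return out
```
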

We have asked Honda for a comment, and we will update the story once we hear back.
