Honda key fob flaw lets hackers remotely unlock and start cars

The hackers demonstrating the radio replay attack using a vulnerable Honda key fob. Honda said it could not determine if the attack was “credible.” Image Credits: Star-V Lab

Security researchers have revealed a vulnerability in Honda’s keyless entry system that could allow hackers to remotely unlock and start potentially “all Honda vehicles currently existing on the market.”

The “Rolling-Pwn” attack, uncovered by Star-V Lab security researchers Kevin2600 and Wesley Li, exploits a vulnerability in the way Honda’s keyless entry system transmits authentication codes between the car and the key fob. It works in a similar way to the recently discovered Bluetooth replay attack affecting some Tesla vehicles; using easily purchasable radio equipment, the researchers were able to eavesdrop and capture the codes, then broadcast them back to the car in order to gain access.

This allowed the researchers to remotely unlock and start the engines of cars affected by the vulnerability, which includes models from as far back as 2012 and as recent as 2022. But according to The Drive, which independently tested and verified the vulnerability on a Honda Accord 2021, the key fob flaw doesn’t allow an attacker to drive off with the vehicle.

As noted by the researchers, this kind of attack should be prevented by the vehicle’s rolling codes mechanism — a system introduced to prevent replay attacks by providing a new code for each authentication of a remote keyless entry. Vehicles have a counter that checks the chronology of the generated codes, increasing the count when it receives a new code.

Kevin2600 and Wesley Li found that the counter in Honda vehicles is resynchronized when the car vehicle gets lock and unlock commands in a consecutive sequence, causing the car to accept codes from previous sessions that should have been invalidated.

“By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter,” the researchers write. “Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”

The researchers say they tested their attack on several Honda models, including the Honda Civic 2012, Honda Accord 2020 and Honda Fit 2022, but warn that the security vulnerability could affect “all Honda vehicles currently existing on the market” and may also affect other manufacturers’ cars.

The security researchers say they attempted to contact Honda about the vulnerability but found that the company “does not have a department to deal with security-related issues for their products.” As such, they reported the issue to Honda customer service but have not yet received a response.

In a statement given to The Drive, the company initially insisted that the technology in its key fobs “would not allow the vulnerability as represented in the report.”

However, in a statement given to TechCrunch, Honda spokesperson Chris Naughton said the company “can confirm claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours.

“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches,” Naughton said, noting that while the company has “no plan” to update older vehicles, redesigned 2022 and 2023 model year vehicles have an improved system that would prevent this type of attack from working.

As noted by the security researchers, fixing the flaw would be difficult due to the fact that older vehicles don’t support over-the-air (OTA) updates. Worryingly, the researchers also warned there’s no way to guard against the hack and no way to determine if it happened to you.

Updated with comment from Honda.