Security researchers and The Drive’s Rob Stumpf recently released a video of their use of a handheld radio to unlock and remotely start several Honda vehicles, though the car company insists the cars have security protections that would prevent an attacker from doing such a thing. According to the researchers, the hack was made possible because of a vulnerability in the keyless entry system of many Honda cars built between 2012 and 2022.
They call this vulnerability Rolling-PWN.
The basic concept of Rolling-PWN is similar to the attacks we’ve seen before against Volkswagen and Tesla and other devices, where someone uses a radio device to record a legitimate radio signal from a key fob and then transmits it to the car. This is called a replay attack, and if you think it should be possible to defend against this attack with some sort of cryptography, then you are right. In theory, many modern cars use a rolling key system, which basically means that each signal only works once; when the button is pressed to unlock the car, the car is unlocked and that exact signal should not unlock it again.
But as Jalopnik points out, not every recent Honda car has this level of protection. Researchers have also found vulnerabilities where, surprisingly, recent Honda cars (especially 2016 through 2020 Civics) instead use an unencrypted signal that doesn’t change. Even those cars with the rolling code system – including the 2020 CR-V, Accord, and Odyssey – could be vulnerable to the recently discovered attack. Stumpf even used the vulnerability to fool a 2021 Accord, remotely turning on the car’s engine and unlocking it.
Honda told The Drive, however, that the security systems it installs in its key fobs and cars do not allow the vulnerabilities described in the report to be carried out. In other words, the company says such an attack couldn’t happen – but apparently, somehow, it does.
According to the Rolling-PWN website, this attack worked because it was able to resynchronize the car’s code counter, meaning it would accept the old code – basically, because the system was built with some tolerance, its security system could be defeated. The site also claims that it affects all existing Honda cars currently on the market, though it says they’ve actually only tested it on a handful of models.
And more worryingly, the site suggests that other brands of cars are also affected, but is vague on the details.
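The counter resynchronization described above can be shown with a toy receiver model, added here as an illustration and not taken from the Rolling-PWN site or from Honda's implementation. The HMAC scheme, `WINDOW`, `RESYNC_SPAN`, the two-consecutive-codes resync rule and all names are assumptions; the weak variant lets resync move the counter backward, while the monotonic variant only ever moves it forward.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 4          # assumed look-ahead tolerance for missed button presses
RESYNC_SPAN = 1000  # assumed search range for the resync path

def fob_code(counter: int) -> bytes:
    """Toy rolling code: truncated HMAC over the fob's press counter."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, monotonic: bool):
        self.counter = 0        # counter of the last accepted code
        self.pending = None     # counter seen on the previous resync attempt
        self.monotonic = monotonic

    def _find(self, code: bytes, lo: int, hi: int):
        for c in range(lo, hi + 1):
            if hmac.compare_digest(code, fob_code(c)):
                return c
        return None

    def accept(self, code: bytes) -> bool:
        # Normal path: only codes slightly ahead of the counter unlock.
        c = self._find(code, self.counter + 1, self.counter + WINDOW)
        if c is not None:
            self.counter, self.pending = c, None
            return True
        # Resync path (assumed): two consecutive codes move the counter.
        # The weak variant also searches counters that were already used.
        lo = self.counter + 1 if self.monotonic else 1
        c = self._find(code, lo, self.counter + RESYNC_SPAN)
        if c is not None and self.pending is not None and c == self.pending + 1:
            self.counter, self.pending = c, None
            return True
        self.pending = c
        return False

def old_codes_accepted(monotonic: bool) -> bool:
    """Use ten codes normally, then present three of the used ones again."""
    rx = Receiver(monotonic)
    used = [fob_code(n) for n in range(1, 11)]  # constructed key presses
    if not all(rx.accept(code) for code in used):
        raise RuntimeError("legitimate presses should all be accepted")
    return any([rx.accept(used[2]), rx.accept(used[3]), rx.accept(used[4])])
```

In this model the tolerance that keeps fob and car in sync is preserved by the monotonic receiver: a fob that has run far ahead can still resynchronize, but no already-used counter value is ever searched.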