Researchers have disclosed a ‘replay attack’ vulnerability affecting select Honda and Acura car models, that allows a nearby hacker to unlock your car and even start its engine from a short distance.
The attack consists of a threat actor capturing the RF signals sent from your key fob to the car and resending these signals to take control of your car’s remote keyless entry system.
The vulnerability, according to researchers, remains largely unfixed in older models. But Honda owners may be able to take some action to protect themselves against this attack.
From wireless unlocking to keyless engine start
This week, multiple researchers disclosed a vulnerability that can be used by a nearby attacker to unlock some Honda and Acura car models, and start their engines wirelessly.
The vulnerability, tracked as CVE-2022-27254, is a Man-in-the-Middle (MitM) attack or more specifically a replay attack in which an attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-sends these at a later time to unlock the car at will.
A video shared by the researchers also demonstrates the remote engine start aspect of the flaw—although no technical details or proof-of-concept (PoC) exploit code were shared at this time:
The researchers credited with discovering the vulnerability are computer scientist Blake Berry, and researcher Ayyappan Rajesh.
According to researchers, the vehicles impacted by this bug primarily include the 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R) cars.
In a GitHub repository, Berry shared that it was also possible to manipulate the captured commands and re-transmit them to achieve a different outcome altogether.
For example, in one of his tests, Berry recorded the “lock” command sent by the key fob, which consisted of the following bits.653-656, 667-668, 677-680, 683-684, 823-826, 837-838, 847-850, 853-854
Berry then “flipped” and re-sent these bits to the vehicle, that in turn had the effect of unlocking the vehicle.https://e06bc4b1bbaf4f537e3f6bf6b76ab2a5.safeframe.googlesyndication.com/safeframe/1-0-38/html/container.html
This isn’t the first time that such a flaw has been reported in cars either.
In 2020, Berry had reported a similar flaw (CVE-2019-20626) affecting the following Honda and Acura models but alleged that Honda ignored his report and “continued to implement 0 security measures against this very simple ‘replay/replay and edit’ attack.”
2009 Acura TSX
2016 Honda Accord V6 Touring Sedan
2017 Honda HR-V (CVE-2019-20626)
2018 Honda Civic Hatchback
2020 Honda Civic LX
The researchers’ recommendation for the vehicle manufacturers is that they implement ‘rolling codes,’ also known as hopping codes. This security technology provides fresh codes for each authentication request, and as such these codes cannot be ‘replayed’ by an attacker at a later time.
In January 2022, researcher Kevin2600 had also disclosed a similar vulnerability, tracked as CVE-2021-46145, but mentioned that the particular keyless system used rolling codes, therefore making the attack far less effective:
So plus the one [CVE-2021-46145] I found a few months ago, we now have at least 3 CVEs related to Honda https://t.co/HoVahGCbtA Well done! @Honda :p
To better understand the impact of this vulnerability and Honda’s plans to address the flaw, BleepingComputer reached out to Honda.
Honda told us, multiple automakers use legacy technology for implementing remote lock-unlock functionality, and as such may be vulnerable to “determined and very technologically sophisticated thieves.”
“At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby,” a Honda spokesperson told BleepingComputer.
Note, in their statement to us, Honda explicitly mentions it has not verified the information reported by the researchers and cannot confirm if Honda’s vehicles are actually vulnerable to this type of attack.
But should the vehicles be vulnerable, “Honda has no plan to update older vehicles at this time,” the company tells BleepingComputer.
“It’s important to note, while Honda regularly improves security features as new models are introduced, determined and technologically sophisticated thieves are also working to overcome those features.”
Further, the company argues that a nearby thief can use other means to access a vehicle, as opposed to relying on hi-tech hacks like these and there is no indication that the type of interception device in question is widely used. Although, the remote engine start aspect of the flaw remains problematic as it goes well beyond a simple door unlock hack.
The researchers suggest that consumers store their key fobs in signal-blocking ‘Faraday pouches’ when not in use, although that approach still won’t protect against a determined attacker eavesdropping on signals when the fob is used.
Another suggestion made by the researchers is for consumers to opt for Passive Keyless Entry (PKE) as opposed to Remote Keyless Entry (RKE), which would make it “significantly harder for an attacker to clone/read the signal due to the proximity they would need to be at to do so.”
“If you believe that you are a victim of this attack, the only current mitigation is to reset your key fob at the dealership,” conclude the researchers.
Update March 26th, 01:48 AM ET: Credits for the vulnerability have been updated as requested by the researchers. An earlier version of the GitHub repository with the demo videos credited the researchers differently but this was later revised.
