The Dangerous Defect Found In Hondas
According to the FBI, 721,885 vehicles were stolen in the U.S. in 2019, which accounted for a loss of $6.4 billion — and even more alarming, that number increased by 11.8% in 2020. When focusing on 2021 in particular, the National Insurance Crime Bureau says the Honda Civic, Honda Accord, and Honda CR-V were among the top 10 most stolen vehicle models in the United States. Interestingly, of the Honda vehicles that made the list, older cars (1997 to 2000) were stolen more often than newer ones, which may be due to potential security flaws that were addressed in later model years.
However, the 2017 through 2019 Honda CRV model years were among the most stolen vehicles in Canada in 2019, and they don't fit the bill of old vehicles with outdated technology. "It's very possible that thieves have developed a decoder that allows them to clone the signals emitted by these vehicles' key fobs", the National Director of Investigative Services at the Insurance Bureau of Canada told The Globe and Mail. Despite automakers taking steps to address that problem, researchers are still finding different ways to expose security vulnerabilities in modern vehicles that utilize remote key fobs — and Honda vehicles are currently at the center of it.
Some Honda cars are vulnerable to replay attacks
A couple of researchers have published details on an exploit they call the Rolling Pwn Attack that enabled them to remotely unlock and start some 2012 through 2022 model year Honda vehicles. The exploit involves Honda's keyless entry system, which relies on rolling codes to prevent unauthorized access to the vehicle. The rolling code system is designed to create a new code every time the driver presses the key fob so that a potential thief can't use old codes to access the vehicle. This means even if hackers intercepted a signal from the key fob using a replay device, they wouldn't be able to use it.
Ladies and gentlemen, it is my honor to presenting you the Rolling-Pwn attack research on Honda Keyfob system. (https://t.co/UqJEJofxtr) pic.twitter.com/3ZccqfJrUa
— Kevin2600 (@Kevin2600) July 7, 2022
Nevertheless, the report says that Honda's system is designed in such a way that it's possible for someone to intercept codes from remote keyless fobs from almost 100 feet away and then reuse those old rolling codes to access the vehicle. Once the hackers have synchronized the rolling codes, they can replay them to unlock the car and start the engine. Beyond that, the recycled rolling codes can reportedly be used repetitively with no time lapse that makes them invalid.
The researchers claim that the vulnerability likely affects all Honda models from 2012 to 2022, though they say they have successfully used the replay attack on 10 different Honda models. The Drive also verified the exploit by unlocking and starting a 2021 Honda Accord using an SDR (software-defined radio) device without a key fob.
Honda's response isn't reassuring
After the research was published, Honda was initially skeptical about its credibility due to insufficient evidence, according to The Drive. However, a company spokesperson told TechCrunch that "it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours."
Honda also clarified that "while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away." In other words, Honda doesn't seem to think it's a big concern. The researchers who discovered the vulnerability report as much on the Rolling Pwn website, where they shared a screenshot of an email allegedly from Honda's customer service that acknowledges the issue, but says it is "a lower risk to customers" due to the combination of requiring some tech skills to pull off and not being suitable for actually driving the car.
While an over-the-air update could technically be used to address the vulnerability, such updates can't be used with older Honda vehicles that lack connectivity. Instead, the automaker says the latest model year vehicles it will introduce to the market will include an updated system with improved security.