Are you the owner of a Honda car? If so I suggest you carefully read the results of a research conducted by a group of researchers who have discovered a flaw baptized as Rolling-PWN attack that can be exploited by a remote attacker to unlock the vehicle and even start the engine for some. models.
The Rolling-Pwn Attack vulnerability, coded as Cve-2021-46145, was independently discovered by research team Kevin2600 and Star-V Lab expert Wesley Li in select Honda models.
Before going into the details of the research let’s clarify some basic concepts such as a remote keyless system (Rke). A keyless remote access (RKE) system allows you to remotely unlock or start a vehicle. The research conducted by the researchers focused precisely on the keyless remote access (RKE) system used by the car manufacturer Honda. Indeed, according to experts, the problem could affect all Honda vehicles on the market and produced from the year 2012 until the year 2022.
The case
Too easy to hack a car, demonstration at the French show
by Vincenzo Borgomeo
Experts have discovered the flaw in the mechanism known as “rolling code” implemented in many Honda models to prevent so-called replay attacks.
Each time we press the car remote control button a code is sent to the vehicle. However, it could happen that you accidentally press the button several times, for this reason the cars accept a set of codes that can be sent to them, precisely in order to be able to receive a series of admissible codes within a window that provides more permissible codes within a sequence established by the authentication algorithm. The problem discovered by the researchers consists in the possibility of reusing codes sent by the remote control at a later time to open the car or start it remotely.
Engines
Qualcomm brings 5G to Stellantis cars: it starts with Maserati
by Vincenzo Borgomeo
“We found it in a vulnerable version of the mechanism of rolling code, which is implemented in many Honda vehicles. A variable code system in keyless access systems serves to prevent replay attacks. After each press of the remote control button, the rotating code synchronization counter is incremented. However, the vehicle receiver will accept a scrollable code window, to avoid accidental key presses based on the design. reads the Description of Rolling Pwn Attack published on GitHub. “By sending the commands in sequence to Honda vehicles, the counter will be resynchronized. Once the counter resynchronized, the commands from the previous counter cycle worked again. Therefore, those controls can be used later to unlock the car at will.
The researchers also posted a series of PoC videos, below is an attack on a Honda CRV:
The researchers pointed out that there is no way to find out if someone exploited the flaw against a model because the attack leaves no traces in traditional log files.
How can the flaw be resolved?
According to experts, it will be necessary to recall the cars affected by the vulnerability in dealerships and for those vehicles that implement the over-the-air (OTA) update mode, or remotely, it will simply be necessary to distribute the new firmware remotely.
Connected cars, who attacks them and how?
by Pierlugi Paganini
“The common solution requires us to return the vehicle to a local dealership as a recall. But the recommended mitigation strategy is to update the vulnerable Bcm firmware via over-the-air (OTA) updates if possible. However, some older vehicles may not support Ota. “Expert advice.
The research team has certainly tested the act against the 10 most popular models of Honda vehicles marketed from the year 2012 through the year 2022, including:
· Honda Civic 2012
Honda X-RV 2018
Honda C-RV 2020
2020 Honda Accord
· Honda Odyssey 2020
· Honda Inspire 2021
· Honda Fit 2022
· Honda Civic 2022
· Honda VE-1 2022
· Honda Breeze 2022
The worrying aspect of this story is that Honda seems to have no intention of resolving the problem for older vehicles in the short term, at least according to the statements made to the BleepingComputer website which contacted the automaker on the subject.
“Note, in their statement, Honda explicitly mentions that it has not verified the information reported by the researchers and cannot confirm whether Honda vehicles are indeed vulnerable to this type of attack.
But if the vehicles were vulnerable, “Honda has no plans to update older vehicles right now,” the company tells BleepingComputer. “
The question remains whether the problem is related only to vehicles produced by Honda, or whether other manufacturers are impacted. According to experts, other car manufacturers could suffer the same problems.