Hackers can unlock Honda cars remotely in Rolling-PWN attacks

Here it comes…the era of cyber

Sounds like they didn’t understand key pair generator and made up their own hard coded algorithm and the cat is out of the bag.

Don’t roll your own crypto

How could I replicate this attack to see if my car is vulnerable?

I think it was Honda that was recently outed as having no generator at all; instead there were only a few thousand codes that got rotated.

It was compared to another case that an American car manufacturer had (GM I think) where customers at a car park could pop each other’s trunks because there were only so many codes to program the keys with.

EDIT: It wasn’t that they had a list of codes. It was that they hard coded a key which was rebroadcast every time. No cryptography at all. This was reported in 2021.

This is almost (but not quite) as bad as GM or Ford or whatever only issuing 1000 combinations to 10s of thousands of vehicles allowing fobs to open random cars at chance.

Can confirm this happened to my parents’ 2001 GMC Yukon. We were at a parking lot at Costco, and when my mom pressed unlock the SUV across the aisle from us also unlocked (I think it was a Chevy Suburban). Was super weird.

I don’t think there’s a technical walk through but I swore there was on CVE-2022-27254 or CVE-2019-20626, a similar attack. I think just about any SDR can handle this, as far as needed equipment.

https://rollingpwn.github.io/rolling-pwn/

Oh yeah, glad to see more companies go with the “If we deny it hard enough, it might go away” approach. That’s job security right there.

Well hell… I have a Honda I think is affected by this. A 2014 Civic Si with the push button start. What the hell can I do to stop this? Hide a kill switch or something?

The article says Honda isn’t acknowledging the vulnerability so all you can do is garage it and/or disable the remote lock

But to be fair any motivated thief who goes through the trouble of getting the equipment to pull this off already can steal your car using traditional means

The Civic was already the #3 most stolen vehicle in the US.

NICB identifies Civic as the most stolen car in the US from 2012-2019. Then #2 and #3 as the Ford F150 took its place.

You’ll also notice similar generation Honda cars since Honda reuses their lock and safety mechanisms. So if it’s on the Civic, it’ll be on the CRV. And if it’s on the Accord, it’ll be on the Civic the next year.

Had this happen to my car (not Honda) multiple times (usually at night and the doors were left open). Insurance companies don’t cover this type of thing as there’s no sign of entry.

Keyfobs are one of the worst features ever put on a car.

It’s more of the car industry’s approach to digital security. We need to make them responsible for the lax take on it.