Rolling Pwn Attack
INTRODUCTION

Modern vehicles are often equipped with a remote keyless entry (RKE) system, which allows the vehicle to be unlocked or started remotely. The goal of our research was to evaluate the resistance of a modern-day RKE system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently on the market (from the year 2012 up to the year 2022). This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.

The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling code mechanism, which is implemented in a huge number of Honda vehicles. The purpose of a rolling code system in keyless entry systems is to prevent replay attacks. After each keyfob button press, the rolling code synchronization counter is incremented. However, the vehicle receiver will by design accept a sliding window of codes, to tolerate accidental key presses. By sending the commands to the Honda vehicle in a consecutive sequence, the counter is resynchronized. Once the counter is resynced, commands from the previous cycle of the counter work again. Therefore, those commands can be used later to unlock the car at will.

QUESTIONS AND ANSWERS

0: Please show me Rolling-PWN in action.

We have successfully tested the 10 most popular Honda models from the year 2012 up to the year 2022 from the attacker's perspective. Therefore, we strongly believe the vulnerability affects all Honda vehicles currently on the market.

  · Honda Civic 2012
  · Honda XR-V 2018
  · Honda CR-V 2020
  · Honda Accord 2020
  · Honda Odyssey 2020
  · Honda Inspire 2021
  · Honda Fit 2022
  · Honda Civic 2022
  · Honda VE-1 2022
  · Honda Breeze 2022
  · Honda Accord 2021 (verified by Rob Stumpf from The Drive)

Please see the demo videos below. Note that even after the keyfob has been pressed multiple times, we are still able to open the door repeatedly, meaning the rolling code mechanism has been pwned.


1: Why is it called Rolling-PWN, not Honda-PWN?

Because this bug may exist in other brands of vehicles too ;)


2: Who found the Rolling-PWN Bug?

A team of security researchers, Kevin2600 and Wesley Li from Star-V Lab, independently discovered this bug.


3: Am I affected by the bug?

As long as a vulnerable Honda vehicle is in use, the bug can be abused.


4: Is there an assigned CVE for Rolling-PWN?

CVE-2021-46145 is the official reference for this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names, maintained by MITRE.


5: Can I detect if someone has exploited this against me?

Probably not. The exploitation does not leave any traces in traditional log files. But considering the ease of exploitation and the absence of any trace, this threat should be taken seriously.


6: Is this a Honda-only bug?

No. Although the main target of the research was Honda automobiles, we have leads showing that the impact of this vulnerability also applies to other car manufacturers. We will release more details in the future.


7: Is the risk real?

We have successfully tested the latest Honda models, and we strongly believe the vulnerability affects all Honda vehicles currently on the market. Please see the field test video below.


8: What makes this bug unique, or what is the difference from CVE-2022-27254 and CVE-2019-20626?

During the research, we noticed that other researchers had found similar vulnerabilities in Honda vehicles, described as: "The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack". What they found is a FIXED CODE vulnerability, where an attacker records the transmission in advance and replays it later to cause the car door to lock or unlock.

However, most modern vehicles, including Honda automobiles, implement a proprietary rolling code mechanism, which is precisely what prevents a fixed code replay attack like CVE-2022-27254. The bug we discovered concerns a design flaw in the rolling code mechanism from Honda Motor, which needs to be taken very seriously.
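The property that separates a sound rolling code receiver from both a fixed code and the flawed sliding-window behaviour described above (in the introduction and in this answer), shown as an added reference model written for this page, not Honda's implementation or the authors' tooling: the accepted counter only moves forward, a resync needs two consecutive codes and still cannot roll back, so a code captured in an earlier counter cycle stays rejected. KeyFob, Receiver, the window sizes and the key are assumptions.

```python
import hmac
import hashlib

def code_tag(key, counter, command):
    # Authenticated rolling code: the 8-byte tag binds the counter to the command.
    msg = counter.to_bytes(4, "big") + command.encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]

class KeyFob:
    def __init__(self, key):
        self.key, self.counter = key, 0

    def press(self, command):
        self.counter += 1  # every button press advances the counter
        return (self.counter, command, code_tag(self.key, self.counter, command))

class Receiver:
    def __init__(self, key, window=16, resync_limit=1 << 16):
        self.key, self.window, self.resync_limit = key, window, resync_limit
        self.counter = 0      # highest counter ever accepted; only moves forward
        self.pending = None   # first code of a candidate resync pair

    def receive(self, counter, command, tag):
        if not hmac.compare_digest(tag, code_tag(self.key, counter, command)):
            return False  # forged or corrupted frame
        if counter <= self.counter:
            self.pending = None
            return False  # stale or replayed code: the counter never rolls back
        if counter <= self.counter + self.window:
            self.counter, self.pending = counter, None
            return True   # normal case: within the sliding window
        if counter <= self.counter + self.resync_limit:
            # Fob far ahead (pressed out of range): resync only on two consecutive codes
            if self.pending is not None and counter == self.pending + 1:
                self.counter, self.pending = counter, None
                return True
            self.pending = counter
        return False

def demo():
    key = b"constructed-demo-key"  # constructed sample key, not a real fob key
    fob, car = KeyFob(key), Receiver(key)
    first = fob.press("unlock")
    live = car.receive(*first)                  # genuine press: accepted
    replay = car.receive(*first)                # same frame again: rejected
    for _ in range(100):                        # fob pressed repeatedly out of range
        fob.press("unlock")
    far = car.receive(*fob.press("unlock"))     # beyond the window: held as resync candidate
    resync = car.receive(*fob.press("unlock"))  # consecutive code completes the resync
    stale = car.receive(*first)                 # old-cycle code stays rejected after resync
    return live, replay, far, resync, stale
```

The last value is the check that matters for this page: a receiver whose resync can re-admit codes from a previous counter cycle fails it.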


9: Is there more technical information about Rolling-PWN?

You can follow the author on Twitter [@kevin2600]. However, we will not be releasing any tools required to go out and steal the affected vehicles. At a later stage, we will release technical information in order to encourage more researchers to get involved in car security research.


10: How can a modern automobile be patched for a Rolling-PWN bug like this?

The common solution requires bringing the vehicle back to a local dealership as a recall. The recommended mitigation strategy, however, is to upgrade the vulnerable BCM firmware through Over-the-Air (OTA) updates where feasible; some older vehicles may not support OTA.


11: What does Honda think about the Rolling-PWN bug?

We searched the Honda official website but could not find any contact information for reporting a vulnerability. It seems Honda Motor DOES NOT have a department to deal with security-related issues in its products. A person who works at Honda told us "The best way to report the Honda vulnerability is to contact customer service". Therefore, we filed a report with Honda customer service.

A Honda spokesperson first denied the bug's existence: "The keyfobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report".

But after Rob Stumpf from The Drive confirmed and reproduced the bug, Honda changed its tone, replying by email: "We acknowledge that with the method that you describe it is possible to mimic Remote Keyless commands and gain access to certain vehicles".

However, in the end Honda concluded that this is a low risk to customers, and that Honda regularly improves security features as new models are introduced that would thwart this and similar approaches. So let's keep our fingers crossed.

IN THE PRESS (SELECTION)