Security researchers have discovered a way to remotely unlock and start a wide variety of Honda vehicles using an exploit that targets the vehicles’ key fobs. Honda has attempted to brush aside the claims, but the hack appears to be quite easily reproducible. Even a reporter from The Drive managed to test out the exploit and successfully hacked his own car. Researchers say there’s no way to guard against the hack and no way to determine if it happened to you.
The attack, which has been dubbed “Rolling Pwn,” targets a bug in Honda’s remote keyless entry system, exploiting the way vehicles transmit authentication codes between the car and the key fob. Using easily purchasable hardware, the researchers were able to digitally eavesdrop on and capture those codes, then redeploy them at will. This allowed them to easily unlock and start cars affected by the vulnerability, which included models from as far back as 2012 and as recent as 2022.
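For context, here is an added example (not code from the researchers, Honda, or this article) of the receiver-side check a rolling-code system is meant to enforce, so that a captured code is useless once it or any later code has been accepted. The HMAC-SHA256 tag, the frame layout, the 16-step window, the key and all names are assumptions for illustration; real key fobs use other ciphers and frame formats.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: missed button presses the car tolerates

def make_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: 4-byte counter + 1-byte command + 8-byte truncated HMAC tag."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class Receiver:
    """Car side: accept a frame only if it is authentic and its counter is new."""

    def __init__(self, key: bytes, last_counter: int = 0):
        self.key = key
        self.last_counter = last_counter

    def accept(self, frame: bytes) -> str:
        if len(frame) != 13:
            return "reject: malformed"
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return "reject: bad tag"
        counter = int.from_bytes(body[:4], "big")
        if counter <= self.last_counter:
            return "reject: replayed or stale counter"
        if counter > self.last_counter + WINDOW:
            return "reject: outside window"
        self.last_counter = counter  # stored counter never moves backwards
        return "accept"

def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample value
    car = Receiver(key)
    unlock = b"\x01"
    f1, f2, f3 = (make_frame(key, n, unlock) for n in (1, 2, 3))
    results = [car.accept(f1), car.accept(f2)]   # two legitimate presses
    results.append(car.accept(f1))               # captured frame sent again
    results.append(car.accept(f2))               # second captured frame
    results.append(car.accept(f3))               # next fresh press still works
    results.append(car.accept(make_frame(key, 500, unlock)))  # far ahead
    results.append(car.accept(f3[:4] + b"\x02" + f3[5:]))     # altered command
    return results

if __name__ == "__main__":
    for line in demo():
        print(line)
```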
Quite disturbingly, there doesn’t appear to be any fix for this issue. A Common Vulnerabilities and Exposures (CVE) log has been entered, but it doesn’t list a patch. Even worse, the researchers write that there’s no way to tell whether someone has targeted your car with the exploit, as the “exploitation does not leave any traces in traditional log files.” In other words, someone could execute the exploit, rifle through your car, take it for a spin, park it where you left it, and, unless you caught them, you would have no way of knowing that anything happened except for a suspiciously low gas tank.
The issue was discovered by a pseudonymous researcher who goes by “Kevin2600,” and his research partner, Wesley Li. The research closely resembles, but differs slightly from, threat research on a similar Honda vulnerability that was discovered in March. The “Rolling Pwn” researchers write:
“The goal of our research was to evaluate the resistance of a modern-day RKE [remote keyless entry] system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently existing on the market (From the Year 2012 up to the Year 2022),” the researchers wrote. “This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.”
The research identifies the following models as being vulnerable to the exploit: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, 2022 Honda Breeze. However, other vehicles besides Honda could also be affected, researchers write.
Rob Stumpf, of The Drive, tested out the exploit for himself and shared a video of the hijacked car starting up:
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
So, yes, it definitely works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ
— Rob Stumpf (@RobDrivesCars) July 10, 2022
Unfortunately, Honda doesn’t appear to be taking the research too seriously. Kevin2600 says that when he reached out to Honda about the vulnerability, he was told to contact customer service. When Vice News reached out, the company apparently sent them a statement claiming that the research was “old news.” A company spokesperson told the outlet:
“We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims…”
“As expected Honda denied the bug exists. So best luck to all Honda owners :P,” the researcher tweeted, following the publication of Vice’s story.
Gizmodo also reached out to Honda for comment and will update this story if it responds.