Modern Honda cars get exposed to a hack dubbed Rolling Pwn Attack

July 12, 2022

Numerous modern Honda car models could be at risk of getting hacked, as researchers recently identified a vulnerability that allows threat actors to unlock the doors of affected cars or start their engines remotely. The vulnerability, widely known as the ‘Rolling Pwn Attack’, enables replay attacks: hackers intercept the codes sent from a keyfob to the car and later reuse them to unlock or start it.

Honda car models launched between 2021 and 2022 might be on the list of those prone to the vulnerability, including a few popular models like Honda Inspire 2021, Honda Civic 2022, Honda VE-1 2022, and Honda Breeze 2022, among others.

Modern cars, such as some of the latest Honda models, use a keyless entry system that relies on a pseudorandom number generator (PRNG) algorithm to produce a unique code each time a person presses the keyfob button.

These keyless cars have a code counter that checks that codes arrive in chronological order, increasing the count on every new code it receives. To handle cases where a person accidentally presses their keyfob or the car is out of range, codes that arrive out of strict chronological order are also accepted.

Through their research, experts identified that the code counter in modern Honda cars gets re-synchronised when the vehicle is locked or unlocked consecutively. For this reason, the car accepts old codes from previous sessions that should have already been voided.
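The counter behaviour described above can be modelled in a few lines. This is an added example, not code from the researchers or from Honda: the HMAC-based `code_for`, the `Receiver` class, `WINDOW` and `RESYNC_RUN` are hypothetical stand-ins chosen for illustration. It puts a receiver that lets a run of consecutive old codes rewind its counter beside one that never accepts a used counter again.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed sample secret
WINDOW = 16      # assumed look-ahead that tolerates missed presses
RESYNC_RUN = 3   # assumed number of consecutive codes that triggers a resync

def code_for(counter):
    """Stand-in for the fob's PRNG: truncated HMAC of the counter."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, allow_backward_resync):
        self.next_counter = 0
        self.allow_backward_resync = allow_backward_resync
        self.run = []  # counters of consecutive old codes seen so far

    def _find(self, code, lo, hi):
        for c in range(lo, hi):
            if hmac.compare_digest(code, code_for(c)):
                return c
        return None

    def receive(self, code):
        # Normal path: the expected code, or one slightly ahead of it.
        c = self._find(code, self.next_counter, self.next_counter + WINDOW)
        if c is not None:
            self.next_counter, self.run = c + 1, []
            return True
        if not self.allow_backward_resync:
            return False  # hardened: a used counter is never valid again
        # Flawed path: a run of consecutive old codes rewinds the counter.
        c = self._find(code, 0, self.next_counter)
        if c is None:
            self.run = []
        elif self.run and c == self.run[-1] + 1:
            self.run.append(c)
        else:
            self.run = [c]
        if len(self.run) >= RESYNC_RUN:
            self.next_counter, self.run = c + 1, []
        return False

def replay_old_session(receiver):
    """Use counters 0..9 legitimately, then replay the first five codes."""
    captured = [code_for(c) for c in range(5)]  # constructed capture
    for c in range(10):
        receiver.receive(code_for(c))
    return [receiver.receive(code) for code in captured]
```

In the flawed model the first three replayed codes are rejected but rewind the counter, so the remaining old codes are accepted; the hardened model rejects all five.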

Exploiting the vulnerability starts with a hacker equipped with a software-defined radio (SDR) kit, which can collect consecutive code sequences and replay them to unlock the car’s doors or start its engine.

The flaw is tracked as CVE-2021-46145 with a medium severity, and experts describe it as an issue associated with a non-expiring rolling code and counter resynchronisation within Honda’s keyfob subsystem. The flaw was first detailed in December 2021 and was tested on a 2012 model of a Honda Civic. But experts highlight that the flaw could also impact newer models of Honda cars.

Another researcher added that as long as the resynchronisation sequence has been replayed, hackers could still achieve their objectives regardless of how much time has passed since the codes were captured. Nonetheless, it is also important to note that these hackers cannot drive a Honda vehicle away if the keyfob is out of proximity.

In a recent statement, a Honda representative denied the vulnerability and said that the claims against the company’s car models are baseless and insufficient. The representative also clarified that the rolling code mechanism in Honda’s car models would not allow the flaw as reported.
