Researchers have demonstrated how exploiting a serious vulnerability in the Honda Remote Keyless System risks the security of numerous vehicles. Specifically, exploiting this bug allows an adversary to lock, unlock, or even start any Honda Civic.
Honda Remote Keyless System Vulnerability
Sharing the details in a GitHub post, the researchers, Ayyappan Rajesh and HackingIntoYourHeart, explained how they could control multiple vehicles without the respective remotes. This is possible due to a vulnerability in how the Honda Remote Keyless Entry (RKE) system communicates with separate vehicles.
As explained, the system sends the same RF signals to each vehicle it interacts with, and it sends them unencrypted. Thus, an intercepting adversary can exploit this flaw to target any desired vehicle via replay attacks.
The remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.
To test the exploit, the researchers used a few simple tools, including FCCID.io, HackRF One, Gqrx, and GNURadio. Then, they could lock or unlock a target car, or control the engine remotely using the same sequence.
The researchers have shared separate videos as proof of concept in their GitHub post, demonstrating these attacks. As stated, this bug (CVE-2022-27254) affects all 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R) models.
Recommended Mitigations
Ironically, multiple media sources have quoted Honda expressing no plans to address this flaw in older models. As Chris Martin, Honda spokesperson, stated,
Honda has not verified the information reported by researchers and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this time.
Researchers have shared a few mitigation strategies to address this problem. Briefly, they advise manufacturers to implement “hopping codes” (different codes for every authentication). For users, they suggest keeping the key fob in a Faraday pouch, or adopting the passive keyless entry (PKE) system instead of the RKE.
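
To show why the hopping codes recommended above stop the replay that a fixed code allows, here is an added example (not code from the researchers' post or from Honda): a receiver that checks a counter authenticated with HMAC-SHA256 and refuses any frame whose counter it has already accepted. The key, command value, frame layout and window size are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed sample secret shared by fob and car
UNLOCK = 0x02                   # constructed command value
WINDOW = 16                     # assumed tolerance for presses made out of range


def _tag(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:8]


class HoppingFob:
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self, command: int) -> bytes:
        self.counter += 1       # every press produces a different frame
        body = struct.pack(">IB", self.counter, command)
        return body + _tag(self.key, body)


class HoppingReceiver:
    def __init__(self, key: bytes):
        self.key, self.last = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            return False        # forged or corrupted frame
        counter, _command = struct.unpack(">IB", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False        # already used (replay) or too far ahead
        self.last = counter
        return True


def fixed_code_accept(stored: bytes, frame: bytes) -> bool:
    # Behaviour the article describes: the same frame is valid every time.
    return hmac.compare_digest(stored, frame)


if __name__ == "__main__":
    fob, car = HoppingFob(KEY), HoppingReceiver(KEY)
    frame = fob.press(UNLOCK)
    print("first use:", car.accept(frame), "| replay:", car.accept(frame))
```
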