Millions of Honda cars could be at risk of theft following the reveal of a new remote hacking risk.
Security researchers from Star-V Lab have uncovered a technique that allows anyone to unlock a vehicle, open doors and even start the engine using a handheld radio due to a vulnerability in the car’s keyfob.
A number of leading Honda models released between 2012 and 2022 are apparently affected by the flaw, including the Accord, Civic, C-RV and X-RV.
Honda remote flaw
The researchers have teamed up with journalist Rob Stumpf from The Drive (opens in new tab) to show off the vulnerability, which they’ve dubbed Rolling-PWN.
The issue is contained within the rolling codes mechanism, including within the keyless entry system (aka the keyfob) in order to prevent replay “man-in-the-middle” attacks.
The team found that every time the keyfob button is pressed, it increases the chance of certain codes being accepted to give access to the vehicle. The team notes that the receiver within the vehicle accepts a “sliding window of codes” primarily in order to avoid accidental key presses.
Each time the button is pressed, the rolling codes synchronizing counter is increased, and so by sending certain commands in a consecutive sequence, the counter will resychronize, opening it up to previous commands that can be used to access the vehicle.
“The Rolling-PWN bug is a serious vulnerability,” the team wrote in a blog post (opens in new tab) outlining its findings. “We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles.”
The researchers note that anyone with a specific vehicle make could be at risk, and users may not even be able to detect if the flaw has been used against them.
They also warn that the threat could affect vehicles from other brands, and that Honda doesn’t currently seem to have a fix, or even noticed the issue. The researchers note that they have tried to file a report, but could not find a proper way to do so, so instead contacted Honda Customer Service.
A spokesperson for Honda told Vice (opens in new tab) that the report wasn’t credible and that the allegations are unfounded.
“The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report,” the company said.
“In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims,” the company added.