A duo of researchers has released a proof-of-concept (PoC) demonstrating the ability for a malicious actor to remote lock, unlock, and even start Honda and Acura vehicles by means of what's called a replay attack.
The attack is made possible, thanks to a vulnerability in its remote keyless system (CVE-2022-27254) that affects Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020. Credited with discovering the issue are Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry (HackingIntoYourHeart).
"A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership," Berry explained in a GitHub post.
The underlying issue is that the remote key fob on the affected Honda vehicles transmits the same, unencrypted radio frequency signal (433.215MHz) to the car, effectively enabling an adversary to intercept and replay the request at a later time to wirelessly start the engine as well as lock and unlock the doors.
This is not the first time a flaw of this kind has been uncovered in Honda vehicles. A related issue discovered in 2017 Honda HR-V models (CVE-2019-20626, CVSS score: 6.5) is said to have been "seemingly ignored" by the Japanese company, Berry alleged.
"Manufacturers must implement Rolling Codes, otherwise known as hopping code," Rajesh said. "It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system."
In response to the findings, Honda said "this is generally not a new assertion with several past unconfirmed iterations of similar key fob devices, and in my opinion doesn’t merit any further reporting," and that it "has no plan to update older vehicles at this time."
"Legacy technology utilized by multiple automakers to remotely lock and unlock doors may be vulnerable to determined and very technologically sophisticated thieves," Honda spokesperson Chris Martin told The Hacker News.
"At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby."
"Further, access to a vehicle without other means to drive the vehicle, while hi-tech in nature, does not provide thieves an advantage much greater than more traditional and certainly easier ways to gain entry to a vehicle. And there is no indication that the type of device in question is widely used."
"Also, for Acura and Honda vehicles, while certain models feature a remote start feature, a vehicle started remotely cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle, reducing the likelihood of a vehicle theft. There is no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle."
