The keyless entry systems of several Honda models are vulnerable to replay attacks that allow unlocking and ignition

Two security researchers have discovered a replay attack vulnerability in some Honda and Acura cars that allows a nearby hacker to unlock the vehicle and start the engine. Replay attacks require a nearby hacker to capture and send back RF signals to trick the remote keyless entry system.

The man-in-the-middle (MiM) attack variant, tracked as CVE-2022-27254, allows an attacker to intercept and modify RF signals sent from a remote key fob to the car and retransmit them later to unlock the vehicle at will.

Security researchers Blake Berry and Ayyappan Rajesh are credited with discovering the flaw, but have yet to release proof-of-concept (POC) code or technical details.

What is a remote keyless entry system?

A remote keyless entry system allows the owner to unlock the car without relying on a button, panel or physical key. It automatically unlocks the car at the touch of the door handle when a remote keyless fob is nearby.

The system relies on short-range radio signals, but can also be connected to mobile networks to allow owners to lock/unlock the car from several miles away. Similarly, range extenders could allow cars parked at home to be unlocked or started remotely.

Which vehicles are vulnerable to keyless entry replay attacks?

Researchers noted that the bug affects Honda Civic family cars manufactured between 2016 and 2020. These include the Honda Civic LX, EX, EX-L, Touring, Si and Type R.

In 2020, Berry listed the following vehicle models as vulnerable to keyless entry replay attacks, tracked as CVE-2019-20626:

  • 2009 Acura TSX
  • 2016 Honda Accord V6 Touring Sedan
  • 2017 Honda HR-V
  • 2018 Honda Civic Hatchback
  • 2020 Honda Civic LX

Another security researcher reported that the 2012 Honda Civic was vulnerable to replay attacks, tracked as CVE-2021-46145.

“This attack is even worse than the ‘rolljam’ security flaw that Samy Kamkar demonstrated in 2015,” said Chris Clements, vice president of Solutions Architecture at Cerberus Sentinel.

“At least with this attack, the car and the remotes have implemented ‘rolling codes’ that change with each transmission to prevent simply intercepting and replaying the same code over and over again.

“With this new attack on Honda vehicles, once an attacker captures the codes, it effectively gives them indefinite access to control the locking, unlocking, and in some cases the remote engine start functionality of a specific car.”

Does Honda plan to repair vehicles vulnerable to replay attacks?

Honda has played down the threats posed by replay attacks on its remote keyless entry system, arguing that the exploit requires an attacker to be nearby or physically connected to the vehicle.

Additionally, Honda said sophisticated attackers are relentless in overcoming new security features, while others rely on cruder methods to steal vehicles.

“It’s important to note that while Honda regularly improves security features as new models are introduced, determined and technologically sophisticated thieves also strive to circumvent these features,” BleepingComputer reported.

The tech website quoted the Honda employee as saying “Honda has no plans to update older vehicles at this time.”

“Honda’s comments that exploiting this vulnerability would require ‘determined and technologically very sophisticated thieves’ appear to belittle the problem,” Clements said. “It’s like shouting your password into a room and hoping no one is listening. Yes, it has to be someone close enough to hear and then know what to do with it, but after that it’s very simple to exploit.”

Clements predicts that replay attacks on remote keyless entry systems could “get massive over time.” Therefore, car owners have to decide whether to accept the risk or toss the devices.

How to protect against replay attacks

The researchers advised automakers to implement rolling codes to prevent attackers from replaying unlock signals. This method ensures that a new code is used for each authentication request.

They also advised car owners to store their key fobs in signal-blocking Faraday pouches when not in use. However, a hacker could still pick up the signals each time the key fob is used and replay the commands to the car’s keyless entry system later.

Similarly, researchers have advised automakers to implement passive keyless entry (PKE) systems instead of remote keyless entry (RKE) systems.
