Select Honda car models have a “replay attack” vulnerability that allows an attacker to unlock said cars and even remotely start the engine from a short distance. The vulnerability was discovered by computer scientist Blake Berry and University of Massachusetts professors Hong Liu and Ruolin Zhou, and Cybereason CSO Sam Curry.
The attack involves a threat actor capturing RF signals from your key fob to the car and resending these signals later to unlock the vehicle at will. The vehicles impacted by this bug majorly include the 2016-2020 Honda Civic cars, including the LX, EX, EX-L, Touring, Si, Type R models.
The vulnerability is currently being tracked as CVE-2022-27254 and is a Man-in-the-Middle type of attack. A video published by the researchers on GitHub demonstrates the unlocking and remote engine start aspects of the hack; however, a working proof-of-concept hasn’t been published yet.
Keeping key fob secure is the way to go
The researchers have also mentioned some preventive measures for consumers and manufacturers to help reduce the risk of the key fob signals being captured in the wild. Since most of the vulnerable vehicles are older models, it’s unlikely that Honda will push a security update at the moment.
So, consumers can use a Faraday Pouch for their key fobs, keeping nearby devices from capturing the output RF signal. The researchers also suggest using Passive Keyless Entry (PKE) over Remote Keyless Entry (RKE). PKE makes it harder for the attacker to capture the RF signal considering the proximity required.
On the other hand, manufacturers are advised to implement Rolling Codes, also called hopping codes. This method sends a new code for each authentication cycle of a PKE or RKE system.
The researchers, however, also advise that these measures aren’t foolproof and if users suspect being a victim they should get their key fobs to reset at the dealership.
This isn’t the first flaw of its kind, either. In 2020, Berry reported a similar flaw to Honda tracked as CVE-2019-20626. Honda, however, ignored his report and continued with its zero-security measures approach. Some of the affected cars were as follows:
- 2009 Acura TSX
- 2016 Honda Accord V6 Touring Sedan
- 2017 Honda HR-V (CVE-2019-20626)
- 2018 Honda Civic Hatchback
- 2020 Honda Civic LX
In the News: Lapsus$ hacking group is run by a UK-based teenager
Someone who writes/edits/shoots/hosts all things tech and when he’s not, streams himself racing virtual cars. You can reach out to Yadullah at [email protected], or follow him on Instagram or Twitter.