Hackers steal Honda cars as the company tries to hide a vulnerability in its dongles

According to experts, attackers can steal Honda cars by remotely opening the doors and starting the engine through a vulnerability in the keyless entry system.

The researchers named the vulnerability RollingPWN and said that all cars manufactured by Honda between 2012 and 2022 are affected.


The description of the RollingPWN attack on GitHub says that the problem lies in a vulnerable version of the rolling codes mechanism, which is used in almost all modern Honda models.

The vulnerability itself (CVE-2021-46145) lies in non-expiring rolling codes and counter resynchronization. As soon as the counter is resynchronized, the codes from the previous cycle begin to work, which can be exploited by attackers.

"The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles. A rolling code system in keyless entry systems is to prevent a replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design. By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will," the experts write.
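The counter logic described above can be modelled in a few lines. This is an added example, not code from the researchers or from Honda: the frame format (counter plus truncated HMAC), the window size, the "two consecutive frames" resync rule and all names are assumptions, chosen to put a receiver whose resynchronization can move the counter backwards next to one that only lets it move forwards.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16                    # assumed size of the look-ahead window

def tag(msg):
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

def frame(counter):
    """Toy fob frame: 4-byte counter plus truncated HMAC (assumed format)."""
    msg = counter.to_bytes(4, "big")
    return msg + tag(msg)

class Receiver:
    def __init__(self, backward_resync):
        self.counter = 0      # most recently accepted counter value
        self.pending = None   # counter of last authentic out-of-window frame
        self.backward_resync = backward_resync

    def receive(self, f):
        msg, mac = f[:4], f[4:]
        if not hmac.compare_digest(mac, tag(msg)):
            return False      # not produced by the paired fob
        c = int.from_bytes(msg, "big")
        if self.counter < c <= self.counter + WINDOW:
            self.counter, self.pending = c, None
            return True       # normal press inside the sliding window
        # Resync rule: two consecutive authentic frames outside the window.
        consecutive = self.pending is not None and c == self.pending + 1
        if consecutive and (c > self.counter or self.backward_resync):
            self.counter, self.pending = c, None
            return True
        self.pending = c
        return False

def replay_old_frames(backward_resync):
    """Accept/reject result for each stale frame, plus the final counter."""
    rx = Receiver(backward_resync)
    old = [frame(c) for c in range(1, 6)]      # constructed: presses 1..5
    for f in old + [frame(c) for c in range(6, 11)]:
        rx.receive(f)                          # normal use, counter ends at 10
    return [rx.receive(f) for f in old], rx.counter

if __name__ == "__main__":
    print("backward resync allowed:", replay_old_frames(True))
    print("forward-only resync    :", replay_old_frames(False))
```

With backward resync allowed, the second stale frame rewinds the counter and every later stale frame is accepted; the forward-only receiver rejects all of them while still recovering when a legitimate fob has run far ahead of the window.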

The experts successfully tested the attack on the 10 most popular Honda car models from 2012 to 2022, including:

  1. Honda Civic 2012
  2. Honda XR-V 2018
  3. Honda CR-V 2020
  4. Honda Accord 2020
  5. Honda Odyssey 2020
  6. Honda Inspire 2021
  7. Honda Fit 2022
  8. Honda Civic 2022
  9. Honda VE-1 2022
  10. Honda Breeze 2022

Despite all the accusations and evidence, Honda denies the existence of RollingPWN.

The experts also noted that it is impossible to detect traces of an attack using the vulnerability, since it leaves no entries in the logs. To avoid becoming a victim of such an attack, the researchers recommend updating the vulnerable firmware of the key fob and placing the fob in a Faraday cage as a precaution. If you have already become a victim of RollingPWN, you should immediately contact the dealership and reset the key fob.

Recall that not only Honda suffers from hackers. This year, researchers have found many vulnerabilities in Tesla electric vehicles. Vulnerabilities in the Bluetooth LE protocol and Tesla key cards allowed attackers to enter the interior of an electric car and start the engine.

About the author

Carina Wilson

With over 10 years' experience of writing for online and print media, I'm an expert in delivering clear and compelling copy.

I've written for a leading SEO copywriting agency as well as writing for some of the UK’s best known brands, magazines and newspapers.
