Security News > 2022 > March > Hackers remotely start, unlock Honda Civics with $300 tech

Hackers remotely start, unlock Honda Civics with $300 tech
2022-03-25 15:00

If you're driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.

Their research suggests that Honda Civic LX, EX, EX-L, Touring, Si, and Type R vehicles manufactured between 2016 and 2020 all have this vulnerability.

According to the team, "Various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack." The GitHub page created for the vulnerability hosts three separate proof-of-concept videos showcasing their results.

The CVE page for this vulnerability makes mention of another, CVE-2019-20626, the same vulnerability found in 2017 Honda HR-V vehicles, which Paraguayan security researcher Victor Casares demonstrated in a 2019 Medium post.

An unrelated but similar problem in 2012 Honda Civics allows for a similar attack, but with a different cause: a non-expiring rolling code and counter resync.

In 2016, The Register reported on an experiment in which researchers cloned a Volkswagen key fob and were able to use it to potentially unlock 100 million vehicles.


News URL

https://go.theregister.com/feed/www.theregister.com/2022/03/25/honda_civic_hack/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2020-03-23 CVE-2019-20626 Authentication Bypass by Capture-replay vulnerability in Honda Hr-V 2017 Firmware
The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack.
low complexity
honda CWE-294
6.5
6.5