Honda bug lets a hacker unlock and start your car via replay attack
2022-03-25 07:28

Researchers have disclosed a 'replay attack' vulnerability affecting select Honda and Acura car models that allows a nearby hacker to unlock your car and even start its engine from a short distance.

Honda owners may be able to take some action to protect themselves against this attack.

This week, multiple researchers disclosed a vulnerability that can be used by a nearby attacker to unlock some Honda and Acura car models, and start their engines wirelessly.

The vulnerability, tracked as CVE-2022-27254, is a Man-in-the-Middle attack, or more specifically a replay attack, in which an attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-sends them at a later time to unlock the car at will.
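Why a signal that never changes can be replayed, as an added example (not code from the article, the researchers, or Honda): a Python model of two receivers, one that accepts a static frame and one that requires a MAC over an increasing counter. The key, frame layout, window size and class names are assumptions made for illustration and do not describe any real key fob protocol.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed secret shared by fob and car
FIXED_FRAME = b"\xa5UNLOCK"     # constructed static "door open" frame
WINDOW = 16                     # how far the fob counter may run ahead of the car
TAG_LEN = 8                     # truncated HMAC-SHA256 tag length in bytes

def fob_frame(counter: int, cmd: bytes = b"UNLOCK") -> bytes:
    """Fob side: bind the command to a counter that increases on every press."""
    body = struct.pack(">I", counter) + cmd
    return body + hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]

class FixedCodeReceiver:
    """Same frame for every request, so a recorded frame is as good as the fob."""
    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, FIXED_FRAME)

class CounterReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self) -> None:
        self.last = 0
    def accept(self, frame: bytes) -> bool:
        if len(frame) <= 4 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        good = hmac.new(KEY, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, good):
            return False                   # edited or forged frame
        (counter,) = struct.unpack(">I", body[:4])
        if not self.last < counter <= self.last + WINDOW:
            return False                   # stale (replayed) or far out of range
        self.last = counter                # every counter up to this one is now spent
        return True

def demo() -> dict:
    fixed, rolling = FixedCodeReceiver(), CounterReceiver()
    recorded = fob_frame(1)                # frame sent during a legitimate press
    fresh = fob_frame(2)                   # the owner's next legitimate press
    edited = fresh[:4] + b"LOCK!!" + fresh[10:]   # command changed, old tag kept
    return {
        "fixed_first": fixed.accept(FIXED_FRAME), "fixed_replay": fixed.accept(FIXED_FRAME),
        "rolling_first": rolling.accept(recorded), "rolling_replay": rolling.accept(recorded),
        "rolling_edited": rolling.accept(edited), "rolling_next": rolling.accept(fresh),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the identical frame any number of times, while the counter-based receiver rejects both the repeated frame and the frame whose command was changed after capture.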

In 2020, Berry had reported a similar flaw affecting the following Honda and Acura models but alleged that Honda ignored his report and "Continued to implement 0 security measures against this very simple 'replay/replay and edit' attack."

Note, in their statement to us, Honda explicitly mentions it has not verified the information reported by the researchers and cannot confirm if Honda's vehicles are actually vulnerable to this type of attack.


News URL

https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/

Related Vulnerability

DATE: 2022-03-23
CVE: CVE-2022-27254
VULNERABILITY TITLE: Authentication Bypass by Capture-replay vulnerability in Honda Civic 2018 Firmware
The remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, which allows for a replay attack, a related issue to CVE-2019-20626.
high complexity; honda; CWE-294
RISK: 5.3