Hackers can unlock Honda cars remotely in Rolling-PWN attacks

A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely.
Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.
The keyless entry system in modern cars relies on rolling codes produced by a pseudorandom number generator algorithm to ensure that a unique string is used each time the keyfob button is pressed.
The rolling code mechanism was introduced to prevent fixed code flaws that enabled man-in-the-middle replay attacks like the one we covered in March, which is still exploitable in older models.
The vulnerability is tracked as CVE-2021-46145 and is described as an issue "Related to a non-expiring rolling code and counter resynchronization" in the keyfob subsystem in Honda.
"The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report," stated Honda.
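As an added illustration (not code from the researchers, Honda, or the original article), the sketch below models a receiver on the assumption that "non-expiring rolling code and counter resynchronization" means already-used codes still validate and move the counter back. The HMAC-based generator, the window size and all names are hypothetical; the hardened variant treats every counter at or below the last accepted one as expired.

```python
import hashlib
import hmac

def code_for(key: bytes, counter: int) -> bytes:
    """Rolling code for one button press (HMAC stands in for the fob's generator)."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Receiver:
    """Toy car-side validator; `window` is how far from `last` a counter may be."""

    def __init__(self, key: bytes, window: int = 16, expire_used: bool = True):
        self.key, self.window, self.expire_used = key, window, expire_used
        self.last = 0  # highest counter accepted so far

    def _match(self, code: bytes, lo: int, hi: int):
        for c in range(lo, hi + 1):
            if hmac.compare_digest(code, code_for(self.key, c)):
                return c
        return None

    def accept(self, code: bytes) -> bool:
        # Normal path: the code must be strictly ahead of the last accepted counter.
        c = self._match(code, self.last + 1, self.last + self.window)
        if c is None and not self.expire_used:
            # Weak path (assumed model): used codes never expire, and a match
            # resynchronises the counter backwards.
            c = self._match(code, max(1, self.last - self.window), self.last)
        if c is None:
            return False
        self.last = c
        return True

def demo() -> dict:
    key = b"constructed-demo-key"  # constructed sample secret
    presses = [code_for(key, n) for n in range(1, 6)]  # fob presses 1..5
    results = {}
    for name, expire in (("weak", False), ("hardened", True)):
        rx = Receiver(key, expire_used=expire)
        fresh_ok = all(rx.accept(p) for p in presses)
        replay_ok = rx.accept(presses[1])  # press 2 again, already used
        results[name] = (fresh_ok, replay_ok, rx.last)
    return results

if __name__ == "__main__":
    print(demo())
```

In the weak configuration the repeated code is accepted and the stored counter drops back to 2; in the hardened one it is rejected and the counter stays at 5.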
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2022-01-06 | CVE-2021-46145 | Authentication Bypass by Capture-replay vulnerability in Honda Civic 2012. The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. | 5.3 |