Security News > 2022 > July > Hackers can unlock Honda cars remotely in Rolling-PWN attacks
A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely.
Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.
The keyless entry system in modern cars rely on rolling codes produced by a pseudorandom number generator algorithm to ensure that unique strings are used each time the keyfob button is pressed.
The rolling code mechanism was introduced to prevent fixed code flaws that enabled man-in-the-middle replay attacks like the one we covered in March, which is still exploitable in older models.
The vulnerability is tracked as CVE-2021-46145 and is described as an issue "Related to a non-expiring rolling code and counter resynchronization" in the keyfob subsystem in Honda.
"The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report," stated Honda.
News URL
Related news
- Chinese hackers targeted sanctions office in Treasury attack (source)
- Hackers exploit critical Aviatrix Controller RCE flaw in attacks (source)
- Hackers use FastHTTP in new high-speed Microsoft 365 password attacks (source)
- Subaru Starlink flaw let hackers hijack cars in US and Canada (source)
- Google says hackers abuse Gemini AI to empower their attacks (source)
- Hacker pleads guilty to SIM swap attack on US SEC X account (source)
- whoAMI attacks give hackers code execution on Amazon EC2 instances (source)
- Microsoft: Hackers steal emails in device code phishing attacks (source)
- Chinese Hackers Exploit MAVInject.exe to Evade Detection in Targeted Cyber Attacks (source)
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-01-06 | CVE-2021-46145 | Authentication Bypass by Capture-replay vulnerability in Honda Civic 2012 The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking. | 5.3 |