Security News > 2022 > July > Hackers can unlock Honda cars remotely in Rolling-PWN attacks

Hackers can unlock Honda cars remotely in Rolling-PWN attacks
2022-07-11 22:10

A team of security researchers found that several modern Honda car models have a vulnerable rolling code mechanism that allows unlocking the cars or even starting the engine remotely.

Called Rolling-PWN, the weakness enables replay attacks where a threat actor intercepts the codes from the keyfob to the car and uses them to unlock or start the vehicle.

The keyless entry system in modern cars rely on rolling codes produced by a pseudorandom number generator algorithm to ensure that unique strings are used each time the keyfob button is pressed.

The rolling code mechanism was introduced to prevent fixed code flaws that enabled man-in-the-middle replay attacks like the one we covered in March, which is still exploitable in older models.

The vulnerability is tracked as CVE-2021-46145 and is described as an issue "Related to a non-expiring rolling code and counter resynchronization" in the keyfob subsystem in Honda.

"The key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report," stated Honda.


News URL

https://www.bleepingcomputer.com/news/security/hackers-can-unlock-honda-cars-remotely-in-rolling-pwn-attacks/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-01-06 CVE-2021-46145 Authentication Bypass by Capture-replay vulnerability in Honda Civic 2012
The keyfob subsystem in Honda Civic 2012 vehicles allows a replay attack for unlocking.
2.9