
Security Exploit can Allow Hackers to Lock, Unlock and Start Honda’s Car

by CISOCONNECT Bureau

Researchers have demonstrated how a severe security flaw in the Honda Remote Keyless System might jeopardise the security of various vehicles. An adversary can exploit this security vulnerability to lock, unlock, or even start any Honda Civic.

The researchers, Ayyappan Rajesh and HackingIntoYourHeart, revealed in a GitHub post how they were able to control many vehicles without the need for remote controls. This is possible because of a security flaw in the way the Honda Remote Keyless Entry (RKE) System communicates with separate vehicles.

The system sends the same unencrypted RF signals to each vehicle it interacts with. As a result, an intercepting adversary can exploit this security flaw to target any chosen vehicle via replay attacks.

“The remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start (if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack.”

The researchers used a few simple tools to test the exploit, including FCCID.io, HackRF One, Gqrx, and GNURadio. Then, using the same sequence, they could lock or unlock a target car or remotely control the engine.

In their GitHub post, the researchers have shared separate videos that demonstrate these attacks as proof of concept. This vulnerability (CVE-2022-27254) affects all Honda Civic (LX, EX, EX-L, Touring, Si, Type R) models from 2016 to 2020.

Mitigation
Honda, ironically, has stated that it has no plans to fix the problem in older models, according to several media sources. As Chris Martin, Honda spokesperson, stated, “Honda has not verified the information reported by researchers and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this time.”

To address this issue, researchers have shared a few mitigation strategies. In a nutshell, they advise manufacturers to use “hopping codes” (different codes for every authentication). For users, they recommend keeping the key fob in a Faraday pouch, or using the passive keyless entry (PKE) system instead of the RKE.
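
The difference between a fixed code and a hopping code shows up in a small receiver-side simulation. This is an added example, not code from the researchers or from Honda; the frame layout, HMAC construction, key, static code bytes and acceptance window are constructed assumptions and do not model any real key fob protocol.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed: how far ahead of the last counter the receiver still accepts

class FixedCodeReceiver:
    """Models the flawed design: one static, unauthenticated code per command."""
    def __init__(self, codes):
        self.codes = codes  # command name -> static bytes
    def accept(self, command, frame):
        return hmac.compare_digest(self.codes[command], frame)

def rolling_frame(key, counter, command):
    """Fob side: 4-byte counter in clear, then a truncated HMAC over counter + command."""
    header = struct.pack(">I", counter)
    tag = hmac.new(key, header + command.encode(), hashlib.sha256).digest()[:8]
    return header + tag

class RollingCodeReceiver:
    """Receiver that accepts each counter value at most once."""
    def __init__(self, key, counter=0):
        self.key = key
        self.last = counter
    def accept(self, command, frame):
        if len(frame) != 12:
            return False
        (counter,) = struct.unpack(">I", frame[:4])
        # Reject a counter at or behind the last accepted one (replay) or too far ahead.
        if not (self.last < counter <= self.last + WINDOW):
            return False
        if not hmac.compare_digest(rolling_frame(self.key, counter, command), frame):
            return False
        self.last = counter  # advance only after the tag verifies
        return True

def demo():
    key = b"constructed-demo-key"           # constructed sample key
    fixed = FixedCodeReceiver({"unlock": b"\xa5\x5a\x01"})  # constructed static code
    rolling = RollingCodeReceiver(key)
    captured = rolling_frame(key, 1, "unlock")  # frame an eavesdropper would record
    return {
        "fixed_first": fixed.accept("unlock", b"\xa5\x5a\x01"),
        "fixed_replay": fixed.accept("unlock", b"\xa5\x5a\x01"),
        "rolling_first": rolling.accept("unlock", captured),
        "rolling_replay": rolling.accept("unlock", captured),
        "rolling_next": rolling.accept("unlock", rolling_frame(key, 2, "unlock")),
    }

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the recorded frame every time, while the rolling-code receiver accepts it once and rejects the replay because the counter has already been consumed.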
