Security researchers have discovered a way to remotely unlock and start a variety of Honda vehicles using an exploit that targets the vehicles’ key fobs. Honda has attempted to brush aside the claims, but the bug appears to be quite widespread and the exploit is easy to reproduce. Even a reporter for The Drive managed to test it out and successfully hacked his own car. Researchers say there’s no way to guard against the hack and no way to determine if it happened to you.
The attack, which has been dubbed “Rolling Pwn,” targets a bug in Honda’s remote keyless entry system, exploiting the way vehicles transmit authentication codes between the car and the key fob. Using easily purchasable hardware, the researchers were able to digitally eavesdrop on and capture those codes, then redeploy them at will. This allowed them to easily unlock and start cars affected by the vulnerability, which included models from as far back as 2012 and as recent as 2022.
Quite disturbingly, there doesn’t appear to be any fix for this issue. A Common Vulnerabilities and Exposures (CVE) entry has been filed, but it doesn’t list a patch. Even worse, the researchers write that there’s no way to tell whether someone has targeted your car with the exploit, as the “exploitation does not leave any traces in traditional log files.” In other words, someone could execute the exploit, unlock your car and rifle through your vehicle, without you ever knowing it had happened.
The issue was discovered by a pseudonymous researcher who goes by “Kevin2600,” and his research partner, Wesley Li. The research closely resembles, but differs slightly from, threat research on a similar Honda vulnerability that was discovered in March. The “Rolling Pwn” researchers write:
“The goal of our research was to evaluate the resistance of a modern-day RKE [remote keyless entry] system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently existing on the market (From the Year 2012 up to the Year 2022),” the researchers wrote. “This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.”
The research identifies the following models as being vulnerable to the exploit: 2012 Honda Civic, 2018 Honda X-RV, 2020 Honda C-RV, 2020 Honda Accord, 2021 Honda Accord, 2020 Honda Odyssey, 2021 Honda Inspire, 2022 Honda Fit, 2022 Honda Civic, 2022 Honda VE-1, 2022 Honda Breeze. However, other vehicles besides Honda could also be affected, researchers write.
Rob Stumpf, of The Drive, tested out the exploit for himself and shared a video of the hijacked car starting up.
Unfortunately, Honda doesn’t appear to be taking the research too seriously. Kevin2600 says that when he reached out to Honda about the vulnerability he was told to contact customer service. When Vice News reached out, the company apparently sent them a statement claiming that the research was “old news.” A company spokesperson told the outlet:
“We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims...”
“As expected Honda denied the bug exists. So best luck to all Honda owners :P,” the researcher tweeted, following the publication of Vice’s story.
Gizmodo reached out to Honda for comment and the company eventually got back to us and admitted the vulnerability was a problem. An earlier version of Gizmodo’s story implied that the vulnerability could allow a hacker to drive off with your vehicle, but Honda says that is not possible.
“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of ours,” said a company spokesperson. “However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”