Image: Kevin2600
The researcher told Motherboard that he and his colleagues went to a Honda dealership to test the attack on different models, and found that 10 of them are vulnerable, which makes them think all Honda models from 2012 to 2022 are vulnerable to this attack.

A Honda spokesperson told Motherboard that the vulnerability found by Kevin2600 is “old news.”

“Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing,” the spokesperson wrote in an email. The spokesperson was referring to research from earlier this year, which focused on fixed codes, and not rolling codes.

“We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims,” the spokesperson wrote.
These kinds of attacks to unlock cars and other targets are relatively common. Earlier this year, other security researchers found a similar issue with other Honda cars, although in that case the problem was with fixed codes, as opposed to rolling codes. Then in June, researchers demonstrated that they were able to unlock Tesla cars with a similar attack. Well-known security researcher Samy Kamkar has made these attacks one of his trademarks, building devices to unlock garage doors and cars.

Kevin2600 wrote that the attack does not leave any traces, so there’s no way to know if anyone has exploited the flaw to open your car. To fix the issue, he wrote, the ideal would be a recall so owners could take the car back to their local dealership, but it’s also possible that the keyfob’s vulnerable firmware could be patched.

Do you research similar vulnerabilities? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com