Hackers Say They Can Unlock and Start Honda Cars Remotely

They key fobs of several Honda models have a flaw that could allow hackers to unlock and start the cars.
Screen Shot 2022-07-07 at 1
Image: Kevin2600
Screen Shot 2021-02-24 at 3
Hacking. Disinformation. Surveillance. CYBER is Motherboard's podcast and reporting on the dark underbelly of the internet.

Hackers could unlock and remotely start virtually all models of Honda cars, according to security researchers.

On Thursday, a security researcher who goes by Kevin2600 published a technical report and videos on a vulnerability that he claims allows anyone armed with a simple hardware device to steal the code to unlock Honda vehicles. Kevin2600, who works for cybersecurity firm Star-V Lab, dubbed the attack RollingPWN. 

Advertisement

“This weakness allows anyone to permanently open the car door or even start the car engine from a long distance,” Kevin2600 wrote in his report. “The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles.”

In a phone call, Kevin2600 explained that the attack relies on a weakness that allows someone using a software defined radio—such as HackRF—to capture the code that the car owner uses to open the car, and then replay it so that the hacker can open the car as well. In some cases, he said, the attack can be performed from 30 meters (approximately 98 feet) away. 

In the videos, Kevin2600 and his colleagues show how the attack works by unlocking different models of Honda cars with a device connected to a laptop.

The Honda models that Kevin2600 and his colleagues tested the attack on use a so-called rolling code mechanism, which means that—in theory—every time the car owner uses the keyfob, it sends a different code to open it. This should make it impossible to capture the code and use it again. But the researchers found that there is a flaw that allows them to roll back the codes and reuse old codes to open the car, Kevin2600 said.

Advertisement

The researcher told Motherboard that he and his colleagues went to a Honda dealership to test the attack on different models, and found that 10 of them are vulnerable, which makes them think all Honda models from 2012 to 2022 are vulnerable to this attack.

A Honda spokesperson told Motherboard that the vulnerability found by Kevin2600 is “old news.”

“Thus, I’d hope that you would treat it as such and move on to something current rather than creating a new round of people thinking that this is a ‘new’ thing,” the spokesperson wrote in an email. 

The spokesperson was referring to research from earlier this year, which focused on fixed codes, and not rolling codes. 

“We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims,” the spokesperson wrote.

Do you research similar vulnerabilities? We’d love to hear from you. You can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, Wickr/Telegram/Wire @lorenzofb, or email lorenzofb@vice.com

These kinds of attacks to unlock cars and other targets are relatively common. Earlier this year, other security researchers found a similar issue with other Honda cars, although in that case the problem was with fixed codes, as opposed to rolling codes. Then in June, researchers demonstrated that they were able to unlock Tesla cars with a similar attack. Well-known security researcher Samy Kamkar has made these attacks one of his trademarks, building devices to unlock garage doors and cars

Kevin2600 wrote that the attack does not leave any traces, so there’s no way to know if anyone has exploited the flaw to open your car. To fix the issue, he wrote, the ideal would be a recall so owners could take the car back to their local dealership, but it’s also possible that the keyfob’s vulnerable firmware could be patched. 

Subscribe to our podcast, CYBER. Subscribe to our new Twitch channel.