WTF?! Researchers recently uncovered a vulnerability that could allow hackers to remotely unlock and start several Honda vehicle models. The list of impacted models identifies 10 of Honda’s most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability could be present on all Honda vehicles from 2012 through 2022.
The security flaw, dubbed RollingPWN by researchers, exploits a component of Honda’s keyless entry system. The current entry system relies on a rolling code model that creates a new entry code each time owners press the fob button. Once a new code is issued, the previous ones should be made unusable to prevent replay attacks. Instead, researchers Kevin2600 and Wesley Li discovered that old codes could be rolled back and used to gain unwanted access to the vehicle.
The researchers tested the vulnerability across several Honda models ranging from 2012 through 2022. The list of affected test vehicles includes:
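The rolling-code check described above, as an added Python example that is not code from the researchers or from Honda: it compares a receiver that only accepts counters ahead of the last accepted one with a hypothetical flawed receiver that also searches behind its stored counter and resynchronizes to the match. The key, the HMAC-based code derivation, the window size and the flawed backward search are all assumptions made for illustration, not Honda's actual implementation.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"   # constructed shared secret, not a real fob key
WINDOW = 16                     # assumed look-ahead window for missed presses

def code_for(counter: int) -> bytes:
    """Derive the one-time code for a counter value (constructed HMAC scheme)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Fob:
    def __init__(self):
        self.counter = 0

    def press(self) -> bytes:
        self.counter += 1               # every press yields a new code
        return code_for(self.counter)

class Receiver:
    """strict=True: only counters ahead of the last accepted one are valid.
    strict=False: hypothetical flawed check that also searches behind the
    stored counter and resynchronizes to whatever matched."""
    def __init__(self, strict: bool):
        self.strict = strict
        self.last = 0

    def accept(self, code: bytes) -> bool:
        start = self.last + 1 if self.strict else max(1, self.last - WINDOW)
        for candidate in range(start, self.last + WINDOW + 1):
            if hmac.compare_digest(code, code_for(candidate)):
                self.last = candidate   # flawed mode can move this backward
                return True
        return False

def replay_outcome(strict: bool) -> dict:
    """Owner presses the fob 5 times; the first code is later presented again."""
    fob, rx = Fob(), Receiver(strict)
    codes = [fob.press() for _ in range(5)]
    fresh = [rx.accept(c) for c in codes]
    old_accepted = rx.accept(codes[0])  # stale code presented again
    return {"fresh_ok": all(fresh), "old_accepted": old_accepted,
            "counter_after": rx.last}

if __name__ == "__main__":
    print("flawed  :", replay_outcome(strict=False))
    print("hardened:", replay_outcome(strict=True))
```

In the strict receiver the stored counter never decreases, so a code becomes permanently invalid once it or any later code has been accepted; the flawed receiver's counter drops back to 1 after the stale code is accepted.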
- Honda Civic 2012
- Honda XR-V 2018
- Honda CR-V 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
Based on the list and successful tests of the exploit, Kevin2600 and Li strongly believe the vulnerability could affect all Honda vehicles and not just the initial ten listed above.
Providing a fix for the vulnerability may be as complex as the exploit itself. Honda could patch the flaw via an over-the-air (OTA) firmware update, but many of the affected cars don’t support OTA. The larger pool of potentially impacted vehicles makes a recall scenario unlikely.
Ladies and gentlemen, it’s my honor to present to you the Rolling-Pwn attack research on the Honda Keyfob system. (https://t.co/UqJEJofxtr) pic.twitter.com/3ZccqfJrUa
— Kevin2600 (@Kevin2600) July 7, 2022
For now, research is ongoing to determine how widespread the vulnerability is. Based on the nature of the attack, Kevin2600 and Li strongly suspect that the issue may impact other car makers.
The finding is just one more in a series of entry vulnerabilities discovered across Honda’s line of vehicles this year. In March, researchers identified a man-in-the-middle exploit (CVE-2022-27254) where RF signals could be intercepted and manipulated for later use. Kevin2600 had also reported a similar replay attack (CVE-2021-46145) back in January 2022.