A recent research report has found that certain models of Honda cars are vulnerable to a “Rolling-PWN” exploit.
This exploit allows thieves to gain access to the car by permanently unlocking its doors or even starting it from a distance.
How keyless systems work
Many modern vehicles use a remote keyless entry system that allows owners to unlock or even start the car from a distance.
While convenient, this system has flaws and is relatively simple in how it works.
At first, the remote keyless device (key fob) sent a unique static coded signal that the car recognised and acted on.
Each code was unique and thus secure. However, hackers could remotely record these static codes and repeat them – much like stealing someone’s computer or phone password.
As a result, car manufacturers updated the system into a “rolling code” format.
In the rolling code format, the key fob sends a different, new code each time it’s activated, produced by a “Pseudorandom Number Generator”.
The system uses a synchronised counter to ensure both the key fob and car remain in the same place on the code list.
The car then reads this code and compares it to its internal lists of valid generated codes before accepting it.
One fundamental problem with this system arises if you accidentally activate your key fob outside your car’s range: the key’s code rolls along its generated list, but the car stays on the previous code.
The system includes a sliding window of codes that will re-synchronise the car’s lists after you’ve sent several signals from the key fob.
It is this sliding window feature that is the cause of the current Rolling-PWN vulnerability.
The Rolling-PWN problem
The Rolling-PWN vulnerability is due to the re-synchronise feature and how it can be abused.
A prospective thief need only send a consecutive sequence of codes they recorded previously. Once received, the sequence resets the car’s position on its code list – validating the thief’s codes.
Once the car has resynced with the false code sender, it will accept its old codes and validate the requests to lock, unlock, or start its engine.
Unfortunately, this exploit of the rolling code system is almost undetectable – as you won’t be alerted to a thief stealing your transmitted key fob codes.
A journalist for The Drive recently performed the exploit successfully on his own 2021 Honda Accord using a Software-Defined Radio.
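The resynchronisation flaw described above, as a simulation added here (not code from the report or from Honda). HMAC over a counter stands in for the fob's pseudorandom generator, and the key, the 16-code window and the "two consecutive stale codes" resync rule are assumptions; the block contrasts a receiver that lets stale codes move its counter backwards with one that only ever moves forward.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # constructed shared secret, not a real fob key
WINDOW = 16                     # assumed size of the look-ahead sliding window

def code(counter: int) -> bytes:
    """Rolling code for a counter value (HMAC stands in for the fob's PRNG)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:4]

class Receiver:
    def __init__(self, allow_backward_resync: bool):
        self.counter = 0        # last counter value the car accepted
        self.allow_backward_resync = allow_backward_resync
        self.prev_old = None    # last stale counter seen (flawed path only)

    def _find(self, rx: bytes, lo: int, hi: int):
        """Return the counter in [lo, hi) whose code matches rx, or None."""
        return next((c for c in range(lo, hi)
                     if hmac.compare_digest(code(c), rx)), None)

    def receive(self, rx: bytes) -> bool:
        # Normal path: accept only codes ahead of the counter, inside the window.
        c = self._find(rx, self.counter + 1, self.counter + 1 + WINDOW)
        if c is not None:
            self.counter, self.prev_old = c, None
            return True
        if not self.allow_backward_resync:
            return False        # hardened: the counter never moves backwards
        # Flawed path (assumed model): consecutive stale codes resync the car.
        old = self._find(rx, 1, self.counter + 1)
        if old is not None and self.prev_old is not None and old == self.prev_old + 1:
            self.counter, self.prev_old = old, None
            return True
        self.prev_old = old
        return False

def replay_outcome(allow_backward_resync: bool) -> list:
    """Owner uses the fob ten times, then three recorded codes arrive again."""
    car = Receiver(allow_backward_resync)
    recorded = [code(c) for c in (1, 2, 3)]      # constructed earlier transmissions
    for c in range(1, 11):                       # legitimate use: counter reaches 10
        assert car.receive(code(c))
    return [car.receive(rx) for rx in recorded]  # stale codes presented afterwards
```

With the backward resync enabled the receiver ends up accepting codes it had already consumed; with it disabled every stale code is rejected, which is the property a rolling-code receiver is supposed to guarantee.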
Affected vehicles
While this exploit was specifically investigated with Honda vehicles released onto the market from 2012 to 2022, the hack can potentially be done with any vehicle that has a key fob system.
Listed below are the confirmed vulnerable Honda vehicles, as taken from the report.
- 2012 Honda Civic
- 2018 Honda XR-V
- 2020 Honda CR-V
- 2020 Honda Accord
- 2020 Honda Odyssey
- 2021 Honda Inspire
- 2022 Honda Fit
- 2022 Honda Civic
- 2022 Honda VE-1
- 2022 Honda Breeze
Thus far, the manufacturer has not released any official indication that it will fix the exploit. However, it’s possible the vulnerability could be resolved with an over-the-air update to newer models.
Older models may have to be taken to a dealership directly if the Rolling-PWN attack is confirmed by Honda to be a real issue.