Experts demonstrate how to unlock several Honda models via Rolling-PWN attack

Bad news for the owners of several Honda models, the Rolling-PWN Attack vulnerability can allow unlocking their vehicles.

A team of security Researchers Kevin2600 and Wesley Li from Star-V Lab independently discovered a flaw in Honda models, named the Rolling-PWN Attack vulnerability (CVE-2021-46145), that can allow unlocking their vehicles-

A remote keyless entry system (RKE) allows remotely unlocking or starting a vehicle. The researchers tested a remote keyless entry system (RKE) that allows to remotely unlock or start a vehicle and discovered the Rolling-PWN attack issue. According to the experts, the issue affects all Honda vehicles on the market (From the Year 2012 up to the Year 2022).

Successful exploitation of this flaw can allow attackers to permanently open the car door or even start the engine of a vehicle.

The issue resides in a version of the rolling codes mechanism implemented in many Honda models to prevent replay attacks.

“We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles. A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design.” reads the description of the Rolling Pwn Attack published on GitHub. “By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”

The experts successfully tested the attack against 10 most popular models of Honda vehicles from the Year 2012 up to the Year 2022, including:

  · Honda Civic 2012
  · Honda X-RV 2018
  · Honda C-RV 2020
  · Honda Accord 2020
  · Honda Odyssey 2020
  · Honda Inspire 2021
  · Honda Fit 2022
  · Honda Civic 2022
  · Honda VE-1 2022
  · Honda Breeze 2022

The researchers also published a set of PoC videos, below is an attack against a Honda CRV:

The researchers pointed out that there is no possibility to discover if someone has exploited the flaw against a model because the exploitation does not leave any traces in traditional log files.

How to fix the issue?

“The common solution requires us to bring the vehicle back to a local dealership as a recall. But the recommended mitigation strategy is to upgrade the vulnerable BCM firmware through Over-the-Air (OTA) Updates if feasible. However, some old vehicles may not support OTA.” the experts recommended.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Rolling-PWN Attack)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.