
Honda Remote Keyless Entry Exploit Discovered

vetali

Summary

 

A serious flaw in Honda's Remote Keyless Entry (RKE) system has been discovered. Dubbed the "Rolling Pwn Attack," it allows someone with fairly inexpensive hardware to execute an exploit on the rolling code security authentication system. It can currently perform all button commands on the keyfob (lock, unlock, remote start, trunk/hatch release, and theoretically the sliding door function on Odyssey vans). It cannot allow you to drive away with the vehicle, as the proximity system prevents it. The person(s) that discovered this exploit believe it can be possible on other manufacturers as well.

 

 

Quotes

Quote

... When a lock or unlock button is pressed on a paired key fob, the fob sends a unique code wirelessly to the vehicle encapsulated within the message. The vehicle then checks the code sent to it against its internal database of valid PRNG-generated [Pseudorandom Number Generator] codes, and if the code is valid, the car grants the request to lock, unlock, or start the vehicle.

The database contains several allowed codes, as a key fob may not be in range of a vehicle when a button is pressed and may transmit a different code than what the vehicle is expecting to be next chronologically. This series of codes is also known as a "window." When a vehicle receives a newer code, it typically invalidates all previous codes to protect against replay attacks.

 

This attack works by eavesdropping on a paired keyfob and capturing several codes sent by the fob. The attacker can later replay a sequence of valid codes and re-sync the PRNG. This allows the attacker to re-use older codes that would normally be invalid, even months after the codes have been captured.

Honda's PR then denies these claims, citing that the exact code exploited will prevent such exploits despite being duplicated by neutral parties.

 

Quote

"[W]e’ve looked into past similar allegations and found them to lack substance," said a Honda spokesperson in a statement to The Drive. "While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."

 

 

My thoughts

As a Honda dealer tech, very little information is provided to us about the RKE security system for good reason. The most interesting thing to me is it works with model year 22 Civics, which means the newest generation of Honda's smart access system is vulnerable. While articles cite that newer Honda models support OTA updates, that only applies to infotainment and telematics. Anything dealing with ECM, TCM, ABS, Body control, integrated driver support systems, smart access uses a J2534 rewrite program with the dealership's software and requires a compatible vehicle communications interface (VCI) plugged into the diagnostic port. Although this is changing in a few weeks to a newer software, it won't change the process. I am unsure if models pre-smart access units that used the combined keyless access/TPMS modules will have the ability to be updated without module replacement. Due to the chip shortage, that may not be feasible for several years if at all. I had a car wait 6 months for a keyless access/TPMS module recently, and one going on 7 months waiting on a smart access module.

 

Sources

https://www.thedrive.com/news/i-tried-the-honda-keyfob-hack-on-my-own-car-it-totally-worked

5800X3D / ASUS X570 Dark Hero / 32GB 3600mhz / EVGA RTX 3090ti FTW3 Ultra / Dell S3422DWG / Logitech G815 / Logitech G502 / Sennheiser HD 599

2021 Razer Blade 14 3070 / S23 Ultra
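The window and re-sync behaviour described in the quoted article, as an added example that is not part of the original post and is not Honda's implementation. The HMAC-based code generator, the `WINDOW` and `SEARCH` sizes, and the two-consecutive-codes resync rule are all assumptions chosen to show why a receiver's resync path must only ever move its counter forward.

```python
import hashlib
import hmac

WINDOW = 16   # assumed: how many codes ahead of the last accepted one are valid
SEARCH = 64   # assumed: how far the receiver looks when the fob is out of step


def code_for(key: bytes, counter: int) -> bytes:
    """Constructed stand-in for the fob's generator: truncated HMAC of a counter."""
    return hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


class Receiver:
    """Hypothetical vehicle-side validator; `strict` selects the resync policy."""

    def __init__(self, key: bytes, strict: bool):
        self.key, self.strict = key, strict
        self.last = 0        # counter of the last accepted code
        self.pending = None  # counter of the previous out-of-window code

    def _counter_of(self, code: bytes):
        # Strict: only counters newer than the last accepted one are candidates.
        # Lax: resync may also land on counters that were already used.
        lo = self.last + 1 if self.strict else max(1, self.last - SEARCH)
        for c in range(lo, self.last + 1 + SEARCH):
            if hmac.compare_digest(code, code_for(self.key, c)):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        c = self._counter_of(code)
        if c is None:
            self.pending = None
            return False
        if self.last < c <= self.last + WINDOW:      # normal in-window press
            self.last, self.pending = c, None
            return True
        if self.pending is not None and c == self.pending + 1:
            self.last, self.pending = c, None        # two consecutive codes: resync
            return True
        self.pending = c                             # wait for the next code in sequence
        return False


def replay_old_codes(strict: bool) -> list:
    key = b"constructed-demo-key"          # constructed sample key
    rx = Receiver(key, strict)
    for n in range(1, 11):                 # owner presses the fob ten times
        rx.receive(code_for(key, n))
    old = [code_for(key, n) for n in (1, 2, 3)]   # codes the car has already consumed
    return [rx.receive(code) for code in old]


if __name__ == "__main__":
    print("lax resync:   ", replay_old_codes(strict=False))
    print("strict resync:", replay_old_codes(strict=True))
```

With the lax policy the receiver's counter is pulled backwards by the second old code, so every later old code falls inside the normal window again; the strict policy still lets a fob that is far ahead resynchronise, but never reopens consumed codes.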


Anything with wireless and electronics is prone to hacking. I still prefer the manual key insert method.

I have ASD (Autism Spectrum Disorder). More info: https://en.wikipedia.org/wiki/Autism_spectrum

 

I apologize if my comments or post offend you in any way, or if my rage got a little too far. I'll try my best to make my post as non-offensive as possible.


4 minutes ago, Somerandomtechyboi said:

Bet ppl that own old cars are laughing their asses off at all these dumb hacks and exploits on new cars, i mean you don't even need to wire the damn thing and it'll work

Depends. Seen shaved keys get into and start older cars within seconds.


20 minutes ago, vetali said:

Depends. Seen shaved keys get into and start older cars within seconds.

Basically the same as wiring i assume, but no exploits to just let you in without damaging the car and setting off alarms to alert everyone not to mention the noise, also manual transmission


3 minutes ago, bmx6454 said:

would have to find my kill-switch(s) first lol, and know how to drive stick.

Yeah after that incident I wired a switch to the shift interlock (automatic). You can start it, but you aren't going anywhere lol.


7 minutes ago, Arika S said:

More and more i find myself only wanting to buy older cars without all this new bullshit technology.

I have 2 older beaters in case my daily driver gets a bad module and has to wait 6-9 months for a replacement. See it way too much recently at work. Trying to sell one of the beaters, but gas prices are too high right now for that rig to be desirable.

 

 


13 minutes ago, Arika S said:

More and more i find myself only wanting to buy older cars without all this new bullshit technology.

Yea id prefer to avoid that nonsense, makes car easy to steal, steals your data, and weighs down your car

 

Though i wouldn't buy new anyways cause i'm looking for rwd stuff, those 82-84 dx going for dirt cheap and it's a bulletproof car too, more simple = less points of failure and less garbage in the way of modding or even doing basic maintenance


Meh. Car has a GPS, it can be tracked if stolen. You have insurances as well. 

 

keyless and keyfob, both aren't perfect security wise. If someone wants to steal your car, they'll do it. But I suspect the only thing that would be stolen is your catalytic converter.


So from what I can see, it almost seems like a standard replay attack...except that maybe Honda forgot to invalidate older rolling codes...so you have a greater window for the replay opportunity.

 

This doesn't seem too big of a deal, if they were sophisticated enough to do that they are also sophisticated enough to make the relay device to actually steal a remote start car while you sleep.

 

3 hours ago, Somerandomtechyboi said:

Bet ppl that own old cars are laughing their asses off at all these dumb hacks and exploits on new cars, i mean you don't even need to wire the damn thing and it'll work

I'd like to introduce your vehicle to a screwdriver.  Jokes aside, a screwdriver literally was used to break the lock on my old vehicle...so yea, I bet the new car people are laughing at your $300 lock repair.

 

2 hours ago, Somerandomtechyboi said:

Yea id prefer to avoid that nonsense, makes car easy to steal, steals your data, and weighs down your car

 

Though i wouldn't buy new anyways cause i'm looking for rwd stuff, those 82-84 dx going for dirt cheap and it's a bulletproof car too, more simple = less points of failure and less garbage in the way of modding or even doing basic maintenance

At the cost of fuel efficiency.  Also newer vehicles are harder to steal...notice how this attack you can't actually steal the vehicle.

 

Fuel overall ends up being a large portion of a vehicle's cost, which new ones can save quite a bit (if you are going back to the era where there weren't electronics)

3735928559 - Beware of the dead beef


3 hours ago, Arika S said:

More and more i find myself only wanting to buy older cars without all this new bullshit technology.

Older cars have thingy inside the window that unlocks the car. You can take a ruler and insert it from outside the window - and after you poke around you'll unlock the door. And then you can just hotwire it to start and run away

 

In case that doesn't work, you could always break a window as well. 

 

Jokes aside, newer cars are much harder to steal. They have GPS, they're always cloud connected in case you want to disable the car through app or set geofence, plus features like Sentry mode will alert you in case someone is too close to your car and doing shady shit


1 minute ago, RedRound2 said:

Jokes aside, newer cars are much harder to steal. They have GPS, they're always cloud connected in case you want to disable the car through app or set geofence, plus features like Sentry mode will alert you in case someone is too close to your car and doing shady shit

Interesting, haven't really seen any of these features since ppl here in indo mostly drive lower end cars

 

26 minutes ago, wanderingfool2 said:

I'd like to introduce your vehicle to a screwdriver.  Jokes aside, a screwdriver literally was used to break the lock on my old vehicle...so yea, I bet the new car people are laughing at your $300 lock repair

A kill switch or 3 will make the car basically unstealable but i wonder if you can install a kill switch in newer cars, ive only seen it done in older ones

 

27 minutes ago, wanderingfool2 said:

At the cost of fuel efficiency.  Also newer vehicles are harder to steal...notice how this attack you can't actually steal the vehicle.

 

Fuel overall ends up being a large portion of a vehicle's cost, which new ones can save quite a bit (if you are going back to the era where there weren't electronics)

If i cared about fuel cost savings then i would just go diesel, after all you can use alot more fuels on a diesel engine than a gas one, including veggie oil

 

Also have you considered older vehicles usually run on lower octane fuel? I think some new vehicles have some timing retard or whatever other mitigations to stop detonation from occurring on lower octane fuels but not sure if all of them have these safety features, esp the lower end ones


34 minutes ago, wanderingfool2 said:

I'd like to introduce your vehicle to a screwdriver.  Jokes aside, a screwdriver literally was used to break the lock on my old vehicle...so yea, I bet the new car people are laughing at your $300 lock repair.

A $300 lock repair vs. possibly thousands and waiting months for a new remote key lock system, yeah I think I'd rather use a manual key.

3 minutes ago, Somerandomtechyboi said:

A kill switch or 3 will make the car basically unstealable but i wonder if you can install a kill switch in newer cars, ive only seen it done in older ones

iirc you can but installing one is much more complicated due to newer cars having a bunch of computer modules all connected together and you can get weird errors if you want to bypass anything.

14 minutes ago, RedRound2 said:

always cloud connected

I don't want my car connected to the cloud as that is another way for it to get hacked, and if the cloud server goes down good luck being able to drive your car.


4 minutes ago, Somerandomtechyboi said:

Interesting, haven't really seen any of these features since ppl here in indo mostly drive lower end cars 

Yeah they're becoming more and more widespread in newer cars

4 minutes ago, Somerandomtechyboi said:

A kill switch or 3 will make the car basically unstealable but i wonder if you can install a kill switch in newer cars, ive only seen it done in older ones

Yup, internet connected cars do have a kill switch. At least some of them have. You can also put geo fencing features where the car sort of stops working beyond an area


3 minutes ago, Blademaster91 said:

I don't want my car connected to the cloud as that is another way for it to get hacked, and if the cloud server goes down good luck being able to drive your car.

Umm, I hope you actually don't think the low level vehicle functions always rely on cloud connection. That's more of a doomsday future scenario, but currently all these cars work without internet as well.


2 minutes ago, Blademaster91 said:

iirc you can but installing one is much more complicated due to newer cars having a bunch of computer modules all connected together and you can get weird errors if you want to bypass anything.

This is why i dont want a new car along with all the damn cloud stuff, modifying and even fixing can be a massive pain cause computers with proprietary code while an old car just slap on whatever the hell you want and if it works it works if it doesnt then need more improvisation

 

I dont have much knowledge on new cars since i dont wanna bother with em anyways, too damn expensive and fwd (not fun except civic or cars that have massive communities around em which are usually quite expensive), a computer to help make the car more efficient but also being able to run the thing without an ecu would be ideal since ecu brings efficiency and if it dies or something you can still run the car but unfortunately some stuff just cant run w/o ecu like fuel injectors


20 minutes ago, Blademaster91 said:

A $300 lock repair vs. possibly thousands and waiting months for a new remote key lock system, yeah I think I'd rather use a manual key.

Except that isn't the worry.  It's not like the thief can walk by all Hondas and unlock your door.  They literally have to record the press from my understanding.  Not like it was fully broken.

 

So yea, I'd prefer this method than having a lock that can be broken via screwdriver.  Also...like everything, the easiest way to enter a vehicle to steal the stuff is just smashing a window

 

27 minutes ago, Somerandomtechyboi said:

A kill switch or 3 will make the car basically unstealable but i wonder if you can install a kill switch in newer cars, ive only seen it done in older ones

I mean some of the newer vehicles you can literally track the location when it's stolen.  If all vehicles adopted some of the features new vehicles have, I'd bet they would be stolen less often (or at least recovered more)...e.g. Teslas were 90% less likely to be stolen


Article mentions models ranging from 2012 up to today:

  • 2012 Honda Civic
  • 2018 Honda X-RV
  • 2020 Honda C-RV
  • 2020 Honda Accord
  • 2021 Honda Accord
  • 2020 Honda Odyssey
  • 2021 Honda Inspire
  • 2022 Honda Fit
  • 2022 Honda Civic
  • 2022 Honda VE-1
  • 2022 Honda Breeze

 

I am pretty sure that the 2014-2016 models are affected as well, highly doubt that my 2016 Civic Type R GT uses different tech than the aforementioned models.

Was expecting this kind of vulnerability coming up sooner or later, took them longer than I thought.

 

Reason why I still got it is because I genuinely don't care, even without wireless tech, if somebody wants to get into your car and steal it he will, regardless how opening a door and starting an engine is managed, there is always a way.

Regardless, I hope that Honda PR stops fucking around and instead acknowledges this in order to push a free no warranty required fix that can be pushed by using their Honda Partner Garages, both the keys and onboard system have to be patched I suppose.


8 hours ago, Arika S said:

More and more i find myself only wanting to buy older cars without all this new bullshit technology.

Fact - Cars ran just fine for decades without all the computerized bullshit.

I've seen vehicles actually come to a stop over some real bullshit code that amounted to nothing to even worry about, much less justify it having to sit overnight wherever the computer decided to stop it, which could really be anywhere.

I used to work on these kinds of things and some of the reasons why an electric vehicle (Industrial) would stop were simply ridiculous. If these same reasons for it stopping/quitting wherever applied to electric cars on the road today, the majority of folks would be raising hell over it and justifiably so in my opinion.

Related to theft - All these modern anti-theft features still amount to the same thing as an old fashioned door lock - It will keep an honest man out but won't stop a determined thief.
However that in itself doesn't mean you have to make it easy on the thieves.

Where I used to work I had an E-Z GO electric golf cart that was "Mine" and I used it all the time but guys from other shifts would also use it and never plug it up after they were done with it, making me have to do without it while it charged... Then they would come in after I had left and do it all over again but didn't take long to break them from doing it.

Because I understood HOW they worked, I was able to wire in a little "Something" that allowed me to make it behave exactly like it had dead batteries even if it was fully charged. Even though it would move, it would literally crawl way slower than walking speed instead of just going and they got the message in short order.
Them watching me get on it and take off normally didn't help them figure out what I had done or was doing to enable full speed operation for myself either so they finally left it alone. 😁

Nothing is theft-proof but you can make it a royal PITA to steal.

 

"If you ever need anything please don't hesitate to ask someone else first"..... Nirvana
"Whadda ya mean I ain't kind? Just not your kind"..... Megadeth
Speaking of things being "All Inclusive", Hell itself is too.

 


10 hours ago, bmx6454 said:

would have to find my kill-switch(s) first lol, and know how to drive stick.

My sports car has a kill switch and then if they figure that out they better know how to drive stick and if they figure that out it's still going to be stuck in valet mode and I doubt a car stuck at 45mph makes a good getaway vehicle 🤣


10 hours ago, vetali said:

Yeah after that incident I wired a switch to the shift interlock (automatic). You can start it, but you aren't going anywhere lol.

My fuel pump wouldn't kick on in my old S10 unless you first turned the dome light on, lol.


5 hours ago, strajk- said:

Article mentions models ranging from 2012 up to today:

  • 2012 Honda Civic
  • 2018 Honda X-RV
  • 2020 Honda C-RV
  • 2020 Honda Accord
  • 2021 Honda Accord
  • 2020 Honda Odyssey
  • 2021 Honda Inspire
  • 2022 Honda Fit
  • 2022 Honda Civic
  • 2022 Honda VE-1
  • 2022 Honda Breeze

 

I am pretty sure that the 2014-2016 models are affected as well, highly doubt that my 2016 Civic Type R GT uses different tech than the aforementioned models.

Was expecting this kind of vulnerability coming up sooner or later, took them longer than I thought.

 

Reason why I still got it is because I genuinely don't care, even without wireless tech, if somebody wants to get into your car and steal it he will, regardless how opening a door and starting an engine is managed, there is always a way.

Regardless, I hope that Honda PR stops fucking around and instead acknowledges this in order to push a free no warranty required fix that can be pushed by using their Honda Partner Garages, both the keys and onboard system have to be patched I suppose.

Sounds like everything with the black square fob is affected. Plus the new rounded keys on the 22 and newer Civics and 23 HR-Vs.... for all 20 of those cars they've sold. Safe to assume Acura is affected as well.

 

This exploit won't change thieves from smashing and grabbing, obviously. I do wonder if eventually the proximity feature can be exploited in the future to allow someone to drive off with the car. I don't think the flaw exists in the keys. They should be fine. Likely will need to be reprogrammed to the vehicle if Honda can update the modules.

 

Honda's PR has always been crap. They don't even have the ability to submit a bug/exploit report. You have to go through customer service.... lol
