
WTF?! Researchers recently uncovered a vulnerability that could allow hackers to remotely unlock and start several Honda vehicle models. The list of impacted models identifies 10 of Honda's most popular models as vulnerable. To make matters worse, the current findings lead researchers to believe that the vulnerability may be present on all Honda vehicles from 2012 through 2022.
The security flaw, dubbed RollingPWN by researchers, exploits a component of Honda's keyless entry system. The current entry system relies on a rolling code model that creates a new entry code each time owners press the fob button. Once a new code is issued, the previous ones should be made unusable to prevent replay attacks. Instead, researchers Kevin2600 and Wesley Li found that the old codes can be rolled back and used to gain unwanted access to the vehicle.
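The property described above, that a used code must never be accepted again, can be shown with a simplified receiver model. This is an added example, not code from the researchers or from Honda: the HMAC-tagged counter format, the key, the window size and the two-sided window check in the flawed variant are all assumptions chosen to illustrate the class of failure, not the actual firmware logic.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed shared secret, not a real fob key
WINDOW = 16                    # assumed look-ahead window for missed presses

def make_code(counter: int, key: bytes = KEY) -> bytes:
    """Fob side (simplified model): 4-byte counter plus truncated HMAC tag."""
    c = counter.to_bytes(4, "big")
    return c + hmac.new(key, c, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, strict: bool, key: bytes = KEY):
        self.strict = strict
        self.key = key
        self.last = 0  # highest counter accepted so far

    def accept(self, code: bytes) -> bool:
        if len(code) != 12:
            return False
        c, tag = code[:4], code[4:]
        expected = hmac.new(self.key, c, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted code
        counter = int.from_bytes(c, "big")
        if self.strict:
            # Hardened: only counters strictly ahead of the last accepted one.
            ok = self.last < counter <= self.last + WINDOW
        else:
            # Flawed (hypothetical): window applied in both directions,
            # so an already-used counter still passes.
            ok = abs(counter - self.last) <= WINDOW
        if ok:
            self.last = counter  # in the flawed variant this rolls the state back
        return ok

def replay_demo(strict: bool) -> list:
    """Three legitimate presses, then a replay of the first captured code."""
    rx = Receiver(strict)
    captured = make_code(1)
    results = [rx.accept(captured),      # press 1
               rx.accept(make_code(2)),  # press 2
               rx.accept(make_code(5)),  # presses 3-4 missed, still in window
               rx.accept(captured)]      # replay of the code from press 1
    return results + [rx.last]
```

In the strict receiver the replay is rejected and the counter stays at 5; in the flawed one the replay is accepted and the stored counter drops back to 1, which makes every later-captured code valid again.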
The researchers tested the vulnerability across several Honda models ranging from 2012 through 2022. The list of affected test vehicles includes:
- Honda Civic 2012
- Honda XR-V 2018
- Honda CR-V 2020
- Honda Accord 2020
- Honda Odyssey 2020
- Honda Inspire 2021
- Honda Fit 2022
- Honda Civic 2022
- Honda VE-1 2022
- Honda Breeze 2022
Based on the list and successful tests of the exploit, Kevin2600 and Li strongly believe the vulnerability could affect all Honda vehicles and not just the initial ten listed above.
Providing a fix for the vulnerability may be as complex as the exploit itself. Honda could patch the flaw via an over-the-air (OTA) firmware update, but many of the cars affected don't provide OTA support. The larger pool of potentially impacted vehicles makes a recall scenario unlikely.
Ladies and gents, it’s my honor to present you the Rolling-Pwn attack research on Honda Keyfob system. pic.twitter.com/3ZccqfJrUa
— Kevin2600 (@Kevin2600) July 7, 2022
For now, research is ongoing to determine how widespread the vulnerability is. Based on the nature of the attack, Kevin2600 and Li strongly suspect that the issue may also impact other car makers.
The finding is just one more in a series of entry vulnerabilities discovered across Honda’s line of vehicles this year. In March, researchers identified a man-in-the-middle exploit (CVE-2022-27254) where RF signals could be intercepted and manipulated for later use. Kevin2600 had also reported a similar replay attack (CVE-2021-46145) back in January 2022.