Security experts have discovered that a bug in some models of Honda and Acura cars allows a nearby attacker to unlock the car and even start its engine using a replay attack.
The idea of the attack is not new: an attacker intercepts the signals sent from the key fob to the car and then replays them to gain control of the car's keyless remote access system.
According to experts, 2016-2020 Honda Civic cars (LX, EX, EX-L, Touring, Si, Type R) are mainly affected by this problem. The equipment needed for the attacks is not at all complicated: the experts used a HackRF One SDR, a laptop, an account on FCCID.io, access to the Gqrx SDR software, and the GNURadio toolkit.
The vulnerability, which received the identifier CVE-2022-27254, belongs to the Man-in-the-Middle (MitM) type, or rather, as noted above, is a replay attack. In particular, among the details published by the researchers on GitHub, there is a video that clearly demonstrates the remote start of the engine. The authors of these experiments are security experts Ayyappan Rajesh, Blake Berry, head of security at Cybereason Sam Curry, and his professors from the University of Massachusetts at Dartmouth.
On GitHub, the researchers write that it is possible to use the intercepted commands and retransmit them to achieve a wide variety of results. For example, in one of the tests, Berry recorded the “Close” command sent by the key fob, which consisted of the following bits: 653-656, 667-668, 677-680, 683-684, 823-826, 837-838, 847-850, 853-854. The expert “flipped” them and re-sent those bits to the car, which in turn led to it being unlocked.
Interestingly, Berry already reported a similar vulnerability (CVE-2019-20626) affecting a number of Honda and Acura models in 2020, but he wrote at the time that Honda representatives ignored his report and did not implement any security measures against this simple attack. This issue affected the following cars:
- 2009 Acura TSX
- 2016 Honda Accord V6 Touring Sedan
- 2017 Honda HR-V
- 2018 Honda Civic Hatchback
- 2020 Honda Civic LX
To protect against such vulnerabilities, the researchers recommend that car manufacturers use so-called “rolling codes”: this technology creates fresh codes for each authentication request, so an attacker cannot reproduce the codes later.
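The difference between a fixed code and a rolling code on the receiver side, as an added example that is not code from the researchers or from any vehicle. It assumes the fob and car share a secret key and a press counter, and it uses a truncated HMAC as a stand-in for whatever cipher a real fob uses; every name, key and command value here is constructed.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16                    # assumed look-ahead for presses made out of range

def make_frame(key, counter, command):
    """Fob side: command byte + 32-bit counter + 8-byte truncated HMAC tag."""
    body = struct.pack(">BI", command, counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Static-code behaviour: a byte-identical frame is accepted every time."""
    def __init__(self, valid_frames):
        self.valid = set(valid_frames)
    def accept(self, frame):
        return frame in self.valid

class RollingCodeReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key, last_counter=0):
        self.key, self.last = key, last_counter
    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False        # modified frame: tag no longer matches
        _, counter = struct.unpack(">BI", body)
        if not (self.last < counter <= self.last + WINDOW):
            return False        # stale (replayed) or implausibly far ahead
        self.last = counter     # advance so this frame can never be reused
        return True

def demo():
    unlock = 0x01                                # constructed command value
    captured = make_frame(KEY, 1, unlock)        # frame as recorded off the air
    fixed, rolling = FixedCodeReceiver({captured}), RollingCodeReceiver(KEY)
    first = (fixed.accept(captured), rolling.accept(captured))
    replay = (fixed.accept(captured), rolling.accept(captured))
    flipped = bytes([captured[0] ^ 0x03]) + captured[1:]  # altered command bits
    return first, replay, rolling.accept(flipped)

if __name__ == "__main__":
    print(demo())
```

The fixed-code receiver accepts the recorded frame a second time, while the rolling-code receiver rejects both the replay and the bit-modified copy.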
When Bleeping Computer contacted Honda for comment, the company said many automakers use outdated technology to implement remote lock and unlock, and therefore may be vulnerable to “decisive and tech-savvy thieves.”
The company believes that a nearby attacker can use other means to access the vehicle (that is, simply open the car physically) and does not need to resort to such high-tech hacks at all. In addition, the Honda statement emphasizes that there is no indication that the type of attack in question is in widespread use.