Editor's note: Honda has since offered clarification concerning the flaw. The story has been updated to reflect that nearly all Honda vehicles, not all, are affected.
Security researchers for Star-V Lab have uncovered a defect in Honda key fobs that makes the company’s vehicles vulnerable to remote hackers, TechCrunch reported. The defect allows hackers to remotely unlock and potentially start “all Honda vehicles currently existing on the market.”
Known as the “Rolling-Pwn” attack, the hacking method exploits a bug in how Honda’s keyless entry system transmits and receives authentication codes from key fobs. The vehicles should require a new code for each key fob authentication to prevent replay attacks such as this one. However, lock and unlock commands sent in a consecutive sequence were found to cause the cars to malfunction and accept old codes, which hackers had captured by eavesdropping on the key fob’s broadcast with radio equipment.
In a statement issued to TechCrunch, Honda spokesperson Chris Naughton said that the company “can confirm claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of ours.
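The replay protection described above comes down to one rule a receiver must never break: its counter only moves forward. The following is an added illustration, not code from Honda, its supplier or the researchers. It is a toy model in which the key, the window size, the frame layout and the "backward resync" rule of the flawed receiver are all assumptions made for the example, and it contrasts a receiver that keeps the rule with one that lets a consecutive run of old codes reset its counter.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16                    # assumed look-ahead window for missed presses

def tag(counter: int, cmd: str) -> bytes:
    """Authentication code binding the command to one counter value."""
    msg = counter.to_bytes(4, "big") + cmd.encode()
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, backward_resync: bool):
        self.counter = 0                  # highest counter accepted so far
        self.backward_resync = backward_resync
        self.prev_stale = None            # last stale-but-authentic counter seen

    def receive(self, counter: int, cmd: str, code: bytes) -> bool:
        if not hmac.compare_digest(code, tag(counter, cmd)):
            return False                  # forged or corrupted frame
        if self.counter < counter <= self.counter + WINDOW:
            self.counter, self.prev_stale = counter, None
            return True                   # fresh code: accept and advance
        if self.backward_resync:          # assumed flawed behaviour
            if self.prev_stale is not None and counter == self.prev_stale + 1:
                self.counter, self.prev_stale = counter, None  # moves backwards
                return True
            self.prev_stale = counter
        return False                      # hardened path: stale codes always fail

def replay_outcome(backward_resync: bool):
    rx = Receiver(backward_resync)
    cmds = ["lock", "unlock", "lock", "unlock"]
    # Constructed capture: four consecutive presses, counters 1..4.
    captured = [(n, c, tag(n, c)) for n, c in enumerate(cmds, start=1)]
    live = [rx.receive(*f) for f in captured]
    for n in range(5, 11):                # owner keeps using the fob
        rx.receive(n, "lock", tag(n, "lock"))
    replayed = [rx.receive(*f) for f in captured]
    return live, replayed, rx.counter

if __name__ == "__main__":
    for flawed in (False, True):
        print("backward_resync =", flawed, replay_outcome(flawed))
```

With the forward-only rule every replayed frame is rejected and the counter stays at 10; with the assumed resync rule the second old frame drags the counter back and the rest of the old sequence is accepted.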
“However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”
The spokesperson said that Honda has “no plan” to update its older vehicles to fix the issue.
In a message to The Atlanta Journal-Constitution, a Honda spokesperson confirmed the researchers’ claims, but also offered a message of reassurance to customers.
“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of ours,” they said. “However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”
While newer models’ security measures have been improved as a result of the finding, the company said that older Honda models are not viable for updates.
“The vulnerability in potentially affected vehicles is not susceptible to a software update or other similar remedy as the issue relates to the underlying supplier hardware (present in other OE vehicles as well),” they said. “Honda is not aware of any updated hardware being available. Nevertheless, as previously explained, this attack requires a bad actor to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to a vehicle. While it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away and is more difficult to accomplish than other means currently used to break into vehicles.”