In a test, security researchers succeeded in exploiting a Honda security vulnerability by attacking the wireless key fob of several of the manufacturer’s vehicle models. This allowed the cars to be opened and started remotely.
Honda security flaw allows remote access
Researchers Kevin2600 and Wesley Li from security firm Star-V Lab used a simple test to crack the wireless keys of various Honda models, allowing them to open and start the vehicles.
They named the attack “RollingPWN” because they assume that such remote access would be just as easy with vehicles from other manufacturers. The Honda security vulnerability affects all of the manufacturer’s models from 2012 to 2022; the duo tested ten different vehicles.
“We have successfully tested the latest models of Honda vehicles. And we strongly believe that the vulnerability affects all Honda models currently on the market,” the security researchers write in the report.
Car keys still insecure
The attack relies on a vulnerable version of the rolling-code mechanism in the keys. Rolling codes serve as an authentication method in radio-based key systems: the sender transmits a constantly changing code, the so-called next code, to the receiver.
This is meant to prevent replay attacks, since each next code is unique. “The rolling PWN bug is a serious vulnerability,” the researchers write further.
This is consistent with the results of a test that the German automobile club ADAC published in February of this year. According to that test, the keyless systems in only 24 of 500 cars were sufficiently protected.
Honda itself apparently does not have a reporting system for vulnerabilities in the security systems, as the security researchers further explain. According to the report, they contacted customer service, at the behest of a Honda employee, to inform the automaker of the problems.
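The rolling-code check described in this section can be sketched as follows. This is an added example, not code from the researchers or from Honda: it is a simplified model in which HMAC-SHA256 stands in for the fob's cipher, the counter is sent in the clear, and the window size, key and frames are constructed values.

```python
import hmac
import hashlib

WINDOW = 16  # look-ahead window (assumed value): tolerates presses made out of range


def next_code(key: bytes, counter: int) -> bytes:
    """Fob side: derive the code for one counter value (HMAC is a stand-in cipher)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return counter.to_bytes(4, "big") + mac[:8]


class Receiver:
    """Vehicle side: accepts each counter value at most once, and only moving forward."""

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.last = counter  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        # Authenticate first, in constant time, so forged counters are ignored.
        if not hmac.compare_digest(frame, next_code(self.key, counter)):
            return False
        # Replay check: the counter must be strictly ahead of the last accepted
        # one and inside the window. The stored state never moves backwards.
        if not (self.last < counter <= self.last + WINDOW):
            return False
        self.last = counter
        return True


def demo() -> list:
    key = b"constructed-demo-key"                      # constructed sample secret
    car = Receiver(key)
    captured = [next_code(key, c) for c in (1, 2, 3)]  # constructed frames
    results = [car.accept(f) for f in captured]        # fresh codes
    results.append(car.accept(captured[0]))            # replay of an old code
    results.append(car.accept(next_code(key, 9)))      # skipped ahead, in window
    results.append(car.accept(next_code(key, 9 + WINDOW + 1)))  # too far ahead
    results.append(car.accept(b"\x00" * 12))           # forged frame
    return results


if __name__ == "__main__":
    print(demo())
```

The property that makes each next code single-use is that the receiver's stored counter only ever increases; any path that lets it move backwards would make previously captured codes valid again.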
Honda has no plans for updates
The website BleepingComputer then contacted Honda, which responded with a statement that was not really satisfactory. According to the statement, Honda has not yet verified the information provided by the research team and currently cannot determine any vulnerability in its own vehicles.
Should there be a vulnerability, however, “Honda currently has no plans to provide older vehicles with an update”. The reason given is that such hacks are only possible from a short distance to the respective car.
Honda gave a very similar statement to the magazine Motherboard. It says it does not see sufficient evidence of a bug or problem in the security researchers’ evidence videos.
The researchers, on the other hand, recommend having affected vehicles updated in the workshop using over-the-air (OTA) updates, if this option is offered at all. Accordingly, it cannot be proven whether the security vulnerability has been exploited on one’s own car. Caution is therefore advisable.