Has your Honda been PWNed? - security flaw

Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

Researchers have discovered a vulnerability in Honda vehicles that could allow hackers to unlock doors and start the cars remotely. The security flaw has been named “RollingPWN,” and it affects all Honda models released between 2012 and 2022, according to the researchers.

Each button press sends a new code from the key fob to the car, which should (theoretically) render old codes unusable. But Kevin2600 found that it’s possible to roll back these codes, retrieve an old one and reuse it to unlock the doors and start the car from a distance of up to 98 feet. The exploit is also undetectable, leaving no trace after being used.

The team suggests a solution requires a recall of all affected vehicles, but given how many Hondas use rolling codes, that doesn’t seem feasible.
https://www.msn.com/en-us/autos/news/ho ... r-AAZntcC

I actually got a Faraday bag on Amazon for my keyfob, but I don't think that would prevent this hack, which depends on the culprit just being within range to pick up your wireless keyfob signal when you lock your car and walk away. Any ideas?
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
anon_investor
Posts: 13867
Joined: Mon Jun 03, 2019 1:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by anon_investor »

Fremdon Ferndock wrote: Fri Jul 08, 2022 7:51 pm
Researchers have discovered a vulnerability in Honda vehicles that could allow hackers to unlock doors and start the cars remotely. The security flaw has been named “RollingPWN,” and it affects all Honda models released between 2012 and 2022, according to the researchers.

Each button press sends a new code from the key fob to the car, which should (theoretically) render old codes unusable. But Kevin2600 found that it’s possible to roll back these codes, retrieve an old one and reuse it to unlock the doors and start the car from a distance of up to 98 feet. The exploit is also undetectable, leaving no trace after being used.

The team suggests a solution requires a recall of all affected vehicles, but given how many Hondas use rolling codes, that doesn’t seem feasible.
https://www.msn.com/en-us/autos/news/ho ... r-AAZntcC

I actually got a Faraday bag on Amazon for my keyfob, but I don't think that would prevent this hack, which depends on the culprit just being within range to pick up your wireless keyfob signal when you lock your car and walk away. Any ideas?
Would that require a remote starter?
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
BBBob
Posts: 183
Joined: Tue Aug 11, 2015 12:25 pm

Re: Has your Honda been PWNed? - security flaw

Post by BBBob »

Fremdon Ferndock wrote: Fri Jul 08, 2022 7:51 pm I actually got a Faraday bag on Amazon for my keyfob, but I don't think that would prevent this hack, which depends on the culprit just being within range to pick up your wireless keyfob signal when you lock your car and walk away. Any ideas?
Could you just wrap it in a handmade tin foil sleeve?
nydoc
Posts: 469
Joined: Mon Jul 22, 2019 5:57 pm

Re: Has your Honda been PWNed? - security flaw

Post by nydoc »

Will it start my 2016 crv remotely now? I can’t wait for this hack. :D
Normchad
Posts: 4792
Joined: Thu Mar 03, 2011 6:20 am

Re: Has your Honda been PWNed? - security flaw

Post by Normchad »

This isn’t something I’m going to worry about.
anon_investor
Posts: 13867
Joined: Mon Jun 03, 2019 1:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by anon_investor »

prd1982 wrote: Fri Jul 08, 2022 8:44 pm It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
Wait, how can I start my car from 96 feet away? Really tell me. I would love to not have to go outside and push the start button in my car to start it in the winter to warm up before going inside to finish my cup of coffee. My car does not have an auto starter, I kind of wish I did, my old car did.
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

anon_investor wrote: Fri Jul 08, 2022 10:03 pm My car does not have an auto starter, I kind of wish I did, my old car did.
There are places that will install remote starters
anon_investor
Posts: 13867
Joined: Mon Jun 03, 2019 1:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by anon_investor »

prd1982 wrote: Sat Jul 09, 2022 6:53 am
anon_investor wrote: Fri Jul 08, 2022 10:03 pm My car does not have an auto starter, I kind of wish I did, my old car did.
There are places that will install remote starters
I am too cheap. :twisted:

I had one in my old car when I lived in the midwest, didn't need it when I lived in the mid-Atlantic, but wish I had one now in the Northeast. Maybe for my next car.
samsoes
Posts: 2512
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: Has your Honda been PWNed? - security flaw

Post by samsoes »

My 2015 Accord still has one of these things they call a "key" ... I actually have to insert it into this little hole and turn it in order for the car to start. Will this hack affect me, and my car start without this thing they call a "key" being inserted into the little hole and turned?
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
jebmke
Posts: 20055
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Has your Honda been PWNed? - security flaw

Post by jebmke »

anon_investor wrote: Fri Jul 08, 2022 10:03 pm
prd1982 wrote: Fri Jul 08, 2022 8:44 pm It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
Wait, how can I start my car from 96 feet away? Really tell me. I would love to not have to go outside and push the start button in my car to start it in the winter to warm up before going inside to finish my cup of coffee. My car does not have an auto starter, I kind of wish I did, my old car did.
I'm glad ours does not have this. My fear is that it gets started without realizing the garage door is down and my office fills up with CO.

The keyless remotes have a battery risk as well. My wife's Camry locked her out in town once and I had to bring another fob to get into the car. When we replaced the battery in her fob it worked fine so I'm assuming it was just a dead battery.
When you discover that you are riding a dead horse, the best strategy is to dismount.
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Has your Honda been PWNed? - security flaw

Post by JoeRetire »

jebmke wrote: Sat Jul 09, 2022 8:47 am The keyless remotes have a battery risk as well. My wife's Camry locked her out in town once and I had to bring another fob to get into the car. When we replaced the battery in her fob it worked fine so I'm assuming it was just a dead battery.
My Honda keyless remote actually has a key inside for this reason.
This isn't just my wallet. It's an organizer, a memory and an old friend.
jebmke
Posts: 20055
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Has your Honda been PWNed? - security flaw

Post by jebmke »

JoeRetire wrote: Sat Jul 09, 2022 8:58 am
jebmke wrote: Sat Jul 09, 2022 8:47 am The keyless remotes have a battery risk as well. My wife's Camry locked her out in town once and I had to bring another fob to get into the car. When we replaced the battery in her fob it worked fine so I'm assuming it was just a dead battery.
My Honda keyless remote actually has a key inside for this reason.
I think the Camry must as well - there is a small slot on the handle. One thing I have noticed is that the car can keep running even if the person with the fob walks away. Not sure if that is a glitch in our car or a feature. I do worry about the car staying "on" in the garage. It is a hybrid so you don't hear a thing until the IC engine kicks in. Could be it only works that way if there is someone in the car (seat sensor?). I rarely drive the thing so I have no idea how 90% of the car actually works; most of the stuff on the instrument panel is useless and distracting. I suppose there might be a way to shut down all the displays except the speedo but I'd have to read the manual.
Last edited by jebmke on Sat Jul 09, 2022 9:06 am, edited 1 time in total.
When you discover that you are riding a dead horse, the best strategy is to dismount.
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

jebmke wrote: Sat Jul 09, 2022 8:47 am
My fear is that it gets started without realizing the garage door is down and my office fills up with CO.
At least for my 2017 CRV, the engine stops after 10 minutes
jebmke
Posts: 20055
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Has your Honda been PWNed? - security flaw

Post by jebmke »

prd1982 wrote: Sat Jul 09, 2022 9:05 am
jebmke wrote: Sat Jul 09, 2022 8:47 am
My fear is that it gets started without realizing the garage door is down and my office fills up with CO.
At least for my 2017 CRV, the engine stops after 10 minutes
The only time I've experienced this is when I was in the car (passenger) and the driver left the scene (shopping) with the car running. The car definitely stayed on more than 10 minutes. Could be a seat sensor that detects passenger.
When you discover that you are riding a dead horse, the best strategy is to dismount.
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

prd1982 wrote: Fri Jul 08, 2022 8:44 pm It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
That's not correct. Once the car is started you can drive it without a fob. My car also is set to lock when I walk away, but you realize of course that is because the fob is sending a wireless signal automatically, don't you? If you have a faraday bag, you can verify this yourself by placing the fob in the bag before you walk away -- it won't lock.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Has your Honda been PWNed? - security flaw

Post by JoeRetire »

jebmke wrote: Sat Jul 09, 2022 9:03 am One thing I have noticed is that the car can keep running even if the person with the fob walks away. Not sure if that is a glitch in our car or a feature.
Normally, you can program it to beep and/or shut down when the fob isn't near.
This isn't just my wallet. It's an organizer, a memory and an old friend.
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Has your Honda been PWNed? - security flaw

Post by JoeRetire »

jebmke wrote: Sat Jul 09, 2022 9:08 am Could be a seat sensor that detects passenger.
In a Camry? No.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Teague
Posts: 2431
Joined: Wed Nov 04, 2015 5:15 pm

Re: Has your Honda been PWNed? - security flaw

Post by Teague »

If it were an issue in, say, my Bugatti Chiron which I was driving to the DefCon hackers' conference, I might be slightly concerned. But as reported, nope.
Semper Augustus
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

Fremdon Ferndock wrote: Sat Jul 09, 2022 9:15 am
prd1982 wrote: Fri Jul 08, 2022 8:44 pm It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
That's not correct. Once the car is started you can drive it without a fob. My car also is set to lock when I walk away, but you realize of course that is because the fob is sending a wireless signal automatically, don't you? If you have a faraday bag, you can verify this yourself by placing the fob in the bag before you walk away -- it won't lock.

I think there is some confusion here. Speaking for my 2017 CRV:

* If I get into the car and press the start button, you can walk away with the FOB and the car continues to run.

* If I use the remote to “start” the car, the engine turns on and the ac/heater comes on. However, the doors remain locked. Even if I could get into the car, the car will not move. When you move the gear lever, the car stops.

You must have the FOB in the car to actually get the engine running where the car can be moved.

Is anyone facing a different experience?
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

Apparently, this hack is something different from using your fob to remote-start your Honda. It allows the culprit to essentially duplicate what your fob is doing when you use it to unlock and start your car yourself. A device (readily available on the internet) is used to intercept the wireless signal from your fob, and it defeats the rolling-pwn security utilized by Honda by allowing the attacker to slide back to the code that works. If the rolling-pwn security process would actually erase previous codes, this wouldn't be possible; but the previous codes are saved in memory for some unknown reason.

From the original article:
Modern vehicles are often equipped with a remote keyless entry system. These RKE systems allow unlocking or starting the vehicle remotely. The goal of our research was to evaluate the resistance of a modern-day RKE system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently existing on the market (From the Year 2012 up to the Year 2022). This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.
https://rollingpwn.github.io/rolling-pwn/
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

Fremdon Ferndock wrote: Sat Jul 09, 2022 11:23 am This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.
Note that it doesn’t mention stealing or driving your car. I believe this is a partial start designed for running the AC or heater. I don’t believe a remote start allows you to put the car in gear (at least with my 2017 CRV).
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

prd1982 wrote: Sat Jul 09, 2022 11:35 am
Fremdon Ferndock wrote: Sat Jul 09, 2022 11:23 am This weakness allows anyone to permanently open the car door or even start the car engine from a long distance.
Note that it doesn’t mention stealing or driving your car. I believe this is a partial start designed for running the AC or heater. I don’t believe a remote start allows you to put the car in gear (at least with my 2017 CRV).
You could be right. But a logical conclusion is that if the attacker can essentially duplicate your keyfob to unlock and start the engine they should be able to drive the car too. They are holding a device which is doing the same thing your keyfob does because it clones the effective wireless code. The remote start on your keyfob is specifically designed so that you can start your car from a distance to warm up, but the doors remain locked and the car undrivable to prevent someone from hopping in and driving away. I don't think this hack is the same thing as the remote start on your fob.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Normchad
Posts: 4792
Joined: Thu Mar 03, 2011 6:20 am

Re: Has your Honda been PWNed? - security flaw

Post by Normchad »

Honestly, this sounds a lot better than getting car jacked……. I’m a fan!
Jack FFR1846
Posts: 16432
Joined: Tue Dec 31, 2013 6:05 am
Location: 26 miles, 385 yards west of Copley Square

Re: Has your Honda been PWNed? - security flaw

Post by Jack FFR1846 »

This sounds far less concerning than the Jeep hacking flaw. You need to know the VIN and then can hack into the vehicle and control all kinds of cool things like turning on lights, hazards, radio, shut off the car. Here's one of the descriptions of how they did this after they told Jeep about it and they ignored them.

https://www.youtube.com/watch?v=RZVYTJarPFs
Bogle: Smart Beta is stupid
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

I'm interested in this topic because someone actually had their Honda stolen off a parking lot in a park where I walk all the time. It was later found, inside looted and locked up, but no-one seemed to know how it got stolen. But there are usually people around and sitting in other vehicles nearby when we park there. Would be easy enough for them to use this hack. If I were doing it, I'd probably sit around in my car in various parking lots waiting for a nice expensive-looking Honda to pull up and park nearby. Probably have my buddy with me, so he could drive off in the stolen vehicle and I could follow him. Or maybe I'd just unlock the vehicle and find stuff inside to steal and then lock it back up and go on to the next victim.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
anon_investor
Posts: 13867
Joined: Mon Jun 03, 2019 1:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by anon_investor »

Fremdon Ferndock wrote: Sat Jul 09, 2022 12:01 pm I'm interested in this topic because someone actually had their Honda stolen off a parking lot in a park where I walk all the time. It was later found, inside looted and locked up, but no-one seemed to know how it got stolen. But there are usually people around and sitting in other vehicles nearby when we park there. Would be easy enough for them to use this hack. If I were doing it, I'd probably sit around in my car in various parking lots waiting for a nice expensive-looking Honda to pull up and park nearby. Probably have my buddy with me, so he could drive off in the stolen vehicle and I could follow him. Or maybe I'd just unlock the vehicle and find stuff inside to steal and then lock it back up and go on to the next victim.
Get the "Club"?
mnsportsgeek
Posts: 502
Joined: Mon Jan 19, 2015 12:39 pm

Re: Has your Honda been PWNed? - security flaw

Post by mnsportsgeek »

jebmke wrote: Sat Jul 09, 2022 8:47 am
anon_investor wrote: Fri Jul 08, 2022 10:03 pm
prd1982 wrote: Fri Jul 08, 2022 8:44 pm It can start the car, but not drive away. That requires the FOB to be in the car.

Given the number of times I hear that cars are stolen while the FOB was left in the car, this process seems like overkill.

If they capture the code because you are starting the car, it likely doesn’t help the thief, since you are likely to drive away. So it requires they capture you remotely locking the car. I don’t know about others, but I count on the car locking itself automatically when I walk away.
Wait, how can I start my car from 96 feet away? Really tell me. I would love to not have to go outside and push the start button in my car to start it in the winter to warm up before going inside to finish my cup of coffee. My car does not have an auto starter, I kind of wish I did, my old car did.
I'm glad ours does not have this. My fear is that it gets started without realizing the garage door is down and my office fills up with CO.

The keyless remotes have a battery risk as well. My wife's Camry locked her out in town once and I had to bring another fob to get into the car. When we replaced the battery in her fob it worked fine so I'm assuming it was just a dead battery.
If your battery runs out, hold the fob next to the start button and start the car.

Then stop ignoring the warning you’ve been getting to change the battery and change the battery :)

Also, every factory remote start I’ve ever used shuts off after 10-15 minutes for safety reasons. It’s the third party ones you have to worry about.
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

I found this on the web:
Martin (Honda spokesperson) told The Record that if started remotely, Acura and Honda vehicles cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle. He added that there is “no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”
As to the person mentioning a stolen car, I'm guessing the owner forgot to turn the engine off and walked away. The doors don't lock and the car could just be driven away. The car beeps when you open the door but easy to miss if distracted.
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

It is damnably hard to disable the keyless fob system if you're concerned about this issue. It would be nice if auto manufacturers just put a switch on the thing so you could do that, but so far I don't think any do. I bought a Faraday bag on Amazon. It's a small pouch that I can put the fob into before I stuff it into my pocket. It blocks the RF signal from the fob. Of course, the fob has to be outside the bag to work so you have to worry about getting the signal hacked when you lock the vehicle.

I just read a solution that supposedly will work with an Audi, so I think I'll try it on my Honda. It was this: remove the key from the fob and then leave the fob in the car. When you use the key to lock the car, it turns off the fob. So then the only way to unlock the car is with the key. I'm guessing that with Honda, the fob won't turn off, or you can't lock the car with the key with the fob inside. We'll see if this works. Rather do this than using the Faraday bag all the time.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

prd1982 wrote: Sat Jul 09, 2022 12:20 pm I found this on the web:
Martin (Honda spokesperson) told The Record that if started remotely, Acura and Honda vehicles cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle. He added that there is “no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”
As to the person mentioning a stolen car, I'm guessing the owner forgot to turn the engine off and walked away. The doors don't lock and the car could just be driven away. The car beeps when you open the door but easy to miss if distracted.
That's interesting. But they could be talking about the remote start feature on the fob. There are plenty of stories on the internet about vehicles being stolen using this hacking technology. Besides, the last time I talked to a Honda spokesperson, he was trying to sell me a bridge in Brooklyn.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

Well, I think Toyota is moving to doing remote start only via your phone. So that should address this issue. Of course the reason they are doing this is to force you to buy a subscription service. Be curious to see what Honda does.
RetiredAL
Posts: 2672
Joined: Tue Jun 06, 2017 12:09 am
Location: SF Bay Area

Re: Has your Honda been PWNed? - security flaw

Post by RetiredAL »

Fremdon Ferndock wrote: Sat Jul 09, 2022 12:27 pm
I just read a solution that supposedly will work with an Audi, so I think I'll try it on my Honda. It was this: remove the key from the fob and then leave the fob in the car. When you use the key to lock the car, it turns off the fob. So then the only way to unlock the car is with the key. I'm guessing that with Honda, the fob won't turn off, or you can't lock the car with the key with the fob inside. We'll see if this works. Rather do this than using the Faraday bag all the time.
If a thief wants into your car, unlocking would be a benefit to you compared to breaking out a window.
Topic Author
Fremdon Ferndock
Posts: 1079
Joined: Fri Dec 24, 2021 11:26 am

Re: Has your Honda been PWNed? - security flaw

Post by Fremdon Ferndock »

RetiredAL wrote: Sat Jul 09, 2022 12:53 pm
Fremdon Ferndock wrote: Sat Jul 09, 2022 12:27 pm
I just read a solution that supposedly will work with an Audi, so I think I'll try it on my Honda. It was this: remove the key from the fob and then leave the fob in the car. When you use the key to lock the car, it turns off the fob. So then the only way to unlock the car is with the key. I'm guessing that with Honda, the fob won't turn off, or you can't lock the car with the key with the fob inside. We'll see if this works. Rather do this than using the Faraday bag all the time.
If a thief wants into your car, unlocking would be a benefit to you compared to breaking out a window.
It's easier and less attention-generating to simply hack into it than break the window. But on the other hand, there are more people who can throw a rock than use a fob-hacking gizmo.
"Risk is what’s left over when you think you’ve thought of everything." ~ Morgan Housel
prd1982
Posts: 1276
Joined: Sun Jan 08, 2017 3:43 pm

Re: Has your Honda been PWNed? - security flaw

Post by prd1982 »

In my area, there has been a rise in auto thefts. The police publish numerous PSAs. They don’t ask that you use a Faraday cage, or stop using your FOB. They simply ask that you not leave the FOB in the car. I’m continually amazed by the number of high end cars that are stolen that way.
nisiprius
Advisory Board
Posts: 48877
Joined: Thu Jul 26, 2007 9:33 am
Location: The terrestrial, globular, planetary hunk of matter, flattened at the poles, is my abode.--O. Henry

Re: Has your Honda been PWNed? - security flaw

Post by nisiprius »

Obligatory:

Image
Annual income twenty pounds, annual expenditure nineteen nineteen and six, result happiness; Annual income twenty pounds, annual expenditure twenty pounds ought and six, result misery.
Mudpuppy
Posts: 7144
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Has your Honda been PWNed? - security flaw

Post by Mudpuppy »

In security circles, this is just the latest iteration on a laundry-list of similar bugs with auto key fobs. Auto manufacturers have had a horrible track record in this arena. There was even the rather infamous case of a major car manufacturer suing UK security researchers to prevent them from presenting the results of their research at a US security conference. I was at a subsequent conference where they were able to present their research, although the conference organized that session late in the evening just in case.

Edit to add: And many of these bugs don't require any sort of interaction with the actual key fob. There are more bugs that use the actual key fobs, but there are some pretty glaring bugs, including the one involved in the above lawsuit, that require nothing more than time and proximity to the car.
Mudpuppy
Posts: 7144
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Has your Honda been PWNed? - security flaw

Post by Mudpuppy »

samsoes wrote: Sat Jul 09, 2022 7:46 am My 2015 Accord still has one of these things they call a "key" ... I actually have to insert it into this little hole and turn it in order for the car to start. Will this hack affect me, and my car start without this thing they call a "key" being inserted into the little hole and turned?
I have the same year and probably trim-line Accord as you do. I do like the fact that I can still fully operate the car when the key battery has died (or that one time I had to pull out the battery because the trunk release button got stuck and it kept popping the trunk). I don't have to worry about being locked out of my car due to an ill-timed battery failure, as I can fully lock, unlock, start, and drive the car without a battery installed (as tested during the above trunk release button "fun").

However, the physical key still contains a cryptographic chip that interacts with the car's immobilizer system when you turn the ignition. For our particular trim line, the car won't start if the immobilizer chip in the key is not recognized. For other trim lines with push-button starts, either the car won't start or it can't drive off unless the immobilizer chip is nearby.

Historically, some immobilizer systems have also had cryptographic vulnerabilities which require just proximity and time to crack. However, this particular vulnerability appears to be just in the remote keyless entry systems (e.g., door unlock and other key fob buttons). It could be combined with other "hacks" of the immobilizer system, such as reset sequences (meant for when you lose your keys) or disable sequences (meant to temporarily disable a malfunctioning immobilizer system), to steal the car, but someone could also smash a window and do the same thing.

So as a security person, this ranks in the "annoyance" category, particularly if you're concerned about someone rifling through your trunk or glove box. Basically, don't keep anything of value in your car. Otherwise, if someone were so motivated to steal your car, this just saves them from smashing a window to do so.
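
The rolling-code idea discussed in this thread (each button press sends a new code, and an old code should no longer work) comes down to the receiver never letting its counter move backwards. The sketch below is an added example, not code from the thread, the researchers or Honda: the frame layout, the HMAC tag standing in for a proprietary cipher, the window size and the `RollbackReceiver` weakness are all assumptions made for illustration.

```python
import hashlib
import hmac
import struct

WINDOW = 16  # assumed look-ahead: tolerates button presses made out of range


def make_code(key: bytes, counter: int, button: int) -> bytes:
    """Fob side: 4-byte counter, 1-byte button, 4-byte truncated HMAC tag."""
    body = struct.pack(">IB", counter, button)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:4]
    return body + tag


def parse_code(key: bytes, frame: bytes):
    """Return (counter, button) if the frame is authentic, else None."""
    if len(frame) != 9:
        return None
    body, tag = frame[:5], frame[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:4]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(">IB", body)


class StrictReceiver:
    """Accepts only counters strictly ahead of the last accepted one."""

    def __init__(self, key: bytes, last: int = 0):
        self.key = key
        self.last = last
        self.rejected_replays = 0  # a trace a vehicle could log or report

    def receive(self, frame: bytes) -> str:
        parsed = parse_code(self.key, frame)
        if parsed is None:
            return "bad-tag"
        counter, _button = parsed
        if counter <= self.last:
            # Authentic but already used: this is a captured code coming back.
            self.rejected_replays += 1
            return "replay"
        if counter > self.last + WINDOW:
            return "out-of-window"
        self.last = counter
        return "accept"


class RollbackReceiver(StrictReceiver):
    """Constructed weak variant: the acceptance window also extends backwards,
    so an authentic old code drags the stored counter back with it."""

    def receive(self, frame: bytes) -> str:
        parsed = parse_code(self.key, frame)
        if parsed is None:
            return "bad-tag"
        counter, _button = parsed
        if abs(counter - self.last) > WINDOW:
            return "out-of-window"
        self.last = counter  # no monotonic check: the counter can go down
        return "accept"


def demo() -> dict:
    """Press the button five times, then present the second code again."""
    key = b"constructed-demo-key"  # constructed sample key
    frames = [make_code(key, c, 1) for c in range(1, 6)]
    results = {}
    for name, cls in (("strict", StrictReceiver), ("rollback", RollbackReceiver)):
        rx = cls(key)
        for frame in frames:
            rx.receive(frame)
        # frames[1] carries counter 2, which was already used.
        results[name] = (rx.receive(frames[1]), rx.last)
    return results


if __name__ == "__main__":
    for name, (verdict, last) in demo().items():
        print(f"{name:9s} old code -> {verdict:7s} stored counter = {last}")
```

The strict receiver rejects the old code and counts the attempt; the weak variant accepts it and ends with a lower stored counter, which is the "roll back" property a firmware fix has to remove.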