If you’re driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.
Keyless entry exploits are nothing new. Anyone armed with the right equipment can sniff out a lock or unlock code and retransmit it. This particular issue with some Honda vehicles is just the latest demonstration that auto manufacturers haven’t adapted their technology to keep up with known threats.
CVE-2022-27254, tied to this discovery, was the work of four researchers: Professors Hong Liu and Ruolin Zhou from the University of Massachusetts, computer scientist Blake Berry, and Sam Curry, CSO at Cybereason. Their research suggests that Honda Civic LX, EX, EX-L, Touring, Si, and Type R vehicles manufactured between 2016 and 2020 all have this vulnerability.
According to the team, “various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack.” The GitHub page created for the vulnerability hosts three separate proof-of-concept videos showcasing their results.
Attackers only needed a few easily sourced components to execute their attack: a laptop, the GNURadio development toolkit, Gqrx software-defined radio (SDR) receiver software, access to the FCCID.io website, and a HackRF One SDR. The only cost associated with the attack (besides owning a laptop) is purchasing the HackRF One, which retails in the mid-$300 range. All software used in the attack is free and open source.
A common problem
The CVE page for this vulnerability also mentions CVE-2019-20626, the same vulnerability found in 2017 Honda HR-V vehicles, which Paraguayan security researcher Victor Casares demonstrated in a 2019 Medium post.
An unrelated but similar problem in 2012 Honda Civics allows for a similar attack, but with a different cause: a non-expiring rolling code and counter resync. This isn’t just a Honda problem either. In 2016, The Register reported on an experiment in which researchers cloned a Volkswagen key fob and were able to use it to potentially unlock 100 million vehicles.
The researchers involved in this latest discovery said that vehicle owners don’t have a lot of protection options as long as manufacturers continue using static codes. Rolling codes that change at each press of the button are “a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system,” the researchers said.
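To show the difference on the receiving side, here is an added example (not code from the researchers or from Honda) that models a receiver accepting a static code next to one that checks a rolling code. The frame layout, key, counter window and class names are all assumptions made for illustration; real fobs use their own proprietary schemes.

```python
import hashlib
import hmac

# Constructed demo values; not taken from any real vehicle or fob.
KEY = b"constructed-demo-key"
UNLOCK = b"\x01"
STATIC_CODE = b"\xaa\x55\x01"

class StaticReceiver:
    """Static-code model: the same fixed frame is valid on every press."""
    def accept(self, frame):
        return hmac.compare_digest(frame, STATIC_CODE)

def fob_frame(key, counter, command):
    """Fob side: 4-byte counter + 1-byte command + truncated HMAC over both."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]

class RollingReceiver:
    """Rolling-code model: a frame is valid once, and only if it is fresh."""
    def __init__(self, key, window=16):
        self.key = key
        self.window = window  # presses the fob may run ahead (out of range)
        self.last = 0         # highest counter accepted so far

    def accept(self, frame):
        if len(frame) != 13:
            return False
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False      # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        # Older or already-used counters are expired; far-future ones are refused.
        if not (self.last < counter <= self.last + self.window):
            return False
        self.last = counter
        return True

def demo():
    """Present the same captured frame twice to each receiver."""
    static, rolling = StaticReceiver(), RollingReceiver(KEY)
    frame = fob_frame(KEY, 1, UNLOCK)
    return ([static.accept(STATIC_CODE), static.accept(STATIC_CODE)],
            [rolling.accept(frame), rolling.accept(frame)])

if __name__ == "__main__":
    print(demo())
```

The counter check is what makes older frames expire: a receiver that kept accepting them, or that resynchronised to any counter it was shown, would bring the replay problem back.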
Speaking of PKE systems, the researchers say that those are a significant improvement over RKE systems. Instead of relying on the fob to broadcast, the vehicle itself continually searches for a passive RF fob, like a door keycard, and once close enough the vehicle automatically unlocks. The close proximity required makes this attack far trickier.
Ultimately, the researchers say the only way to mitigate the problem if you’re a victim is to head to the dealership and have them reset the key fob. As for prevention, the researchers go back to basics on this one: put your keys in a Faraday pouch.
We have asked Honda to comment. ®