A Honda car behind a gate, with its turn signals shown blinking as it's being unlocked by a portable device implementing the hack in question. Text under the car says "Rolling Pwned".

Unlock Any (Honda) Car

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned CVE-2021-46145.

[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
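The receiver-side flaw described above, as a toy model next to a hardened variant. This is an added example, not code from the post or from either researcher; the frame layout, HMAC construction, window size and resync rule are assumptions for illustration and are not Honda's actual protocol.

```python
import hmac
import hashlib

KEY = b"constructed-demo-key"   # constructed secret shared by fob and car
WINDOW = 16                     # assumed forward acceptance window
RESYNC_RUN = 3                  # assumed: consecutive frames that trigger a resync

def frame(counter):
    """Fob side: a frame is (counter, truncated HMAC over the counter)."""
    tag = hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter, tag

class Receiver:
    def __init__(self, allow_backward_resync):
        self.allow_backward_resync = allow_backward_resync  # True = flawed
        self.counter = 0          # last accepted counter
        self.run = []             # consecutive out-of-window counters seen

    def accept(self, fr):
        counter, tag = fr
        if not hmac.compare_digest(tag, frame(counter)[1]):
            return False          # forged or corrupted frame
        if self.counter < counter <= self.counter + WINDOW:
            self.counter, self.run = counter, []
            return True           # fresh code inside the window
        # Out of window: only a candidate for resynchronisation.
        if self.run and counter == self.run[-1] + 1:
            self.run.append(counter)
        else:
            self.run = [counter]
        if len(self.run) >= RESYNC_RUN and (self.allow_backward_resync or counter > self.counter):
            # The hardened receiver only ever moves its counter forward.
            self.counter, self.run = counter, []
        return False

def replay_after_use(receiver):
    """Return True if an already-used frame is accepted again after a replayed run."""
    captured = [frame(c) for c in range(1, 6)]   # constructed capture, counters 1..5
    for fr in captured:                          # legitimate use: receiver reaches 5
        receiver.accept(fr)
    for fr in captured[:3]:                      # stale consecutive run 1, 2, 3
        receiver.accept(fr)
    return receiver.accept(captured[3])          # counter 4 was already used

if __name__ == "__main__":
    print("backward resync allowed:", replay_after_use(Receiver(True)))
    print("forward-only resync:    ", replay_after_use(Receiver(False)))
```

The forward-only rule still lets a fob that has drifted far ahead of the car resynchronise, which is the legitimate purpose of the resync path.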

If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.

As it stands, all these Honda cars affected might just be out there for the taking. This is not the first time Honda has been found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps, this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.

Hackaday Links: December 19, 2021

Key fobs as a service? Have we really gotten to that point? It would seem so, at least for Toyota, which is now requiring a subscription to use the company’s Remote Connect function. To be fair to Toyota, the Remote Connect system seems to do a bit more than the average key fob, with things like remote start and smartphone or smartwatch integration. It doesn’t appear that using the key fob for more mundane uses, like opening the doors, will be nerfed by this change. But if you want to warm up your car on a cold winter’s morn while you’re still in your jammies, then be prepared to cough up $8 a month or $80 a year on select 2018 and above models. Whether Toyota and other manufacturers get away with this nickel-and-dime stuff is up to the buyers, of course; if enough people opt out, maybe they’ll think of some other way to pad their bottom line. But since we’ve already seen heated seats as a service (last item), we suspect this is the shape of things to come, and that it will spread well beyond the car industry.

Speaking of cars, if you thought the chip shortage was over just because car dealer lots are filling back up, think again. Steve over at Big Mess o’ Wires reports that he’s having trouble sourcing chips for his vintage computer accessories. He includes a screenshot from Digi-Key showing zero stock on ATmega1284s. He also reports that the Lattice FPGA he uses for his Yellowstone universal disc controller is now unobtainium, where it had previously been easily sourced for about $5. He also has a pointed warning about some suppliers making it look like they have stock, only to send a “whoopsie” email after charging your credit card, or worse, telling you the price has increased over 400%. We suppose this was inevitable; there’s only so much fab capacity in the world, so eventually the fabs will switch over to producing whatever they can get paid the most for. And since car manufacturers have a lot more clout with suppliers than just about anyone else, it’s only natural for the shortages to shift down-market like this.

Do we finally have a “go” on James Webb? Maybe. The launch of the space telescope was originally scheduled for December 18 — well, OK, originally it was supposed to be in space in 2007, but let’s not go there — but a problem with a clamp caused unexpected vibrations in the $10 billion space observatory, resulting in inspections that pushed the launch back to the 22nd. That lasted for about a week, until the fueled and packaged spacecraft stopped sending data to launch controllers. The problem ended up being entirely relatable — a bad data cable — but resulted in the loss of two more days. JWST is now set to launch on Christmas Eve at 7:20 AM Eastern Standard Time, pending a readiness review on Tuesday morning. Fingers crossed that the long-awaited observatory has a safe 30-day trip to Lagrange point L2.

And finally, breathless tech journalists couldn’t wait to report this week that the world’s first warp bubble had been created. The paper was published by Dr. Harold “Sonny” White et al from the Limitless Space Institute, and claims to have discovered a “micro/nano-scale structure” that “predicts negative energy density distribution that closely matches requirements for the Alcubierre metric.” That last bit, the one about the Alcubierre metric, refers to the Alcubierre drive, which proposed a way to warp space-time and drive a ship at arbitrarily high speeds. But did this team actually create a warp bubble? It doesn’t seem so, at least according to one article we read. There’s also the problem of Dr. White’s previous claims of breaking the laws of physics with a reactionless EM drive. Scientific quibbling aside, there’s a sure-fire way of telling that no warp bubble was created — if there had been one, this would have happened.

Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware. 

It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations is that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.

Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.

Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know. 

Automating Your Car With A Spare Fob And An ESP8266

Despite the name, home automation doesn’t have to be limited to only the devices within your home. Bringing your car into the mix can open up some very interesting possibilities, such as automatically getting it warmed up in the morning if the outside air temperature drops below a certain point. The only problem is, not everyone is willing to start hacking their ride’s wiring to do it.

Which is exactly why [Matt Frost] went the non-invasive route. By wiring up an ESP8266 to a cheap aftermarket key fob for his Chevrolet Suburban, he’s now able to wirelessly control the door locks and start the engine without having to make any modifications to the vehicle. He was lucky that the Chevy allowed him to program his own fob, but even if you have to spend the money on getting a new remote from the dealer, it’s sure to be cheaper than the repair bill should you cook something under the dash with an errant splice or a misplaced line of code.

The hardware for this project is about as simple as it gets. The fob is powered by the 3.3 V pin on the Wemos D1 Mini, and the traces for the buttons have been hooked up to the GPIO pins. By putting both boards into a custom 3D printed enclosure, [Matt] came up with a tidy little box that he could mount in his garage and run off of a standard USB power supply.

On the software side of things [Matt] has the device emulating a smart light so it can easily be controlled by his Alexa, with a few helpful routines sprinkled in that allow him to avoid the awkward phraseology that would be required otherwise. There’s also a minimal web server running on the microcontroller that lets him trigger various actions just by hitting the appropriate URLs, which made connecting it to Home Assistant a snap. One downside of this approach is that there’s no acknowledgement from the vehicle that the command was actually received, but you can always send a command multiple times to be sure.

This isn’t the first time we’ve seen an ESP8266 used to “push” buttons on a remote. If you’ve got a spare fob for your device, or can get one, it’s an excellent way to automate it on the cheap.

Honda Key Fob Turned CNC Work Of Art

Now that nearly every car on the road comes with an electronic key fob, people are desperate to find ways to repair these indispensable little gadgets without coughing up potentially hundreds of dollars at the dealership. There’s a whole market for replacement shells which you can transplant your (hopefully) still functional electronics into, but if you’re going to go through the trouble of putting the electronics into a new case, why not make it special?

That’s what [Michicanery] was thinking when he decided to build his own custom key fob. The end result is an utterly magnificent feat of engineering that’s sure to be a conversation piece for the life of the vehicle, if not beyond. Made of wood and aluminum cut on his OpenBuilds Lead CNC 1010, this build just might inspire you to “accidentally” drop your existing fob from a great height. Oh no, what a shame.

[Michicanery] starts by disassembling his original fob, which is the type that has a key integrated directly into the device. This meant his replacement would need a bit more thought put into it than a separate stand-alone fob, but at least it wasn’t one of the ones where you have to stick the whole thing into the dashboard. To make sure the build was strong enough to survive a lifetime of being turned in the ignition and generally fiddled with, he cut the central frame and buttons out of 1/4″ thick aluminum.

The top and bottom of the fob were then cut from Chechen wood and then chamfered on a table router so it felt a bit better in the hand. He applied oil to the pieces to bring out the natural color and grain of the wood, but not before engraving his own logo onto the back of the case for that extra touch of personalization. Not that we think [Michicanery] is going to have trouble identifying his keys from this point on.

Like the incredible watch cases we’ve seen recently, this is a perfect example of an everyday object getting a new lease on life as a bespoke creation thanks to a custom built enclosure. Granted we’re not sure Honda key fobs have quite the heirloom potential of a good watch, but we’d still prefer it over the black plastic original.

[via /r/DIY]

Researcher uses antenna to clone Tesla key fob

Tesla Opens With Precomputed Key Fob Attack

This clever precomputation attack was developed by a group of researchers at KU Leuven in Belgium. Unlike previous key fob attacks that we’ve covered in the past which have been essentially relay attacks, this hack precomputes a ton of data, looks for a collision in the dataset, and opens the door. Here’s how it works.

Samy Kamkar: Reverse Engineering For A Secure Future

Show of hands: how many of you have parked your car in the driveway, walked up to your house, and pressed your car’s key fob button thinking it would open the front door? We’ve probably all done it and felt a little dopey as a result, but when you think about it, it would be tremendously convenient, especially with grocery bags dangling off each arm and the mail clenched between your teeth. After all, we’re living in the future — shouldn’t your house be smart enough to know when you’re home?

Reverse engineer par excellence Samy Kamkar might think so, but given his recent experiences with cars smart enough to know when you’re standing outside them, he’d probably have some reservations. Samy dropped by the 2017 Hackaday Superconference in November to discuss the finer points of exploiting security flaws in passive car entry systems, and also sat down with our own Elliot Williams after his talk for a one-on-one interview. Samy has some interesting insights on vehicle cybersecurity, but the practical knowledge he’s gained while exploring the limits of these systems teaches some powerful lessons about being a real-world reverse engineer.