Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware. 

It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.

Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.

Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know. 

25 thoughts on “Hacker Claims Honda And Acura Vehicles Vulnerable To Simple Replay Attack

  1. Regarding the ‘traditional’ keyless entry attacks with range extenders, how hard would it be to implement a check on the RTT of the comms between car and (relay) key?

    Timing would be tight and likely minimal compared to processing time of the key to generate the response, but could a simple encrypted ping be employed to check the range, say the car sends a message to the key to set up for the ping, key gets ready to respond with its generated ping response when the second request from the car comes in. RF RTT is about 6ns / m, so a response under 10ns would be OK, over 10 suspicious.

      1. Have you ever worked in automotive projects? I did. It’s the worst of usual corporate IT bureaucracy (or should I say bullshit?) wrapped in yet another layer of bureaucracy, stupidity and… hard to exactly decribe… a mix of engineering fascism and not-give-a-damn apprach at the same time.

  2. Really? Even this guy figured it out
    Nvm he or youtube deleted his video.
    But from what i remember is he had an sdr, software defined radio, with transmit, he recorded the signal from the key fob and played it back.
    It wasnt that complicated

  3. I am doubly-shocked here, to the point of faint skepticism.

    Shock #1: That Honda would have done this in 2009 models, much less 2020 models
    Shock #2: That with all the SDR enthusiasts out there, it’s taken this long for someone to discover it.

    I’m trying to think if I know anyone with a Honda that I can try this with…

    1. I’m gonna give it a shot. I have a honda that fits the bill and I just started (as in just received the parts) CAN hacking because i wanted long distance remote control of the windows because my work situation dictates I leave my phone in my car, tinted windows are illegal where I am, it gets over 130* F on a sunny summer day inside of it, and there are frequent unexpected and heavy rainstoms here. There is a keyfob procedure to roll them down, but not up, but it might be a fun little detour on this project and I already have a fair bit of SDR kit

      1. I’ve never heard of anywhere that tinted windows are illegal – I use them and a silver shade over the drivers window when I park on a hot day. I’ve still had my internal car temp gauge go over 70C on a hot day. if I leave the windows closed…
        – And I have to use the silver thing over the front window, or the direct sun can make the drivers wheel too hot to touch – literally..

  4. Push to Start and tap to unlock on most new cars used to be only on the bigger luxury cars. For example, the Toyota Corolla didn’t offer push to start until it was redesigned for the 2014 model year and it Toyota had only offered it as an option, not standard equipment. While cars like the Toyota Avalon and Lexus sedans offered it many years earlier

  5. In the past, some Hondas were in the “most stolen automobiles” lists generated by auto insurers.
    IIRC, the reason was that they were very common models/years and therefore highly valued by “chop shops”.
    Co-incidence?
    (Insert your own conspiracy theory here)
    B^)

      1. I own a 2010 Accord and a 2011 Civic, and I recently acquired an RTL-SDR. First off, both vehicles have fobs that transmit on 313.8-313.9 just like the FCC filing states that they should (FCC ID: OUCG8D-380H-A). The author states they are working with 433mhz transmissions. Second, each transmission I’ve recorded into Universal Radio Hacker has had similar structure, same preamble, etc, BUT, the data has definitely not been the same between transmissions from the same fob. Even if you assume a 10% error rate, each press was FAR too different to be a static code.

        I’m completely open to the possibility that I’m looking at something wrong, but I was skeptical when I first heard about this, and I’m more skeptical now that I have an SDR to do some light investigation myself.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.