Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware.
It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations is that simply recording the signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented, so a captured command can simply be transmitted again.
Given that these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and by pairing each transmission with a fresh counter value it makes basic replay attacks considerably harder. Relay (range extender) attacks, which target keyfobs sitting inside homes or at gas stations, are the more common approach these days.
Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know.
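To make the distinction above concrete, here is a small simulation of the two receiver designs: a static-code fob whose recording can be replayed at will, and a rolling-code fob whose frames carry a counter and a keyed tag. This is an added illustration, not Honda’s protocol, the researcher’s code, or any shipping fob firmware; the serial, the pairing secret, HMAC-SHA256 standing in for the manufacturer’s cipher, and the 16-press resync window are all assumptions chosen for the example. The last function also shows why rolling codes only make replay harder rather than impossible: a press the car never heard (because it was jammed) still has a fresh counter when replayed later.

```python
"""Replay against a static-code fob versus a rolling-code fob (added example)."""
import hmac
import hashlib

UNLOCK = 0x01
LOCK = 0x02
WINDOW = 16  # assumed: how far ahead of the last-seen counter the car will resync


class StaticFob:
    """Fob that transmits the same bytes on every press: serial || command."""

    def __init__(self, serial: bytes):
        self.serial = serial

    def press(self, command: int) -> bytes:
        return self.serial + bytes([command])


class StaticReceiver:
    """Accepts any frame carrying the paired serial; it has no notion of freshness."""

    def __init__(self, serial: bytes):
        self.serial = serial

    def accept(self, frame: bytes) -> bool:
        return frame[: len(self.serial)] == self.serial


class RollingFob:
    """Fob whose frame is serial || counter || command || tag, where the tag is a
    truncated HMAC under a secret shared at pairing time (assumption: real fobs
    use a block cipher, but the freshness property is the same)."""

    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key, self.counter = serial, key, 0

    def press(self, command: int) -> bytes:
        self.counter += 1
        body = self.serial + self.counter.to_bytes(4, "big") + bytes([command])
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:4]
        return body + tag


class RollingReceiver:
    def __init__(self, serial: bytes, key: bytes):
        self.serial, self.key, self.last_counter = serial, key, 0

    def accept(self, frame: bytes) -> bool:
        body, tag = frame[:-4], frame[-4:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:4]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        n = len(self.serial)
        if body[:n] != self.serial:
            return False  # somebody else's fob
        counter = int.from_bytes(body[n : n + 4], "big")
        # Only a counter strictly ahead of the last accepted one, and within the
        # resync window, is fresh. A straight replay carries an old counter.
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False
        self.last_counter = counter
        return True


SERIAL = b"\x4a\x0b\x77"            # constructed sample values
PAIRING_SECRET = b"pairing-secret-example"


def replay_static() -> tuple:
    """Returns (accepted on the owner's press, accepted when the recording is replayed)."""
    fob, car = StaticFob(SERIAL), StaticReceiver(SERIAL)
    captured = fob.press(UNLOCK)     # attacker's SDR records the owner's press
    first = car.accept(captured)
    replayed = car.accept(captured)  # attacker transmits the recording again
    return first, replayed


def replay_rolling() -> tuple:
    """Returns (accepted on first press, accepted on replay, accepted on a later genuine press)."""
    fob, car = RollingFob(SERIAL, PAIRING_SECRET), RollingReceiver(SERIAL, PAIRING_SECRET)
    captured = fob.press(UNLOCK)
    first = car.accept(captured)
    replayed = car.accept(captured)  # same counter again: rejected
    later = car.accept(fob.press(LOCK))  # owner's next press still works
    return first, replayed, later


def rolljam() -> bool:
    """Rolling codes raise the bar but do not close it: if the owner's press is
    jammed so the car never sees it, the recorded frame still carries a counter
    ahead of the car's last-seen value and is accepted when replayed later."""
    fob, car = RollingFob(SERIAL, PAIRING_SECRET), RollingReceiver(SERIAL, PAIRING_SECRET)
    car.accept(fob.press(UNLOCK))    # one normal press so fob and car are in sync
    jammed = fob.press(UNLOCK)       # owner presses again; car is jammed, attacker records
    return car.accept(jammed)        # attacker replays later: the counter is still fresh
```

The point of the window check is that a plain recording is rejected because its counter is behind the car, while the jam-and-replay variant works precisely because the car never advanced its counter; defending against that needs something beyond a counter, such as the timestamping idea raised further down the thread.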
Regarding the ‘traditional’ keyless entry attacks with range extenders, how hard would it be to implement a check on the RTT of the comms between car and (relay) key?
Timing would be tight and likely minimal compared to the processing time of the key to generate the response, but could a simple encrypted ping be employed to check the range? Say the car sends a message to the key to set up for the ping, the key gets ready to respond with its generated ping response, and then the second request from the car comes in. RF RTT is about 6 ns / m, so a response under 10 ns would be OK, over 10 suspicious.
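The exchange described in the comment above, modelled as a simulation (an added example, not the commenter’s code and not any manufacturer’s implementation). Python cannot time nanosecond round trips, so the round trip is computed from the modelled path rather than measured; the free-space propagation figure, the 2 m distance limit, the 1 ns fob turnaround and the extra delay added by relay electronics are assumptions. The untimed setup message lets the fob do its cryptographic work before the clock starts, so the timed phase is limited by radio propagation, which is exactly what a relay cannot shorten.

```python
"""Round-trip-time (distance-bounding) check for a keyless-entry fob (added example)."""
import hmac
import hashlib
import secrets

C_M_PER_NS = 0.2998        # RF propagation in free space, metres per nanosecond
KEY_TURNAROUND_NS = 1.0    # assumed: time for the fob to emit a precomputed reply
MAX_DISTANCE_M = 2.0       # assumed: a fob further away than this is not "at the car"
RTT_LIMIT_NS = 2 * MAX_DISTANCE_M / C_M_PER_NS + KEY_TURNAROUND_NS  # about 14.3 ns


class Fob:
    """Legitimate fob: heavy work in setup(), nothing but a transmit in ping()."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.pending = None

    def setup(self, nonce: bytes) -> None:
        # Untimed phase: compute the reply to the car's nonce in advance.
        self.pending = hmac.new(self.secret, nonce, hashlib.sha256).digest()[:8]

    def ping(self) -> bytes:
        # Timed phase: just emit the prepared bytes.
        reply, self.pending = self.pending, None
        return reply


class ImpostorFob(Fob):
    """Attacker next to the car without the secret: answers fast but with garbage."""

    def setup(self, nonce: bytes) -> None:
        self.pending = secrets.token_bytes(8)


class Link:
    """Models the radio path between car and fob. A relay attack inserts a long
    path plus its own electronics; both add delay the attacker cannot remove."""

    def __init__(self, fob: Fob, distance_m: float, relay_delay_ns: float = 0.0):
        self.fob, self.distance_m, self.relay_delay_ns = fob, distance_m, relay_delay_ns

    def send_setup(self, nonce: bytes) -> None:
        self.fob.setup(nonce)  # untimed, so latency on this leg does not matter

    def timed_ping(self) -> tuple:
        reply = self.fob.ping()
        rtt_ns = 2 * self.distance_m / C_M_PER_NS + KEY_TURNAROUND_NS + self.relay_delay_ns
        return reply, rtt_ns


class Car:
    def __init__(self, secret: bytes):
        self.secret = secret

    def try_unlock(self, link: Link) -> tuple:
        """Returns (accepted, round trip in ns). Both checks must pass."""
        nonce = secrets.token_bytes(8)
        link.send_setup(nonce)
        reply, rtt_ns = link.timed_ping()
        expected = hmac.new(self.secret, nonce, hashlib.sha256).digest()[:8]
        authentic = hmac.compare_digest(reply, expected)
        near = rtt_ns <= RTT_LIMIT_NS
        return authentic and near, rtt_ns


SECRET = b"fob-pairing-secret-example"  # constructed sample value


def legit_unlock() -> tuple:
    """Owner standing 1 m from the car: authentic reply, short round trip."""
    return Car(SECRET).try_unlock(Link(Fob(SECRET), distance_m=1.0))


def relayed_unlock() -> tuple:
    """Fob 20 m away inside the house, reached through relay hardware that adds
    30 ns (assumed). The reply is cryptographically correct but arrives late."""
    return Car(SECRET).try_unlock(Link(Fob(SECRET), distance_m=20.0, relay_delay_ns=30.0))


def forged_unlock() -> tuple:
    """Attacker at the car with no secret: round trip is short but the reply is wrong."""
    return Car(SECRET).try_unlock(Link(ImpostorFob(SECRET), distance_m=1.0))
```

Note that the relay case fails on timing alone even though the relayed reply is genuine, and the forgery fails on the MAC even though it is fast; a receiver needs both checks, and the distance limit it enforces is set by how precisely it can timestamp the reply, which is the hard part in a real radio.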
That’s what UWB and BLE 5 localization features are doing.
None of these are already mainstream (UWB may be out of the door soon, if not already done).
It’s not terribly hard, and they were even warned before they rolled out keyfobs everywhere that they needed to ensure the timing was correct. However, car companies don’t seem to give a damn, even if a simple 57 cent switch could save lives.
Have you ever worked in automotive projects? I did. It’s the worst of usual corporate IT bureaucracy (or should I say bullshit?) wrapped in yet another layer of bureaucracy, stupidity and… hard to exactly describe… a mix of engineering fascism and a not-give-a-damn approach at the same time.
Really? Even this guy figured it out
Nvm he or youtube deleted his video.
But from what I remember, he had an SDR (software defined radio) with transmit; he recorded the signal from the key fob and played it back.
It wasn’t that complicated.
Are you talking about Samy Kamkar? His YouTube channel is still up.
It’s this guy
https://youtube.com/c/KalleHallden
His channel is still up, but his video of this hack is not.
But he claims he’s a programmer/hacker, but he’s not, he’s a YouTuber. Hence my “really?”, because he was able to figure it out.
I am doubly-shocked here, to the point of faint skepticism.
Shock #1: That Honda would have done this in 2009 models, much less 2020 models
Shock #2: That with all the SDR enthusiasts out there, it’s taken this long for someone to discover it.
I’m trying to think if I know anyone with a Honda that I can try this with…
I’m gonna give it a shot. I have a Honda that fits the bill, and I just started (as in just received the parts) CAN hacking because I wanted long-distance remote control of the windows: my work situation dictates I leave my phone in my car, tinted windows are illegal where I am, it gets over 130 °F inside it on a sunny summer day, and there are frequent unexpected and heavy rainstorms here. There is a keyfob procedure to roll them down, but not up, but it might be a fun little detour on this project and I already have a fair bit of SDR kit.
I’ve never heard of anywhere that tinted windows are illegal – I use them and a silver shade over the driver’s window when I park on a hot day. I’ve still had my internal car temp gauge go over 70 °C on a hot day if I leave the windows closed…
– And I have to use the silver thing over the front window, or the direct sun can make the driver’s wheel too hot to touch – literally.
Here’s an example for the USA
https://instamotor.com/blog/window-tinting-laws-50-states
I share your same sentiment. I’m hoping this article will crowd source a community effort to verify on more model/year combinations.
Push to Start and tap to unlock on most new cars used to be only on the bigger luxury cars. For example, the Toyota Corolla didn’t offer push to start until it was redesigned for the 2014 model year, and Toyota had only offered it as an option, not standard equipment, while cars like the Toyota Avalon and Lexus sedans offered it many years earlier.
I remember this from a few years ago. Seems similar and further validates.
https://calebmadrigal.com/hackrf-replay-attack-jeep/
One of my unfinished projects is an attempt to defeat rolljam through timestamping.
https://hackaday.io/project/170261-secure-wireless-remote
This kind of system already exists, no? Essentially it’s the same method used by authenticator apps as part of 2FA.
Will this attack work on my ’95 civic?
I lost my Honda fob years ago.
A “replacement” I bought on eBay or Amazon would not program to my car.
(I even asked the local dealer to try, and they couldn’t.)
In the past, some Hondas were in the “most stolen automobiles” lists generated by auto insurers.
IIRC, the reason was that they were very common models/years and therefore highly valued by “chop shops”.
Coincidence?
(Insert your own conspiracy theory here)
B^)
This seems a little click-baity for Hackaday. Any verification?
I thought the article (and indeed the title) convey a fair level of skepticism.
Anyone with a Honda check this out yet?
Yes, me. The guy that discovered it. Any questions? Want me to send some videos and research? I’ll even send you recorded signals for study. https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patty
I own a 2010 Accord and a 2011 Civic, and I recently acquired an RTL-SDR. First off, both vehicles have fobs that transmit on 313.8–313.9 MHz, just like the FCC filing states that they should (FCC ID: OUCG8D-380H-A). The author states they are working with 433 MHz transmissions. Second, each transmission I’ve recorded into Universal Radio Hacker has had a similar structure, same preamble, etc., BUT the data has definitely not been the same between transmissions from the same fob. Even if you assume a 10% error rate, each press was FAR too different to be a static code.
I’m completely open to the possibility that I’m looking at something wrong, but I was skeptical when I first heard about this, and I’m more skeptical now that I have an SDR to do some light investigation myself.
Hello, I am the discoverer of this attack. Any questions/comments can be directed at me!
I’m very intrigued by this