Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way. We simply don’t know yet if it affects other vendors, but in principle it could. This vulnerability has been assigned the CVE-2021-46145.
[kevin2600] goes in depth on the implications of the attack but doesn’t publish many details. [Wesley Li], who discovered the same flaw independently, goes into more technical detail. The hack appears to replay a series of previously valid codes that resets the internal PRNG counter to an older state, allowing the attacker to reuse the known prior keys. Thus, it requires some eavesdropping on previous keyfob-car communication, but this should be easy to set up with a cheap SDR and an SBC of your choice.
If you have one of the models affected, that’s bad news, because Honda probably won’t respond anyway. The researcher contacted Honda customer support weeks ago, and hasn’t received a reply yet. Why customer support? Because Honda doesn’t have a security department to submit such an issue to. And even if they did, just a few months ago, Honda has said they will not be doing any kind of mitigation for “car unlock” vulnerabilities.
As it stands, all these Honda cars affected might just be out there for the taking. This is not the first time Honda is found botching a rolling code implementation – in fact, it’s the second time this year. Perhaps, this string of vulnerabilities is just karma for Honda striking down all those replacement part 3D models, but one thing is for sure – they had better create a proper department for handling security issues.
I wonder how practical this attack is. The sliding window of codes means that an attacker needs to gather multiple sequential codes, not just unrelated ones over a long period.
If the attacker say lives next door, or works at the same place, they might have a chance. For thieves just randomly prowling the neighbourhood at night, not likely.
Well, heaving not read all the details, I could imagine, that you could easily get the PRNG in the car out of sync.
This means, the FOB would need to do the re-sync itself.
So it would be as easy as waiting for somebody to arrive at home, torture the PRNG with old garbage to unsync it, wait someone to open with a FOB, and sniff all the necessary data to get everything in sync again.
With this, you could just replay the un-sync and re-sync sequence over and over again…
Regards
Could leave a small logging device next to someone’s house? Particularly if you’re targeting high value cars.
Or even attach the logger to the car.
So that rules out Hondas
Acura?
That’s still a honda
Or attached to the vehicle.
While I think Johann is correct and that isn’t going to be really needed to sniff long term, even if that is your method why leave it near a house – battery, SDR and SBC make for a pretty dang small package that can probably be magnetically attached to the target car invisible without an inspection mirror or pit.
Then you all you need to do is get in range or hit the button you fitted to it to inform it to do the attack and open the car.
Looks like cars usually use 315 or 433 depending on the country. You can buy receivers for those frequencies dirt cheap and they are more power efficient then an SDR.
Great post some more things for criminal minds to help them do ish they’ve no business doing…we certainly dont have enough car prowling, jacking, etc going on 🤦🏼♂️ go ahead and post more links to show how it works. Its not like criminal minds wont find this fascinating enough for them to try.
The problem has always been there and will already be known by criminals. Ever wonder how brand new vehicles with the latest anti-theft technology are able to be stolen? It’s because they already know all of this.
Making this public knowledge doesn’t change that fact and instead puts pressure on Honda to actually fix the problem. Maybe they’ll even be forced to conduct a recall.
Anyone who owns an affected Honda should be thankful that this researcher made it public knowledge instead of selling it off to the highest bidder.
This is such a ridiculous argument, especially to make on this particular site.
Security by obscurity has long ago and endlessly been debunked.
>high value
>Honda
Pick one.
high value Honda parts
time to equip the procurement team at the chop shop with these tools
Seriously though, I would be installing a hidden battery cutoff switch, or SOMETHING on my Honda until a fix is found
Couldn’t you just not use the remote fob? If you’re concerned by these interception attacks simply don’t emit the RF that’s being intercepted, much simpler than a battery cutoff and you don’t lose all your radio settings.
Pull fuel pump relay or make an esp32 webpage or ble app with relay to do same. No fuel pump, no roll… But we should be outraged that our HRV is at risk and Honda has no security department…
Acura is Honda.
That is accurate!
The value of a car is pretty high when you don’t have to pay for it…
Fully loaded accord touring MSRP is $40K, with market adjustment your lucky to pay $45k pre taxes, doc fees, destination charges, paperwork fees, and any interest if you financed. Your looking at 50-52K on an accord by the time your done
Wouldn’t take long at all if the car is prevented from hearing the unlock request and it doesn’t unlock the car. In this case what would 99.99% of people would do? Simply by using a SDR tranmitter to send a powerful CW signal positioned right next to the frequency the car listens for the keys. The AGC (automatic gain control) in the car’s fob receiver will drop the gain and won’t be able to hear the customers,. it’s quite likely the victim-to-be will list just press unlock again and again till it opens,, aka till enough (still futre btw) codes are gathehred, the jamming stopped, and replaying the firist code received to the car, Victim woud proboably just think they have a weak keyfob battery and move on with their day.
How do you receive the signals you’re jamming while you’re jamming them?
The jammer sits near the car. The scanner is either closer to the fob, simply farther from the jammer then the car, or using a directional antenna. It could also help if you have a receiver with a good front end that has high selectivity. I bet the receiver in the car is basically garbage since it’s meant for close communication.
I’d be more worried about if I lived in an apartment building with a parking garage. Most of the ones I’ve seen would be easy enough to set things up with no one noticing. If you ran the attack correctly you could come back a week or two later with a crew and steal all the Hondas at once.
That was the most realistic scenario I could come up with. Mostly because a lot of the car thieves that have the technical know how to do this Target much more expensive brands. So it might be worth it to them if they can hit a bunch of cars all at once.
As with a lot of the key fob attacks their targeted and generally not crimes of opportunity. However these do happen in the wild. I’ve seen CCTV footage that shows people successfully pulling off the relay attacks.(houses and parking garages) This is why not keeping your keys by the front door is now a recommendation if you have keyless entry. The more expensive and or sought at your vehicle is the more you have to worry about these types of attacks. But you’re far more likely just have your window smashed in.
They could just attach a device underneath the car to collect codes. They could also just get ahold of the keys. Common places would be valet parking, mechanic, or a dealership. I’m sure a little creativity would result in other great places to snatch a key for a few minutes.
Years ago when commuting into the city via commuter rail, I parked in a local parking garage to catch the train. One day I noticed that my car didn’t beep when I hit my lock button the first time, but did beep the second time I hit the button. This is a key indicator of a key code capture device. I looked around and found this generic looking box taped to a wall. I pulled it down, opened it up, saw an on-off switch and stuck it in my car. Later found that someone used some sort of Arduino kit to build the thing. Bonus for me because I got an Arduino to play with now!
My Honda security feature is to drive a 20+ year old car with 260,000 miles on it that is all rusted out. No one wants anything to do with it. Best security ever.
My Honda security feature is that I drive a Chevy.
Honda – runs about the same forever, rusts if you look at it
Chevy – runs forever but eventually transitions from running on gasoline to running on motor oil plus a lot more gasoline
Ford – looks pretty, doesn’t run
Kia – looks pretty, leaves money in your wallet, also leaves parts behind as you drive down the road
Tesla – does not leave money in your wallet, probably returns to Elon’s control when he broadcasts the master code. Might be made of recycled decepticons. Radio tunes itself to crazy right-wing talk stations randomly.
BMW – Same replacement battery cost as Tesla. But it’s not an EV!
Kia – easily stolen with small screwdriver
Hyundai – easily stolen with small screwdriver
Tesla – Activate Order 66!
If you want a Tesla roadster, I know where there’s one just abandoned.
@RW please do tell!
It’s in a bit of a remote area, plus side though, no bears or venemous snakes..
https://www.whereisroadster.com/
Anyone older than 12 remembers when being anti-establishment and pro free speech were Left wing traits.
Pretty bad for job security when it breaks down.
My 2019 Civic Hatch Sport still requires a key to start, and better yet, a 6MT which is a deterrent by itself. 8-)
That may explain the huge wave of Honda car theft around my area. I keep hearing if CR-V getting stollen and I saw people go back to using club on their wheel.
Use the club on the thief, if caught.
Maybe we shopun d turn our vehicles into car-sized glibber bombs, or at least hide a can of fart spray under the dash somewhere (activated in parallel with automatic door locks)
I once lived on the edge of a rough area, shooty bangbang gangland rough. My car was getting petty breakins about monthly… lost a few cassette tapes… but the final time I found the area around the ignition switch all scratched up… okaythen.. bought a club type device… started using it… all crime against my car stopped by magic, weird.
Juveniles playing “wat u got”
Grownup thieves laugh at the club
http://www.clubbuster.com/
That’s cute. I like it.
Alternatively: Steering wheels are very easy to cut. A hacksaw blade — even without a handle — is sufficient to make quick work of the job, and is easy to conceal.
And then the club just slips off.
Either way: If someone wants it badly enough, then the car is simply gone. The club is a deterrent, but it fails to actually-protect.
Sounds like random neighborhood prowl might not be practical, but a targeted attack would be quite easy if the attacker is willing to leave hardware behind. Combining an SDR+SBC into a small battery-run package you could leave near the car (or even attach magnetically to the car itself) would be pretty simple. Attach, wait a few days, come back and run a remote test to see if the car will unlock …
$6 SDR + $4 ESP?
ROI?
Please let us know where you can find a $6 SDR !
Not $6 but a standard RTLSDR is $15.
Wow, that’s crazy. I really loved my Del Sol S, which was reliable, well built, and easy to work on– But also luckily not so advanced as to have such possible issues.
Hondas of that era would all open to any key once they were about 10 years old.
The only Del Sol worth owning was the one with the B engine (the first year). Which will get stolen today if left unguarded.
This is why cars have keyring transponders too, on a different frequency.
When car thieves aren’t dealt with like horse thieves used to be….. the theft continues.
Just takes the right punishment to stop the crime permanently.
Take hackers for example…. If every Saturday night they had “Hang the Hacker” live reality show…..
Would be truly amazing how fast hacking became not the thing to do.
This old mindset is build upon specious logic. They did what you suggested and despite executing people, crimes persist. Why? It comes down to why people commit crimes to start with.
I hope you wise up because people like you are taking a toll on society at large.
While I don’t agree with a ‘reality show’ they do have a point that punishments being meaningful helps – yes folks get into crimes for all manner of social pressures, which really do need addressing, but its alot easier to convince yourself or somebody else to commit a crime if the punishments are nill, or amount to a slap on the wrist.
When you can get something for nothing illegally and the risks of making your life any worse, even if you get caught doing it seem low or even non-existent the only reason not to is if you give a crap about the effect it has on the victim of your crime, and out of sight out of mind can easily apply there…
As a hacker, (the true meaning and spirit of the word not the news/general meaning) hanging hackers would do no good. Humans are always a curious lot, From the very beginnings of the electronics age when radio was first getting started to the latest digital formats of today, people are curious as to how the technology works. As technology advances, people will be curious about it and try to figure out how it works. The true spirit of hacking is to learn about technology. What amazes me is people who have the skills to do these things will work as hard as they can to steal instead of working hard at an honest job..
Many of them do work honestly, but while the risk to reward is so heavily weighted in favour of being a scumbag you are always going to get folks taking those tiny risks.
Not to mention all the grey areas where it may or may not really be legal – like jailbreaking and ROM dumping, at what point does doing/demonstrating that go beyond the legal for personal use type arguments into outright piracy or at least encouraging criminality? With the added complication that you may be in nation x, hosting this content with a provider in y, while the rights holders are different in many jurisdictions to make figuring out if such things are being done in a entirely consistent with the laws that apply to you way…
The reason capital punishment was done away with in most countries was because the criminals tended to not want to be caught alive. It took a terrible mental toll on the police on the ground. there’s also simple physics to think of. every action creates an equal and opposite reaction, so culling the genepool creates a more cunning criminal, as well as pushing them into other areas where they would cause more societal damage.
Not really.
The reason was that if your going to get hung for theft, you might as well kill the witnesses. Killing people for relatively minor crimes escalates the crimes.
The best reason to not have capital punishment? You can’t trust them (the government) with that much power. Same reason you _should_ cheat on your taxes. Starve the beast.
Starve the beast and watch it be replaced by corporations. I’ll take the one I can vote for unless you’ve gone and done something as stupid as declaring corporations ‘humans’ and deserving of human rights.
Super harsh penalties stop crime? Huh? Got any stats to go with that?
That would just make those things get more expensive to do (and the profits from doing it would go to the clouds).
And thanks god we got to know how insecure is our stuff! If you forbid people of exposing security flaws, just the bad actors will know it, while the people innocently falls in their hands without a chance.
Open your mind, that’s the seed of a better world.
Capital punishment for nonviolent crimes is too ignorant to be seriously considered by anyone reputable.
If you really want to go back to the lawless wild west building a time machine is your best choice. Trying to degrade our justice system by a few hundred years over simple vehicle theft isn’t a smart or sane option.
Until then I recommend you go to a ren faire to fulfill your feudalistic fantasies.
Not exactly karma, if there is something related, it’s more in the field of vendetta from the community (and it’s adorable).
I’ve a feeling that owners will need to apply the Mr. Bean’s lock in their vehicles, if they are counting on Honda…
Too bad there isn’t an alternative, like say a metallic object with a specially cut pattern that is required to open the doors and start the car. Of course, something like that wouldn’t be perfect, but at least they’re not vulnerable to electronic attack from a discrete distance.
No, even simpler attacks are possible in that case… there have been people with zoom lenses who showed that you can photograph a key from more than 100 metres away and fabricate a facsimile from that ;)
That’s not going to do a whole lot, when manufacturers don’t care about mechanical lock security: https://www.vice.com/en/article/nejpbd/your-car-key-could-unlock-somebody-elses-car https://www.lockpicks.com/honda-ho01-hond-31-hon66-lishi-pick-decoder.html
Yeah this kind of remote attack will not be used by any car thieves, possibly by security agencies.
For a car thief it is much easier to use a Turbodecoder or KatanaDecoder. It opens the lock on most cars in 30 seconds.
this is bad. everyone is talking about putting stuff outside the targets’s house and stuff, think malls and large garages. solar powered device on each level with the thief in a car on a level that gets notified when the same car appears.
This hack only works if you assume that
1) The Earth Dreams engine remote start button has not yet failed. “Keyless Start Problem”
2) The Earth Dreams engine starter has not yet failed.
I have never, ever had so many problems with a new car as with recent Hondas. JUST. AWFUL.
This is why my cars have a complex system of toggle switches hidden under the dash which must be flipped in a secret order like in Mad Max. Otherwise a disturbing capacitor-whine sound effect is played followed by an extremely loud bang and police sirens
There you go… Two factor authentication needed to activate the vehicle. One to get into the car, and two to bring the car to life…. Like it.
Singapore has some of the most extreme sentences for just about any crime you can think of. Despite the fact of having an insanely low crime-rate, it still happens there.
In the US you have over zealous groups who are never satisfied with the amount of punishment handed down for a particular crime, lets say a DUI. And so they continue lobbying for even stricter laws believing this will finally stamp out drunk driving. With a punishment involving a 2 page list of requirements that need to be fulfilled, along with having to shell out close to $20K when all said and done, also possible jail/prison time, DUI’s are still alive and flourishing throughout the country.
The concept simply does not work, and society really needs to accept that reality, also maybe learning to embrace the idea that life comes with risk, and that we cant protects ourselves by means of hyper-regulating and punishing with an iron fist.
The right approach is usually an appeal to laziness.
That is what streaming services are to piracy. It’s easier to pay a small monthly fee and do all you can eat. Then most people will just go with the streaming service. Piracy is not knocked out, but it is significantly reduced from what it would otherwise be if streaming was not available or was expensive.
Not sure how that might play out for DUI. Maybe govt subsidized drunk bus / Uber. If the goal is to have you not drive, that would do it. While I do believe that you get what you subsidize, having no / fewer DUI drivers seems like a safe bet.
Or walk from the bar into a pizzeria and order a pizza to your house, pay extra for the ride home. Now you get a ride home and a pizza and no one got hurt.
Great another thing to worry about and I really can’t fix it because of course my car is locked down by Honda. They don’t even have key locks on the car except for the driver door so you can’t even disable it. Now I really regret buying a new car.
Does this go back to 2015 models? My 2015 Civic has keyless entry, but requires a hard key to start, and as far as I know, there is a transponder in the key fob that the car’s computer must read to allow the car to start, and there is no factory remote start feature. So it would seem to me that the thief might be able to enter the car, but would not be able to start it without the transponder in the key fob.
Hmm. I worked on a BCU 20 years ago for a generic keyfob system and this seems the same code is still being used as this was the design we were given. Honda was one of the customers…
good look