Keyless entry has become a standard feature on virtually all cars, where once it was a luxury option. However, it’s also changed the way that thieves approach the process of breaking into a car. After recent research, [HackingIntoYourHeart] claims that many modern Honda and Acura vehicles can be accessed with a simple replay attack using cheap hardware.
It’s a bold claim, and one that we’d love to see confirmed by a third party. The crux of the allegations are that simply recording signals from a Honda or Acura keyfob is enough to compromise the vehicle. Reportedly, no rolling code system is implemented and commands can easily be replayed.
Given these commands control features like unlocking the doors, opening the trunk, and even remote starting the vehicle, it’s a concerning situation. However, it’s also somewhat surprising. Rolling code technology has been around for decades, and makes basic replay attacks more difficult. Range extender attacks that target keyfobs sitting inside homes or gas stations are more common these days.
Whether Honda has made a security faux pas, or if there’s something more at play here, remains to be seen. If you’ve got more information, or have been able to recreate the same hack on your own Honda, be sure to let us know.
You read about well-publicised security exploits, but they always seem to involve somebody with a deity’s grasp of whatever technology is being employed, as well as a pile of impossibly exotic equipment. Surely a mere mortal could never do that!
Happily, that’s not always the case, and to prove it [Gonçalo Nespral] replicated an attack against RF devices such as some garage doors and motor vehicle locks that use a rolling code. His inspiration came from a device from2015, that encouraged the owner of a key to keep transmitting fresh codes. It did this by swamping the receiver of the car, garage door, or whatever with a strong slightly off frequency signal. This would cause the lock to not work, so the user would try again and again. The attacker listens with a very narrow bandwidth receiver on-frequency that is good enough to reject the jamming signal, and can harvest a sequence of the rolling codes enough to compromise it.
[Gonçalo]’s set-up uses a YARD stick One transceiver dongle as its transmitter, and an RTL-SDR for receive. A GNU Radio setup is used to retrieve the key data, and some custom Python code does the remaining work. We wouldn’t advocate using this in the wild and it could conceivably also gain you access to another car with a flashing light on top, but it’s an interesting exposé of the techniques involved.
Rolling code keyfob attacks are something we covered a few years ago, back when these attacks were all shiny and new.