Security researchers Kevin2600 and Wesley Li from Star-V Lab posted videos earlier this week that exposed a vulnerability in several Honda vehicle models. The flaw lets attackers not only open the car doors but also remotely start the engine.

Called the Rolling-PWN attack (CVE-2021-46145), the vulnerability permits replay attacks, in which a threat actor manages to obtain car key fob codes and uses them to circumvent security systems. For this, the researchers used the remote keyless entry (RKE) system.

To prove that the issue affects all Honda vehicles released from 2012 to 2022, the experts successfully tested the attack against ten of the brand’s most popular models: Civic 2012; X-RV 2018; C-RV 2020; Accord 2020; Odyssey 2020; Inspire 2021; Fit 2022; Civic 2022; VE-1 2022 and Breeze 2022.

How researchers unlocked Honda cars

According to the Rolling-PWN statement published on GitHub, the vulnerability lies in a version of the rolling code mechanism. That mechanism has been implemented on many Honda models precisely to prevent “man in the middle” replay attacks, in which the attacker is able to intercept communication between the user and the security system.

“After each key fob button press, the rolling code sync counter is incremented. However, by design, the car’s receiver will accept a floating code window to prevent accidental keypresses,” say the experts. When commands are sent to the system sequentially, the counter is resynced, which allows commands from the previous cycle to be reused.
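A minimal model of the counter-and-window logic described above, added here as an illustration; it is not code from the Rolling-PWN researchers or from Honda. The MAC-based code, the key, the window size and the three-code resync rule are assumptions, chosen to show why a receiver's counter must never move backwards.

```python
import hmac, hashlib

KEY = b"constructed-demo-key"   # constructed shared secret, not a real fob key
WINDOW = 16                     # assumed size of the look-ahead acceptance window
RESYNC_RUN = 3                  # assumed: consecutive codes that trigger a resync

def code(counter: int) -> bytes:
    """Toy rolling code: a MAC over the counter (stand-in for the real cipher)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

def recover_counter(frame: bytes, lo: int, hi: int):
    """Return the counter in [lo, hi] whose code matches the frame, else None."""
    return next((c for c in range(lo, hi + 1) if hmac.compare_digest(code(c), frame)), None)

class StrictReceiver:
    """Accepts only counters ahead of the last one seen; never moves backwards."""
    def __init__(self):
        self.last = 0
    def receive(self, frame: bytes) -> bool:
        c = recover_counter(frame, self.last + 1, self.last + WINDOW)
        if c is None:
            return False
        self.last = c
        return True

class ResyncingReceiver(StrictReceiver):
    """Hypothetical flawed variant: a run of consecutive valid codes resets the
    counter even when that run lies behind the current position."""
    def __init__(self):
        super().__init__()
        self.run = []
    def receive(self, frame: bytes) -> bool:
        if super().receive(frame):
            self.run = []
            return True
        c = recover_counter(frame, 1, self.last)   # stale but genuine code
        if c is None:
            self.run = []
            return False
        self.run = self.run + [c] if self.run and c == self.run[-1] + 1 else [c]
        if len(self.run) >= RESYNC_RUN:
            self.last, self.run = c, []            # counter rolled back: the flaw
        return False

def replay_accepted(receiver) -> bool:
    """Fob sends codes 1..5 (constructed); codes 1..4 are then presented again."""
    frames = [code(n) for n in range(1, 6)]
    results = [receiver.receive(f) for f in frames + frames[:4]]
    return any(results[5:])
```

The strict receiver rejects every previously used code, while the resyncing variant accepts one after its counter is rolled back; the defensive invariant is that `last` only ever increases.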

The researchers suggest that updating the vulnerable BCM firmware via an over-the-air (OTA) update would be a viable way to fix the issue without the need for a recall, although this would leave out some older vehicles. Consulted by the magazine clamp, Honda said the report was unreliable.

Source: Tec Mundo
