Hackers remotely start, unlock Honda Civics with $300 tech

If you’re driving a Honda Civic manufactured between 2016 and 2020, this newly reported key fob hijack should start your worry engine.

Keyless entry exploits are nothing new. Anyone armed with the right equipment can sniff out a lock or unlock code and retransmit it. This particular issue with some Honda vehicles is just the latest demonstration that auto manufacturers haven’t adapted their technology to keep up with known threats.

This security weakness, tagged CVE-2022-27254, was discovered by Ayyappan Rajesh, a student at University of Massachusetts Dartmouth, and someone with the handle HackingIntoYourHeart. Their research indicated that Honda Civic LX, EX, EX-L, Touring, Si, and Type R vehicles manufactured between 2016 and 2020 all have this vulnerability.

According to the duo, who thanked professors Hong Liu and Ruolin Zhou and mentor Sam Curry, “various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start. This allows for an attacker to eavesdrop on the request and conduct a replay attack.”

The GitHub page created for the vulnerability hosts three separate proof-of-concept videos showcasing their results. Essentially, it’s shown that you can wait nearby for an owner to wirelessly open or start their vehicle, record that signal over the air, and later on you transmit that data again to perform the same action for yourself.

Attackers only needed a few easily sourced components to execute their attack: a laptop, the GNURadio development toolkit, Gqrx software-defined radio (SDR) receiver software, access to the FCCID.io website, and a HackRF One SDR. The only cost associated with the attack (besides owning a laptop) is purchasing the HackRF One, which retails in the mid-$300 range. All software used in the attack is free and open source.

A common problem

The CVE page for this vulnerability makes mention of another, CVE-2019-20626, the same vulnerability found in 2017 Honda HR-V vehicles, which Paraguayan security researcher Victor Casares demonstrated in a 2019 Medium post.

An unrelated but similar problem in 2012 Honda Civics allows for a similar attack, but with a different cause: a non-expiring rolling code and counter resync. This isn’t just a Honda problem either. In 2016, The Register reported on an experiment in which researchers cloned a Volkswagen key fob and were able to use it to potentially unlock 100 million vehicles.

The researchers involved in this latest discovery said that vehicle owners don’t have a lot of protection options as long as manufacturers continue using static codes. Rolling codes that change at each press of the button are “a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system,” the researchers said.

Speaking of PKE systems, the researchers say that those are a significant improvement over RKE systems. Instead of relying on the fob to broadcast, the vehicle itself continually searches for a passive RF fob, like a door keycard, and once close enough the vehicle automatically unlocks. The close proximity required makes this attack far trickier.

Ultimately, the researchers say the only way to mitigate the problem if you’re a victim is to head to the dealership and have them reset the key fob. As for prevention, the researchers go back to basics on this one: put your keys in a Faraday pouch.

We have asked Honda to comment. ®

Read More