Honda cars have a vulnerability that enables hacking using the Rolling-PWN attack.
This may be bad news for owners of the affected Honda models.
The flaw was discovered by a team of security researchers from Star-V Lab. Researchers Wesley Li and Kevin2600 independently discovered this vulnerability.
The Rolling-PWN attack can allow threat actors to unlock some Honda vehicles. The vulnerability is currently tracked as CVE-2021-46145.
The vulnerability, which has been given the name Rolling-PWN, makes it possible for threat actors to launch replay attacks by stealing the codes transmitted from the key fob to the vehicle and utilizing those codes to either unlock or start the vehicle.
Honda Car Vulnerability
The vulnerability is reported to allow an attacker not just to unlock the vehicle, but also to start it.
To guarantee that different strings are used each time the key fob button is pressed, modern cars use rolling codes generated by a pseudorandom number generator (PRNG) algorithm.
Honda vehicles employ this rolling code mechanism, which selects a different code each time the key fob is used.
Each time a button is pressed on the key fob, a new code is transmitted to the vehicle. In theory, this should render any previously used codes useless.
However, BleepingComputer reports, "researchers Kevin2600 and Wesley Li found that the counter in Honda vehicles is resynchronized when the car vehicle gets lock/unlock commands in a consecutive sequence."
Because of this, the vehicle will take codes from a prior session even though they ought to have been rendered invalid.
An actor who was armed with software-defined radio (SDR) technology could record a string of codes, store them, and then use them at a later date to unlock the car and start the engine.
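The resynchronization behaviour described above, modelled on the receiver side as an added Python example (not code from the researchers or from Honda). The HMAC-based code generator, the window size, the run length of three and the Receiver class are assumptions chosen for illustration; the second configuration shows the hardened rule of never moving the counter backwards.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret shared by fob and car
WINDOW = 16                    # assumed look-ahead for missed button presses
RESYNC_LEN = 3                 # assumed run length that triggers a resync

def rolling_code(counter: int) -> bytes:
    """Code the fob sends for a counter value (HMAC stands in for the PRNG)."""
    msg = counter.to_bytes(4, "big")
    return hmac.new(KEY, msg, hashlib.sha256).digest()[:8]

class Receiver:
    def __init__(self, resync_on_run: bool):
        self.counter = 0        # highest counter accepted so far
        self.resync_on_run = resync_on_run
        self.run = []           # counters of consecutive stale codes just seen

    def _lookup(self, code: bytes, lo: int, hi: int):
        """Return the counter in [lo, hi] whose code matches, else None."""
        for c in range(lo, hi + 1):
            if hmac.compare_digest(rolling_code(c), code):
                return c
        return None

    def accept(self, code: bytes) -> bool:
        fresh = self._lookup(code, self.counter + 1, self.counter + WINDOW)
        if fresh is not None:
            self.counter, self.run = fresh, []
            return True
        stale = self._lookup(code, 1, self.counter)
        if self.resync_on_run and stale is not None:
            # Flawed rule: a run of in-order stale codes moves the counter back.
            in_order = bool(self.run) and stale == self.run[-1] + 1
            self.run = self.run + [stale] if in_order else [stale]
            if len(self.run) >= RESYNC_LEN:
                self.counter, self.run = stale, []
                return True
        else:
            self.run = []       # hardened rule: stale codes never change state
        return False

def replay_results(resync_on_run: bool):
    """Owner presses the fob 10 times; codes 1-5 are then replayed in order."""
    car = Receiver(resync_on_run)
    session = [rolling_code(c) for c in range(1, 11)]
    assert all(car.accept(code) for code in session)
    return [car.accept(code) for code in session[:5]]
```

With the flawed rule the third replayed code rolls the counter back, so every later code from the old session is accepted again; with a strictly increasing counter all five replays are rejected.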
They discovered the bug directly impacts ten of the most popular Honda model types in the market, leading them to assume it impacts nearly all Honda vehicles manufactured after 2012.
According to the researchers, the affected Honda vehicles range from model year 2012 up to this year's 2022 cars. These are:
Honda Civic 2012
Honda X-RV 2018
Honda C-RV 2020
Honda Accord 2020
Honda Odyssey 2020
Honda Inspire 2021
Honda Fit 2022
Honda Civic 2022
Honda VE-1 2022
Honda Breeze 2022
The researchers presented information and demonstration videos on the Rolling-PWN vulnerability, which demonstrated how it could be exploited to unlock a variety of Honda vehicles.
Honda Denies the Vulnerability
The researchers looked for a way to warn Honda of the vulnerability, but they were unable to locate a contact for reporting problems with the company's security. In the end, they decided to report the incident to Honda Customer Service, but they have not received a response as of yet.
A spokeswoman for Honda issued a statement to Vice in which they denied the veracity of the article and maintained that the allegations are not supported by any evidence.
According to Vice, Honda, after conducting research into previous complaints of a similar nature, has determined that those charges lacked any basis in fact.
The spokesperson stated, "While we don't yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report."
Honda added, "In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims."