
Keyless Entry Systems of Several Honda Models Are Vulnerable to Replay Attacks Allowing Unlocking and Ignition

Two security researchers discovered a replay attack vulnerability in select Honda and Acura cars that allows a nearby hacker to unlock the vehicle and start the engine. Replay attacks require a hacker in close proximity to capture and resend RF signals to fool the remote keyless entry system.

The man-in-the-middle (MitM) attack variant, tracked as CVE-2022-27254, allows an attacker to intercept and edit the RF signals sent from a remote key fob to the car and retransmit them later to unlock the vehicle at will.

Security researchers Blake Berry and Ayyappan Rajesh are credited with discovering the flaw but have yet to release the proof-of-concept (POC) code or the technical details.

What is a remote keyless entry system?

A remote keyless entry system allows the owner to unlock the car without relying on a physical button, panel, or key. It automatically unlocks the car at the touch of the door handle when a remote keyless key fob is nearby.

The system relies on short-range radio signals but can also be connected to mobile networks, allowing owners to lock or unlock the car from many miles away. Similarly, range extenders could allow owners to remotely unlock or start cars parked at home.

Which vehicles are vulnerable to keyless entry replay attacks?

The researchers noted that the bug affects cars in the Honda Civic family manufactured between 2016 and 2020. These include Honda Civic LX, EX, EX-L, Touring, Si, and Type R.

In 2020, Berry listed the following vehicle models as vulnerable to keyless entry replay attacks tracked as CVE-2019-20626.

  • 2009 Acura TSX
  • 2016 Honda Accord V6 Touring Sedan
  • 2017 Honda HR-V
  • 2018 Honda Civic Hatchback
  • 2020 Honda Civic LX

Another security researcher had reported that the Honda Civic 2012 was vulnerable to replay attacks tracked as CVE-2021-46145.

“This attack is even worse than the ‘rolljam’ security flaw that Samy Kamkar famously demonstrated in 2015,” Chris Clements, VP of Solutions Architecture at Cerberus Sentinel, said.

“At least with that attack, the car and remotes implemented ‘rolling codes’ that change with every transmission to prevent simply intercepting and replaying the same code over and over.

“With this new attack on the Honda vehicles, once an attacker captures the codes, it effectively gives them indefinite access to control a specific car’s lock, unlock, and in some cases remote engine start functionality.”

Is Honda planning to fix vehicles vulnerable to replay attacks?

Honda downplayed the threats posed by replay attacks on its remote keyless entry system, arguing that the exploit requires an attacker to be nearby or physically connected to the vehicle.

Additionally, Honda said that sophisticated attackers are relentless in trying to overcome newer security features, while others rely on cruder methods to steal vehicles.

“It’s important to note, while Honda regularly improves security features as new models are introduced, determined and technologically sophisticated thieves are also working to overcome those features,” BleepingComputer reported.

The technology website quoted a Honda employee as saying that “Honda has no plan to update older vehicles at this time.”

“Honda’s comments that exploiting this vulnerability would take ‘determined and very technologically sophisticated thieves’ seems to be minimizing the issue,” Clements said. “It’s similar to yelling your password across a room and hoping no one happens to be listening. Yes, someone has to be close enough to hear and then know what to do with it, but after that, it’s very simple to exploit.”

Clements predicts that replay attacks on remote keyless entry systems could “become massive over time.” Consequently, car owners must decide whether to proceed with the risk or trash the devices.

How to protect against replay attacks

The researchers advised vehicle manufacturers to implement rolling codes to prevent attackers from replaying unlock signals. This method ensures that a new code is used during each authentication request.

They also advised car owners to store their key fobs in signal-blocking Faraday pouches when not in use. However, a hacker could still capture the signals whenever the fob is used, and replay the commands to the car’s keyless entry system later.

Similarly, the researchers advised car manufacturers to implement Passive Keyless Entry (PKE) instead of Remote Keyless Entry (RKE) systems.
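The rolling-code recommendation above can be seen in a small simulation, added here as an illustration and not taken from the researchers or from Honda. It compares a receiver that accepts one fixed frame with one that requires an authenticated, strictly increasing counter; the frame layout, the HMAC-SHA256 tag (standing in for whatever cipher a real fob uses), the `WINDOW` value and all names are assumptions.

```python
import hashlib
import hmac
import os

WINDOW = 16  # assumed look-ahead so presses made out of the car's range still resync

def make_code(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: 4-byte counter + command, followed by an 8-byte truncated HMAC tag."""
    msg = counter.to_bytes(4, "big") + command
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """The behaviour the article describes: the same frame is valid every time."""
    def __init__(self, valid_frame: bytes):
        self.valid_frame = valid_frame

    def accept(self, frame: bytes) -> bool:
        return hmac.compare_digest(frame, self.valid_frame)

class RollingCodeReceiver:
    """Accepts a frame only if it is authentic and its counter has not been seen."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 13:  # 4-byte counter + at least 1 command byte + 8-byte tag
            return False
        msg, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, msg, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter = int.from_bytes(msg[:4], "big")
        if not (self.last_counter < counter <= self.last_counter + WINDOW):
            return False  # stale (already used) or implausibly far ahead
        self.last_counter = counter  # this counter and all earlier ones are now spent
        return True

def demo() -> dict:
    key = os.urandom(16)                 # constructed sample key shared by fob and car
    static_frame = b"UNLOCK-STATIC"      # constructed sample fixed code
    fixed, rolling = FixedCodeReceiver(static_frame), RollingCodeReceiver(key)
    first_press = make_code(key, 1, b"UNLOCK")
    return {
        "fixed_first": fixed.accept(static_frame),
        "fixed_same_frame_again": fixed.accept(static_frame),
        "rolling_first": rolling.accept(first_press),
        "rolling_same_frame_again": rolling.accept(first_press),
        "rolling_next_press": rolling.accept(make_code(key, 2, b"UNLOCK")),
    }
```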