Hackers say that they’ve found a new vulnerability on Honda vehicles that allows them to be unlocked and started. The list of vehicles affected includes models from 2012 until 2022 and it seems that the new hack is a way of getting around a previous security patch too.
If you’ve heard of the technology that allows a person to record a key fob signal and then replay it, this is different. In fact, it’s that vulnerability that led to a new type of fob code that’s always rolling to a new one. In theory, that should prevent someone from simply recording a code and replaying it, since each time it’s used, a new code rolls over the old one.
Now a group of hackers working for Star-V Lab says they have a workaround. They say that Honda vehicles made after 2012 allow for a new vulnerability allowing them to go back to one of those previously used codes and access the vehicle just the same. They can even start the engine and drive away.
Read More: Hackers Access GM Online Accounts, Some Personal Information Exposed
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
So, yes, it definitely works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ
— Rob Stumpf (@RobDrivesCars) July 10, 2022
After seeing the research released by one of the hackers who goes by the screen name Kevin2600 on Twitter, another user, RobDrivesCars, found that he could also recreate the vulnerability independently. Due to the way the vulnerability functions, it’s been dubbed Rolling PWN by its finders.
In the extensive report posted on Github, Kevin2600 details how this hack is different from the fixed-code hack and talks about how it might also apply to other brands. He suggests an update to the code to close the loophole but it seems as though Honda may believe that there’s nothing to worry about.
In a response to the folks over at Motherboard, a spokesperson wrote: “We’ve looked into past similar allegations and found them to lack substance. While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”
We’ll update this story as we learn more.
[embedded content]
Image Credit: Pierluigi Paganini on YouTube
