Honda, The Power of Dreams And Rolling Code Implementations

Source: Hackaday, “Honda, The Power of Dreams And Rolling Code Implementations”

Hope You Don’t Have A Honda … Alternatively; What’s A Security Department?

10 out of 10 tested Honda models agree: anyone can remotely unlock or start them if they just keep trying, and Honda doesn’t seem to plan to do anything about it. The researcher who discovered this vulnerability tried to contact Honda’s security department before releasing their process, but found that no such entity exists to be contacted. They then tried regular customer support services, but after several weeks without a response they felt they needed to let the world know.

The problem lies in how Honda set up their remote access fobs, which are used to unlock and start their cars. The signals sent can be eavesdropped on with a software-defined radio on an SBC like a Raspberry Pi, and the codes captured. To verify the authenticity of the fob sending the signal, the system also uses a synchronization counter, which needs to match the one on the receiver in the car. Unfortunately, after capturing enough pairing signals, and taking advantage of the way Honda ensures accidental keypresses do not unsync the fob from the car, an attacker is able to reset that sync counter.

At that point the attacker knows both the sync counter’s value for the receiver and at least one valid code which grants the ability to remotely unlock and start the car. All they need to do is send the code they captured on a loop until the sync counter matches what it should be for the known unlock code to get access to the car.

The only good news is that the captured code will only work once, which is not much comfort to someone watching their car drive away without them. An attacker could also simply repeat the process from scratch to regain access to that same vehicle.
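The counter handling described above can be seen in a small receiver model that shows the resync flaw beside a receiver whose counter only moves forward. This is an added example, not code from the researcher, Hackaday or Honda; the HMAC code generator, the 16-step window and the three-code resync run are assumptions chosen for illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed secret, not a real fob key
WINDOW = 16                    # assumed look-ahead for accidental keypresses
RESYNC_RUN = 3                 # assumed run length that triggers a resync

def code_for(counter: int) -> bytes:
    """Rolling code for one counter value (HMAC stands in for the fob cipher)."""
    return hmac.new(KEY, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]

class Receiver:
    """Toy car-side receiver; accept_old_runs=True models the resync flaw."""

    def __init__(self, accept_old_runs: bool):
        self.counter = 0       # last counter value accepted
        self.accept_old_runs = accept_old_runs
        self.run = []          # consecutive stale counters seen in a row

    def _find(self, code: bytes, lo: int, hi: int):
        for c in range(lo, hi + 1):
            if hmac.compare_digest(code, code_for(c)):
                return c
        return None

    def receive(self, code: bytes) -> bool:
        # Normal path: only codes ahead of the counter, inside the window.
        ahead = self._find(code, self.counter + 1, self.counter + WINDOW)
        if ahead is not None:
            self.counter, self.run = ahead, []
            return True
        stale = self._find(code, 1, self.counter)
        if stale is not None and self.accept_old_runs:
            consecutive = bool(self.run) and stale == self.run[-1] + 1
            self.run = self.run + [stale] if consecutive else [stale]
            if len(self.run) >= RESYNC_RUN:
                # Flaw: counter moves backwards, so used codes become valid again.
                self.counter, self.run = stale, []
        return False

def replay_unlocks(accept_old_runs: bool) -> bool:
    """Use five codes legitimately, then replay the same five in order."""
    rx = Receiver(accept_old_runs)
    used = [code_for(c) for c in range(1, 6)]
    assert all(rx.receive(code) for code in used)    # counter is now 5
    return any([rx.receive(code) for code in used])  # every code is stale here
```

With `accept_old_runs=False` the stale codes are recognised and dropped, so the counter never moves backwards and the replay fails.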

Honda cars have been found to be severely vulnerable to a newly published Rolling PWN attack, letting you remotely open the car doors or even start the engine. So far it’s only been proven on Hondas, but ten out of ten models that [kevin2600] tested were vulnerable, leading him to conclude that all Honda vehicles on the market can probably be opened in this way.


About The Author

Jeremy Hellstrom

Call it K7M.com, AMDMB.com, or PC Perspective, Jeremy has been hanging out and then working with the gang here for years. Apart from the front page you might find him on the BOINC Forums or possibly the Fraggin' Frogs if he has the time.
