A new proof-of-concept (PoC) code shows that attackers can remotely lock, unlock, and start Honda and Acura vehicles. This is possible due to a vulnerability in the remote keyless system, CVE-2022-27254, that impacts Honda Civic LX, EX, EX-L, Touring, Si, and Type R models manufactured between 2016 and 2020.
CVE-2022-27254 in the remote keyless system of Honda and Acura
According to NVD’s description of the security flaw, the remote keyless system on Honda Civic 2018 vehicles sends the same RF signal for each door-open request, allowing for the so-called replay attack.
The vulnerability disclosure has been attributed to Ayyappan Rajesh, a student at UMass Dartmouth, and Blake Berry, known as HackingIntoYourHeart.
According to their GitHub write-up, the attack based on CVE-2022-27254 seems to affect EVERY Honda/Acura vehicle with remote or wireless radio entry. “Honda does NOT ever institute a rolling code system and ONLY manufactures systems with static codes meaning there is NO layer of security,” the researchers said.
The attack makes it possible for a hacker to gain “complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle.” The only way to prevent the attack is to either never use your fob or, after being compromised (which would be hard to establish), resetting your fob at a dealership.
How can an attack be triggered?
The only thing needed is capturing the signal sent from the so-called key fob. A key fob is a small remote control device for a remote keyless entry system.
“If the target locks their vehicle, all it takes is receiving it and saving it for me to gain the ability to replay the same command and have the vehicle respond accordingly,” the researchers said.
How did the vehicle manufacturers respond?
Reportedly, Honda ignored the vulnerability report, with zero security measures against this very simple “replay/replay and edit” attack. “This CVE interestingly only cites one vehicle and I only discovered this much later in my pursuit for research.” Moreover, Honda will not respond to the researchers, or seemingly anyone attempting to report this major security vulnerability, according to the GitHub post.