Rolling Pwn Attack

A new security vulnerability has been discovered in Honda vehicles, which allows hackers to remotely open the car doors or even start the engine. The security hole, called Rolling-PWN, was discovered independently by two experts, Kevin2600 (Twitter user) and Wesley Li from Star-V Lab.

The Rolling-PWN attack (codenamed CVE-2021-46145) is a serious vulnerability, which takes advantage of a remote keyless entry system (RKE), which allows remote access to unlock the car door or start a vehicle from a long distance. According to the experts, the issue affects all Honda vehicles currently existing on the market, from the Year 2012 up to the Year 2022.

The Rolling-PWN issue exists in a vulnerable version of the mechanism of the rolling code, which is implemented in huge amounts of Honda vehicles.

“We found it in a vulnerable version of the rolling codes mechanism, which is implemented in huge amounts of Honda vehicles. A rolling code system in keyless entry systems is to prevent replay attack. After each keyfob button is pressed the rolling codes synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to avoid accidental key pressed by design,” reads the description of the Rolling Pwn Attack published on GitHub.

“By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will.”

Security researchers successfully tested the 10 most popular models of Honda vehicles with repeated codes from the Year 2012 up to the Year 2022 and found that the vulnerability specifically affects the below Honda models on the market.

  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda C-RV 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

The researchers also published a set of PoC videos, which shows how the rolling code mechanism was pwned. The videos also show that the experts were able to open the door repeatedly even after the keyfob was pressed multiple times.

Users who tested the Rolling-PWN bug posted their videos of opening several Hondas:

According to Kevin2600 and Wesley Li, since the exploitation does not leave any traces in traditional log files, it is not possible to determine if someone has exploited the flaw against a model.

What Is The Fix For The Rolling-PWN Bug?

Experts recommended that the common solution is for the automobile manufacturer to recall the affected cars and upgrade the vulnerable BCM firmware through Over-the-Air (OTA) Updates. However, some old vehicles may not support OTA.

The researchers tried to notify Honda of the vulnerability but could not find any contact info to report security-related issues for their products. Therefore, they filed a report to Honda Customer service, but we have not received any reply yet.

Reacting to the Rolling-PWN report, a spokesperson for Honda told Vice in a statement that “While we don’t yet have enough information to determine if this report is credible, the key fobs in the referenced vehicles are equipped with rolling code technology that would not allow the vulnerability as represented in the report. In addition, the videos offered as evidence of the absence of rolling code do not include sufficient evidence to support the claims.”

This is not the first time that Honda’s line of vehicles was found with access vulnerabilities. In March this year, researchers discovered a vulnerability (CVE-2022-27254) in its remote keyless system where RF signals could be interrupted and manipulated for later use.