Honda Bug gives access to your Vehicles
March 28th, 2022 - Written By CyberLabs
Can hackers access your vehicle?
Selected Honda and Acura car models have been affected with a recent vulnerability that was discovered by researchers. According to what they’ve what the threat does is known as a “replay attack” where it lets hackers unlock your vehicle and even start the engine from a short distance. The advancement of technology is as such that this attack gets cybercriminals capturing the RF signals sent from the key fob to the vehicle and resending the signals to take control of the vehicle’s remote keyless entry system. According to the research, the vulnerability remains largely unfixed in older models and versions. However, Honda owners may have a way out of this to protect themselves. This replay attack or tracked as CVE-2022-27254, is a Man-in-the-Middle (MitM) attack. The researchers recognized, with discovering the vulnerability are computer scientist Blake Berry, and researcher Ayyappan Rajesh.
This is not the 1st time that such a flaw has been reported in vehicles either. In 2020, Berry reported a similar flaw (CVE-2019-20626) affecting the below Honda and Acura models but alleged that Honda ignored his report and “continued to implement security measures against this very simple ‘replay/replay and edit’ attack.”
- 2009 Acura TSX
- 2016 Honda Accord V6 Touring Sedan
- 2017 Honda HR-V (CVE-2019-20626)
- 2018 Honda Civic Hatchback
- 2020 Honda Civic LX
Honda stated that multiple automakers use legacy technology for implementing remote lock-unlock functionality, and as such may be vulnerable to “determined and very technologically sophisticated thieves.” “At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby.” With that being said Honda has also stated that they don’t have any plans of updating older vehicles at the moment.
A suggestion made by the researchers is for you to opt for Passive Keyless Entry (PKE) as opposed to Remote Keyless Entry (RKE), which would make it “significantly harder for a threat actor to clone/read the signal due to the proximity they would need to be at to do so.” “If you believe that you are a victim of this attack, the only current mitigation is to reset your key fob at the dealership,” said the researchers.
