New generation Honda cars can be stolen by wirelessly copying the access key

All a well-informed car thief has to do is stalk the desired car, copying the digital signature transmitted by the owner’s key.

The method is by no means new and works very well especially with older generation cars. The scheme is simple to put into practice: a car thief “armed” with the right device chooses the car he wants to steal and parks within the wireless connection radius (less than 30 metres), then waits for the owner’s return. Once the digital signature transmitted by the key in his possession has been retrieved, all that remains is to follow the desired vehicle until it is parked in a convenient location, then use the cloned “key” to gain access.

But with newer generation cars, one would expect that this type of attack would no longer work, with car manufacturers introducing new cryptographic technologies to make interception and duplication of the access code unnecessary.

At least in the case of the Honda manufacturer, the technical solution used appears to have been completely compromised, with hackers exploiting a vulnerability that again allows digital passkey duplication.

While vehicles vulnerable to this type of attack used static access codes, which once intercepted can be reused over and over again to gain access to the vehicle, newer car models use a system based on one-time use codes, which are constantly changing according to a predefined algorithm. But it is precisely this algorithm that is the new vulnerability, as anyone who manages to deconstruct the ‘cipher’ used can then extrapolate the unique code expected by the car.

Less sophisticated access systems do not even resort to algorithms, implementing only a predefined list of codes that are accepted in a certain order. Thus, all one has to do is obtain that list of codes and determine the last code transmitted by the owner’s key, then use the next code expected by the car’s computer. In fact, the system is even more vulnerable than that, as it is actually a “window of opportunity” covering several successive codes, to be used in the event that reception is hampered by radio connection problems and needs to be repeated.

Apparently, most recent-generation Honda cars use this vulnerable system, with disclosure of the code list in hacker circles making “work” easier for those in the trade. Basically, it only takes a single code from the owner’s key, and the opportunistic thief can even come back months later to try successive codes, starting from the initial code and ending with the sequence that unlocks the car.

Meanwhile, the attack method is demonstrated without much room for interpretation, using a 2021 Honda Accord and a programmable radio transmitter:

I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.

So, yes, it definitely works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ

– Rob Stumpf (@RobDrivesCars) July 10, 2022

The bad news is that Honda officials are still “trying” to determine if the reported problems are real. The even worse news is that the system comes tightly tied to the car’s hardware and can’t simply be upgraded, with the eventual mass recall of vulnerable cars involving complex interventions to safety systems that aren’t necessarily designed to be upgraded later.