A Rolling-PWN Attack Vulnerability Leads to Unlock or Start Vehicles Remotely — CVE-2022–27254

Introduction

Modern vehicles are often equipped with a remote keyless entry (RKE) system. These RKE systems allow unlocking or starting the vehicle remotely. The goal of our research was to evaluate the resistance of a modern-day RKE system. Our research disclosed a Rolling-PWN attack vulnerability affecting all Honda vehicles currently on the market (from the year 2012 up to the year 2022). This weakness allows anyone to permanently open the car door, or even start the car engine, from a long distance.

The Rolling-PWN bug is a serious vulnerability. We found it in a vulnerable version of the rolling code mechanism, which is implemented in a huge number of Honda vehicles. The rolling code system in a keyless entry system exists to prevent replay attacks: each time a keyfob button is pressed, the rolling code's synchronizing counter is increased, and the vehicle should reject any code it has already seen. However, the vehicle receiver accepts a sliding window of codes, by design, so that accidental key presses out of the vehicle's range do not desynchronize the fob. By sending commands to the Honda vehicle in a consecutive sequence, the receiver is made to resynchronize its counter. Once the counter is resynchronized, commands from a previous cycle of the counter work again. Therefore, those previously observed commands can be used later to unlock the car at will.
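To make the counter policy concrete, here is an added simulation (not code from the Rolling-PWN researchers, nor any Honda implementation): a receiver with a sliding window and a two-frame resynchronization step, in a vulnerable variant that lets a resync move the counter backwards and a hardened variant that enforces a monotonic counter. The frame format, key and window size are constructed for the demo; the check a hardened receiver performs is the point.

```python
import hmac
import hashlib

# Constructed demo key; a real fob shares a per-vehicle secret with the receiver.
KEY = b"constructed-demo-key"

def fob_message(counter: int) -> bytes:
    """Simplified rolling-code frame: 4-byte counter || 8-byte MAC over it.
    Stands in for the cipher a real fob uses; only the counter policy matters here."""
    ctr = counter.to_bytes(4, "big")
    return ctr + hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]

class Receiver:
    """Receiver with a sliding window and a consecutive-pair resynchronization step."""
    def __init__(self, window: int = 16, monotonic: bool = True):
        self.counter = 0            # highest counter accepted so far
        self.window = window
        self.monotonic = monotonic  # hardened: a resync may never move the counter back
        self.pending = None         # counter of a lone out-of-window frame, if any

    def accept(self, frame: bytes) -> bool:
        ctr, mac = frame[:4], frame[4:]
        expected = hmac.new(KEY, ctr, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(expected, mac):
            return False                            # forged or corrupted frame
        n = int.from_bytes(ctr, "big")
        if self.counter < n <= self.counter + self.window:
            self.counter, self.pending = n, None    # normal press inside the window
            return True
        # Out of window: accept only a consecutive pair (resync after lost presses).
        if self.pending is not None and n == self.pending + 1:
            self.pending = None
            if self.monotonic and n <= self.counter:
                return False   # hardened receiver: resync only moves the counter forward
            self.counter = n   # vulnerable receiver: counter rolls back to an old value
            return True
        self.pending = n
        return False

def replay_after_resync(monotonic: bool) -> bool:
    """Does a receiver with this policy accept a replayed old frame? (simulation)"""
    rx = Receiver(monotonic=monotonic)
    for c in range(1, 101):                 # owner uses the fob 100 times
        assert rx.accept(fob_message(c))
    old = [fob_message(c) for c in (20, 21, 22)]   # frames observed during those presses
    rx.accept(old[0]); rx.accept(old[1])           # consecutive pair triggers the resync
    return rx.accept(old[2])                        # an old frame after the resync
```

A receiver that only ever moves its counter forward still tolerates lost presses inside the window but cannot be rolled back to a cycle an eavesdropper has already seen.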

Can you show Rolling-PWN in action?

We have successfully tested the 10 most popular Honda models from the year 2012 up to the year 2022 from the attacker's perspective. Therefore, we strongly believe the vulnerability affects all Honda vehicles currently on the market.

  • Honda Civic 2012
  • Honda XR-V 2018
  • Honda CR-V 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

Please see the demo videos down below. Note that even if the keyfob is pressed multiple times in between, we can still open the door repeatedly, meaning the rolling code mechanism has been pwned.

Why is it called Rolling-PWN and not Honda-PWN?

Because this bug may exist in other brands of vehicles too ;)

Who found the Rolling-PWN Bug?

Security researchers Kevin2600 and Wesley Li from Star-V Lab independently discovered this bug.

Am I affected by the bug?

Any Honda vehicle running the vulnerable version can be abused for as long as it remains in use.

Is there an assigned CVE for Rolling-PWN?

CVE-2021-46145 is the official reference to this bug. CVE (Common Vulnerabilities and Exposures) is the standard for information security vulnerability names maintained by MITRE.

Can I detect if someone has exploited this against me?

Probably not. The exploitation does not leave any traces in traditional log files. But considering the ease of exploitation and the fact that attacks leave no trace, this threat should be taken seriously.

Is this a Honda vehicle only Bug?

No. Although the main target of our research was Honda automobiles, we have leads showing that the impact of this vulnerability also applies to other car manufacturers. We will release more details in the future.

Is the risk real?

We have successfully tested the latest models of Honda vehicles, and we strongly believe the vulnerability affects all Honda vehicles currently on the market. Please see the field test video down below.

What makes this bug unique, or what is the difference between CVE-2022-27254 and CVE-2019-20626?

During the research, we noticed that other researchers had found similar vulnerabilities in Honda vehicles, described as follows: “The remote keyless system on Honda HR-V 2017 vehicles sends the same RF signal for each door-open request, which might allow a replay attack”. What they found is a FIXED CODE vulnerability, meaning that an attacker can record the transmission in advance and replay it later to cause the car door to lock or unlock.

However, most modern vehicles, including Honda automobiles, implement a proprietary rolling code mechanism, which prevents fixed code replay attacks like CVE-2022-27254. The bug we discovered concerns a design flaw in the rolling code mechanism itself from Honda Motors, which needs to be taken very seriously.

GitHub link: https://github.com/nonamecoder/CVE-2022-27254

Is there more technical information about Rolling-PWN?

You can follow the author on Twitter [@kevin2600]. However, we will not be releasing any tools that would allow someone to go out and steal the affected vehicles. At a later stage, we will release technical information in order to encourage more researchers to get involved in car security research.

How can a modern automobile be patched against a Rolling-PWN bug like this?

The common solution requires bringing the vehicle back to a local dealership as part of a recall. The recommended mitigation strategy, however, is to upgrade the vulnerable BCM (body control module) firmware through Over-the-Air (OTA) updates where feasible. Some older vehicles may not support OTA.

What does Honda think about this Rolling-PWN Bug?

We have searched through the Honda official website, but we could not find any contact info for reporting a vulnerability. It seems Honda Motor DOES NOT have a department to deal with security-related issues in their products. A person who works at HONDA told us, “The best way to report the Honda vulnerability is to contact customer service”. Therefore, we filed a report with Honda customer service, but we have not gotten any reply yet.

In addition, we found an article from Bleeping Computer which seems to show that Honda does not care about security issues anyway :(

Source: This article is not our own work; we are just reposting content related to pentesting, IoT hacking, web application pentesting and iOS pentesting, so all credit goes to the respective owners.

https://rollingpwn.github.io/rolling-pwn/

Originally published at https://tutorialboy24.blogspot.com

TutorialBoy