Is your Honda key fob vulnerable to hackers? Here's what you should know.
You have to give car thieves this much credit: They're always innovating.
By wirelessly stealing command codes from key fobs in a move called the "Rolling Pwn attack," hackers have been able to unlock and start Honda vehicles, report ITSecurityGuru.com and automotive site TheDrive.com.
Each time you press a button on your key fob, a pseudorandom number generator (PRNG) sends a semi-random code to the vehicle, giving it a command to, say, unlock the doors or open the lift gate. The car then checks that code against a list of valid codes; and if it's legit, it carries out the command. It is also supposed to invalidate previous codes to keep bad actors from reusing them.
Police warning: Rise in car thefts in Kias, Hyundais caused by possible design flaw
In the case of Hondas, Chris Naughton, a spokesman for the automaker, explained, "hackers who have successfully captured multiple sequential RF transmission (which is only possible when they are in close proximity) resynchronize the number generator, keeping the codes valid and enabling them to unlock the car at a later date."
TheDrive's Rob Stumpf, who successfully used the Rolling Pwn to hack his own 2021 Accord with a software-defined radio, reported, "Yes, it definitely works."
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
So, yes, it definitely works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ— Rob Stumpf (@RobDrivesCars) July 10, 2022
Honda: Trick 'cannot be used to drive the vehicle away'
Honda has acknowledged the problem but disputes what a hacker can do with the codes.
"We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles of ours," Naughton said.
"However while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away," he stressed.
Ford expands SUV recall: Carmaker asks owners to park affected vehicles outside
Which cars are vulnerable?
Out of the list of 11 vehicles reported as vulnerable by TheDrive, Naughton confirmed the following models are susceptible:
2012 Honda Civic
2020 Honda CR-V
2020 Honda Accord
2020 Honda Odyssey
2021 Honda Accord
Naughton confirmed that some Acuras are vulnerable as well but said that "all completely redesigned 2022 and 2023 model year vehicles have an improved keyless remote system."
The newer system, he said, "transmits codes that immediately expire, which would prevent this type of attack from being successful."
Models with the newer, more secure keyless entry system include the 2022 Civic, 2023 HR-V, 2022 Acura MDX and 2023 Acura Integra.
This article originally appeared on USA TODAY: Honda key fobs may be vulnerable to hackers: What you need to know
