Rolling-Pwn: Wireless rolling code security completely defeated on all Honda vehicles since 2012
Back in May we posted about CVE-2022-27254 where university student researchers discovered that the wireless locking system on several Honda vehicles was vulnerable to simple RF replay attacks. A replay attack is when a wireless signal such as a door unlock signal is recorded, and then played back at a later time with a device like a HackRF SDR. This vulnerability only affected 2016-2020 Honda Civic vehicles which came without rolling code security.
Recently a new vulnerability discovered by @kevin2600 that affects ALL Honda vehicles currently on the market (2012-2022) has been disclosed. The vulnerability is dubbed 'Rolling-PWN' (CVE-2021-46145, not to be confused with the earlier CVE-2022-27254 replay attack) and, as the name suggests, it describes a method for defeating the rolling code security that exists on most Honda vehicles. Rolling code security is designed to prevent simple replay attacks, and is implemented on most modern vehicles with wireless keyfobs. However, @kevin2600 describes the following vulnerability:
A rolling code system in keyless entry systems is there to prevent replay attacks. After each keyfob button press, the rolling code's synchronizing counter is increased. However, the vehicle receiver will accept a sliding window of codes, to tolerate accidental key presses by design. By sending the commands in a consecutive sequence to the Honda vehicles, it will resynchronize the counter. Once the counter is resynced, commands from the previous cycle of the counter work again. Therefore, those commands can be used later to unlock the car at will.
The vulnerability has been tested on various Honda vehicles with HackRF SDRs, and this seems to indicate that all Honda vehicles since 2012 are vulnerable.
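To make the mechanism in the quote above concrete, here is an added toy model written for this post. It is not code from @kevin2600, Honda, or any real keyfob protocol: the HMAC tag standing in for the fob's cipher, the window size, the two-consecutive-codes resync rule and the shared key are all assumptions chosen for illustration. It shows a receiver that accepts a sliding window of counters and resynchronises on two consecutive out-of-window codes. When the resync search is allowed to move the counter backwards, replaying a captured run of consecutive presses drags the counter back and makes the rest of the capture valid again; a receiver that only ever moves the counter forward rejects the same replay.

```python
import hashlib
import hmac

# Constructed demo secret shared by fob and receiver. Real systems keep this in
# the fob and the vehicle's body control module; it is NOT a real vehicle key.
SHARED_KEY = b"demo-fob-key-not-a-real-vehicle-key"
WINDOW = 16            # sliding window: how far ahead of the last-seen counter a code may be
RESYNC_SPAN = 1 << 12  # how far the resync search is willing to look (assumed value)


def rolling_code(counter: int, cmd: str) -> bytes:
    """Tag for (counter, cmd). The attacker never forges these, only replays them."""
    msg = counter.to_bytes(4, "big") + cmd.encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()[:8]


class Fob:
    def __init__(self) -> None:
        self.counter = 0

    def press(self, cmd: str) -> tuple[str, bytes]:
        self.counter += 1
        return cmd, rolling_code(self.counter, cmd)


class Receiver:
    """Sliding-window receiver with a consecutive-code resync path.

    allow_rollback=True models the behaviour quoted above: a run of consecutive
    codes resynchronises the counter even to a value below the one already
    seen. allow_rollback=False only ever moves the counter forward.
    """

    def __init__(self, allow_rollback: bool) -> None:
        self.last = 0
        self.allow_rollback = allow_rollback
        self.pending = None  # counter of the last out-of-window code, if any

    def _match(self, cmd: str, code: bytes, lo: int, hi: int):
        for c in range(lo, hi):
            if hmac.compare_digest(rolling_code(c, cmd), code):
                return c
        return None

    def receive(self, cmd: str, code: bytes) -> bool:
        # 1. Normal path: the code must be ahead of `last` and inside the window.
        c = self._match(cmd, code, self.last + 1, self.last + WINDOW + 1)
        if c is not None:
            self.last, self.pending = c, None
            return True
        # 2. Resync path. The vulnerable receiver searches from counter 1, so old
        #    codes can resync it backwards; the hardened one only looks ahead.
        lo = 1 if self.allow_rollback else self.last + WINDOW + 1
        c = self._match(cmd, code, lo, lo + RESYNC_SPAN)
        if c is None:
            return False
        if self.pending is not None and c == self.pending + 1:
            self.last, self.pending = c, None  # two consecutive codes: accept and resync
            return True
        self.pending = c
        return False


def run_attack(allow_rollback: bool) -> tuple[bool, bool, bool]:
    """Returns (lone replay accepted, resync run accepted, later captured code accepted)."""
    fob, car = Fob(), Receiver(allow_rollback)
    # Attacker records a short run of the owner's presses (counters 1..4) with an SDR.
    captured = [fob.press(cmd) for cmd in ("lock", "unlock", "lock", "unlock")]
    for cmd, code in captured:
        car.receive(cmd, code)  # the owner's own presses are accepted normally
    # The owner keeps using the fob; the receiver's counter moves far past the capture.
    for _ in range(100):
        car.receive(*fob.press("lock"))
    lone_replay = car.receive(*captured[3])  # a single stale code: rejected by both receivers
    # Rolling-PWN step: replay the captured run in order to drag the counter back.
    first = car.receive(*captured[0])
    resync = first or car.receive(*captured[1])
    # Once resynced, the remaining captured codes fall inside the window again.
    car.receive(*captured[2])
    unlock = car.receive(*captured[3])
    return lone_replay, resync, unlock


if __name__ == "__main__":
    print("rollback allowed :", run_attack(True))   # (False, True, True)
    print("forward-only     :", run_attack(False))  # (False, False, False)
```

Note that the tag itself is never broken: a lone stale code is rejected by both receivers, which is exactly what rolling codes are meant to achieve. What the replayed run exploits is the receiver's resync policy, so the relevant property to check on a real unit is whether any sequence of codes can ever move its accepted counter to a value at or below the last one it accepted.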
Although no tools have been released, the vulnerability is simple enough and we've already seen people replicate results.
I was able to replicate the Rolling Pwn exploit using two different key captures from two different times.
— Rob Stumpf (@RobDrivesCars) July 10, 2022
So, yes, it definitely works. https://t.co/ZenCB3vX5z pic.twitter.com/RBAO7ZtlXZ
The story of Rolling-Pwn has already been covered by magazines and news organizations such as TheDrive, Vice, NYPost, and FoxLA.
It should be noted that when the previous replay attack vulnerability was highlighted, Honda released a statement noting that it has no plans to update its older vehicles. It is likely that Honda will not issue updates for this vulnerability either. It is possible that this vulnerability extends beyond just Honda vehicles too.
I just contacted Honda about this issue and they have no plans to resolve this. I contacted just about every news outlet I could. Hopefully this will rattle enough of these people to actually get something done.
I have some friends at Honda. Sounds like it is not possible to correct the problem in software. Therefore, the only solution would be recalling entire modules and fobs and replacing them. The cost of this would be astronomical, and the NHTSA in the USA would not force a recall due to this not being a highway safety issue. Not sure if it would be handled any differently in other markets. Therefore, they have zero incentive to correct the issue and believe that the impact on sales will be minimal. The argument for vehicles older than 5-7 years is that they are already past their expected lifespan and there is no reason to address those vehicles. Very interesting.
Looks like this kevin guy is taking credit for someone else’s work. This exploit was documented long before he was talking about it, and the apparent original creator has pulled his code from github in protest. Looks like the originator of the exploit was “HackingIntoYourHeart” @ github, with code created more than a year ago. This kevin guy then took this work, made it public, and used it to get professional clout, which is pretty disgusting. Admin, I’d take this kevin guy out of the writeup completely, or at least mention that the exploit came from someone else. Those who take credit for others work deserve nothing more than a rope with a noose at the end.
This is a different exploit and as far as I’m aware Kevin is the one who discovered this new one.
HackingIntoYourHeart’s one showed a simple replay attack that works with some specific Honda models that don’t use rolling code security.
But Kevin’s one shows a slightly more sophisticated method that works on all models including those with rolling code security.
I’m going to dig into this a little more and verify but it appears there is no rolling code and this new group may be calling it a rolling code to try and disguise the fact that they are doing the same thing as “HackingIntoYourHeart”. The original hacker also calls it a rolling code, but you are correct that the replay attack is just that – A replay – It appears that you can simply re-sync the car using the captured portion of the rolling code and replace with bytes modified for other functions. It looks extremely likely that this is what the new guys are doing as well; Even if they weren’t, it would be rather disgusting if they were aware of the originators work and decided not to mention him. I’ll let you know what I find out.
Kevin explains the difference on the rolling-pwn website, and does reference the previously found vulnerability. It’s a bit confusing because HackingIntoYourHeart seems to imply that no Honda vehicles have rolling codes, but from Kevin it seems like a large amount actually do have rolling code security. Maybe keyfob implementation differences in country specific models?
I’m not sure what drama happened on the Unoriginal-Rice-Patty GitHub, but I don’t think it’s related to Kevins work. Guessing something to do with https://github.com/nonamecoder/CVE-2022-27254 vs https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patty
He clarified in a different post, they all use a form of rolling code security, but it is still vulnerable to replay attacks which makes it the worst rolling code algorithm I’ve ever heard of? The very point behind rolling code algorithms was to prevent this. I’m super interested now and going to start tearing into my Honda just out of curiosity.
Anyway, this kevin guy is confirmed out of china, so that pretty much guarantees he stole the idea anyway. A damn shame, but that’s the way things are nowadays. I fully understand it’s a cultural issue and chinese culture encourages theft of ideas and property, but that doesn’t make it any less wrong in the rest of the world. I also realize this means that there is no way you could convince someone from this culture that they should give credit where credit is due. It is what it is, as they say.
Where is the other discussion?
Unoriginal-Rice-Patty states “Honda does NOT ever institute a rolling code system and ONLY manufactures systems with static codes meaning there is NO layer of security.”. So whatever cars HackingIntoYourHeart was testing on clearly have only static codes, and no rolling code.
I think Kevin deserves credit for his finding.
Admin please remove these comments as DoctorStrange has clearly outed themselves as a racist and bigot.
His comments attack the author and then later, after he has to put his tail between his legs, double down on his baseless statements of plagiarism.
He should get a ban hammer.
Agreed. “this kevin guy is confirmed out of china, so that pretty much guarantees he stole the idea anyway” – That’s a nasty generalisation Man!
Guys, I don’t have time to summarize my findings right now, but accusing me of being a “racist and a bigot” for saying what I said pretty much outs you as a paid chinese communist party troll. The comment about china is not racist nor “bigoted”, it is simple fact and anyone who has worked as an engineer over the past 2 decades is painfully aware of that fact. I work with engineers of all nationalities and we are all friends and all respect each other. I’m sorry that you haven’t gotten out into the real world yet and started creating things, but give it time and you will learn the same lesson about piracy from the country of china. On many projects, the amount of time spent on protecting a design and thwarting chinese piracy approaches the amount of time spent doing the base design itself. It has gotten quite ridiculous, and has gotten worse as time goes on, not better, because the chinese firms/companies/etc who do the copying have gotten better at cracking their way into every single uC. Now maybe you paid trolls should go back to commenting on youtube videos and stalking and harassing chinese expats who have fled to the USA.
Definition of a Bigot: “a person who is obstinately or unreasonably attached to a belief, opinion, or faction, especially one who is prejudiced against or antagonistic toward a person or people on the basis of their membership of a particular group.” -Oxford English Dictionary. Literally what you are saying. You feel that because he’s Chinese he stole the work! Let’s break this down for you with the definition of Bigot:
– “a person” :: I will make the assumption that you are, in-fact, a person.
– “who is obstinately” :: You’ve stated multiple times that you are correct without regard for others’ opinions.
– “or unreasonably” :: We can Ignore this as you’ve qualified for “obstinately”.
– “attached to a belief” :: you are attached as per your statement, “it is simple fact and anyone who has worked as an engineer over the past 2 decades …” to this belief despite its broad and general nature.
– “opinion, or faction” :: you must understand this is not fact but an opinion. Red is red but liking the color red is an opinion. Kevin being Chinese is a fact, not thinking he can do his own work because he’s Chinese is an opinion.
– “especially one who is prejudiced against” :: You are clearly prejudiced since you’ve been an engineer over the past 2 decades.
– “or antagonistic” :: This thread is antagonistic…
– “towards a person” :: Kevin is also a person.
– “or people” :: Chinese are people
– “on the basis of their membership of a particular group” :: In this case Kevin’s membership in the Chinese group.
I hope this helps you understand where the term Bigot applies in your situation. Even if I was a paid comrade of the Great Chinese Communist party, this doesn’t negate that you are in-fact a MASSIVE BIGOT.
Robert,
It’s really sad that you go right to identity politics like this. The kevin guy is not part of the “chinese group”, he is in china. Even in the USA, we are seeing news articles on a weekly to monthly basis about theft of intellectual property by chinese nationals residing in our country. The problem is well known. It is a cultural issue that will take a very long time to correct as chinese culture encourages this behavior, it does not discourage it. There is nothing “bigoted” about pointing this out; It is a simple fact, and I say it without malice or hate – If I had a chinese friend in the USA who thought this way, I would take the approach of a caring friend and help him see why it is wrong, and that alone is proof that I am not a “bigot”. Most of us engineers who have to deal with the chinese problem have no malice towards chinese people (even the ones in china!) even after decades of dealing with this – we simply sigh and hope that in time, their culture changes for the better. They are people just like us. Try to imagine what it is like to grow up in a culture that encourages this type of behavior! You would see nothing wrong with it. That does not excuse your behavior if you steal someone’s idea, but it definitely should afford you some patience from people who know better. The only way to address the problem is to be frank and to the point, and address the problem “head on”. You and your “you’re a bigot!” thought process does nothing to help the problem – In fact, your way of approaching this only makes it worse, and that is disrespectful towards chinese people in general. You should never be afraid to point out problems and faults of others in a pragmatic way, in a way that serves to make them aware of the problem and what they are doing wrong. It sounds like you may be a subscriber to this new “woke” culture, and I think you need to take a step back, become introspective, and look at how ridiculous you sound when you jump to these wild accusations. 
I would posit that the only bigot in this entire conversation, including all the other commenters, is you.
This bigot comment is so funny, especially the “obstinately or unreasonably attached to a belief, opinion, or faction” part – This means that all these people still wearing masks are bigots, since they obstinately and unreasonably believe that masks can prevent the transmission of covid? LOL
I have a Honda and I am not overly concerned about this.
All they could do is open the door or start the car (but not drive off with it) and a brick will do pretty much the same thing and works on all brands.
I just can’t see roving bands of ‘youts’ carrying transmitter capable SDRs.
However, If I had a Kia or Hyundai, which can be started and driven away with a USB-A cable, I would be much more concerned.
What if you have full trunk of stuff and stop by for quick shop or restroom and come back to see all your stuff is gone (laptop, camera, personal/work stuff)??
If you are in many of the large (i.e. “blue”) cities in the USA, you have a near 100% chance of getting your car broken into if it looks like a rental, or you look like a businessman. I am absolutely sick to death of it. If you want to see what I am talking about, go to the SF bay area, look like you work in the area, and park your car in the middle of a restaurant or plaza parking lot and give it an hour or so. The security guards you see in the parking lot are a decoration, don’t expect them to affect the outcome. Leave an empty backpack on the floor of the car and it will be gone in minutes sometimes. In these cases, the only thing I know of that works really well is having one of these hardened storage cases in your trunk. Looks sort of like those tool boxes that guys put on the back of pickups, uses a stout lock, bolted to the unibody. However, if the car is a Kia (as mentioned above), or other easily stolen vehicle, then securing something inside the car is a moot point.