Honda said it has no plans to update its older vehicles after researchers released a proof-of-concept for CVE-2022-27254 – a replay vulnerability affecting the Remote Keyless System in Honda Civics made between 2016 and 2020.
Researchers released a detailed breakdown of the issue on GitHub, sharing multiple videos showing that the remote keyless system on various Honda vehicles sends the same, unencrypted radio frequency signal for each door-open, door-close, boot-open and remote start command. Cybersecurity researcher Ayyappan Rajesh discovered the vulnerability and worked with developer Blake Berry; his mentor, Cybereason chief security officer Sam Curry; and his professors Ruolin Zhou and Hong Liu from the University of Massachusetts Dartmouth.
“This vulnerability allows for an attacker to eavesdrop on the request and conduct a replay attack.” The researchers said Honda Civic models LX, EX, EX-L, Touring, Si and Type R are affected by the issue.
All a hacker would need to do is be nearby when a car owner uses their key fob and record the signal it transmits. Once recorded, it could be used to open the car or start it.
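The fixed-signal behaviour described above, modelled beside a receiver that checks an authenticated, increasing counter and so rejects a repeated frame. This is an added illustration, not the researchers' proof-of-concept or any Honda design; the frame bytes, key, class names and 16-press resynchronisation window are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from a real vehicle or fob.
FIXED_FRAME = b"\xaa\x55UNLOCK"         # static frame, identical on every press
SHARED_KEY = b"constructed-demo-key"    # hypothetical per-fob secret

def tag(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:8]

class FixedCodeReceiver:
    """Behaviour described above: the same static frame is always valid."""
    def accept(self, frame):
        return hmac.compare_digest(frame, FIXED_FRAME)

class CounterFob:
    """Hypothetical fob: authenticates a strictly increasing counter."""
    def __init__(self, key):
        self.key, self.counter = key, 0
    def press(self, command):
        self.counter += 1
        body = self.counter.to_bytes(4, "big") + command
        return body + tag(self.key, body)

class CounterReceiver:
    """Accepts a frame only if its tag verifies and its counter is fresh."""
    def __init__(self, key, window=16):
        self.key, self.last_seen, self.window = key, 0, window
    def accept(self, frame):
        if len(frame) < 13:                   # 4 counter + >=1 command + 8 tag
            return False
        body, mac = frame[:-8], frame[-8:]
        if not hmac.compare_digest(mac, tag(self.key, body)):
            return False                      # forged or corrupted frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last_seen < counter <= self.last_seen + self.window:
            return False                      # replayed, or too far out of sync
        self.last_seen = counter
        return True

def replay_outcomes():
    """Present one captured frame twice to each receiver; return 2nd results."""
    fixed = FixedCodeReceiver()
    fixed.accept(FIXED_FRAME)
    fob, rx = CounterFob(SHARED_KEY), CounterReceiver(SHARED_KEY)
    frame = fob.press(b"UNLOCK")
    rx.accept(frame)
    return {"fixed": fixed.accept(FIXED_FRAME), "counter": rx.accept(frame)}
```

The window bounds how many presses made out of range the receiver tolerates before the fob must be re-paired, which is the usability cost of rejecting stale counters.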
Researchers have long warned of these kinds of attacks and other similar vulnerabilities have been highlighted in the past. The NIST page for CVE-2022-27254 ties the issue to CVE-2019-20626, a similar vulnerability affecting Honda HR-V 2017 vehicles.
They noted that the precautions are not foolproof and that if anyone has already been a victim of the attack, the only mitigation is to have your key fob reset at the dealership.
Not a new discovery
When contacted about this issue, Honda spokesperson Chris Martin claimed it “is not a new discovery” and “doesn’t merit any further reporting.”
Martin confirmed that “legacy technology utilized by multiple automakers” may be vulnerable to “determined and very technologically sophisticated thieves.”
“Honda has not verified the information reported by researchers and cannot confirm if its vehicles are vulnerable to this type of attack. Honda has no plan to update older vehicles at this time,” Martin said.
“The surprise is that any major manufacturer would implement an insecure remote opening system. There are several theoretical attacks against current remote controls, some of which have been shown in proof-of-concept form,” Parkin said.
“This is on top of existing attacks against older remotes. The challenge is how Honda will deal with this issue, as there is no simple software fix for physical key fobs, and cars, that were never designed for this kind of firmware upgrade – if it is even software correctable.”
This latest vulnerability gives hackers indefinite access to control a specific car’s functionality.
As more and more devices add ‘smart’ functions, it’s inevitable that there will be vulnerabilities discovered that put those devices or data at risk. If there’s no patch available or, worse, not even a mechanism to patch, users will have to choose whether to remain at risk of exploitation or trash the vulnerable device, neither of which is an ideal situation.
Honda Sales:
Driven by the popularity of the all-new 11th-generation Civic, recently named the 2022 North American Car of the Year, the Honda Civic is the best-selling retail passenger car in the U.S. for the sixth year in a row. Civic has dominated the compact car segment for 12 consecutive years and in 2021, captured one in four retail sales in the category.
Since 2013, the Honda Civic has been the No. 1 vehicle among Millennial buyers.
It also has captured the most Gen Z buyers, first-time buyers, and multicultural buyers in the industry for the past six years.
Honda has sold nearly 2 million Civics in the U.S. since 2016 and the Civic is the No. 1 selling certified pre-owned car in America in each of the past three years.
For the full story concerning this security vulnerability, visit the TheRecord.media link below:
https://therecord.media/honda-downplays-vulnerability-allowing-hackers-to-lock-unlock-and-start-civics/?utm_campaign=cyber-daily&utm_medium=email&_hsmi=208171460&_hsenc=p2ANqtz-9nconGuNhhrPTeYIr_iL0nFJ2uP1gqUQNotzKQI6YocPLj4x6QoICXg7hYE_oKVVE8heeQw2XvnZUHaviaDKYPaeAaQg&utm_content=208171460&utm_source=hs_email#58163aa4baf3bb6569bd7f5683186c1f0f3ec524eebd8cfa49718cf0bdd3676f