The Rolling Pwn attack, which two researchers have described in detail, allowed them to remotely unlock and start select Honda automobiles from the 2012 through 2022 model years. The vulnerability affects Honda’s keyless entry technology, which uses rolling codes to guard against unauthorized entry into the car. Every time the driver presses a button on the key fob, the rolling code system generates a fresh code, so a potential burglar cannot enter the car using an old one. This means that even if attackers used a replay device to intercept a signal from the key fob, they would not be able to reuse it.
However, according to the research, Honda’s technology is set up in a way that makes it possible for someone to intercept rolling codes from remote keyless entry fobs from over 100 feet away and then use those intercepted codes to access the vehicle. Once the rolling codes have been synced, the attackers can replay them to unlock the vehicle and start the engine. Additionally, it is claimed that the recycled rolling codes can be used repeatedly without losing validity over time.
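The property a rolling-code receiver is supposed to enforce, and that the research says does not hold here, is that its counter only ever moves forward. The following is an added example, not code from the researchers or from Honda: a generic receiver model that assumes each frame is a 4-byte counter plus a truncated HMAC-SHA256 tag, with a constructed key and an assumed look-ahead window of 16 presses.

```python
import hashlib
import hmac

WINDOW = 16  # assumed look-ahead: missed fob presses the receiver tolerates


def fob_code(key: bytes, counter: int) -> bytes:
    """Frame the fob sends for one press: 4-byte counter + 8-byte HMAC tag."""
    msg = counter.to_bytes(4, "big")
    return msg + hmac.new(key, msg, hashlib.sha256).digest()[:8]


class Receiver:
    """Car-side verifier whose counter is strictly monotonic."""

    def __init__(self, key: bytes):
        self.key = key
        self.last = 0  # highest counter accepted so far

    def accept(self, frame: bytes) -> bool:
        if len(frame) != 12:
            return False
        counter = int.from_bytes(frame[:4], "big")
        if not hmac.compare_digest(frame, fob_code(self.key, counter)):
            return False  # forged or corrupted frame
        if counter <= self.last:
            return False  # already-used code: never roll the counter back
        if counter > self.last + WINDOW:
            return False  # too far ahead: requires explicit re-pairing
        self.last = counter
        return True


def demo() -> list:
    key = b"constructed-demo-key"  # constructed sample value
    car = Receiver(key)
    recorded = [fob_code(key, c) for c in (1, 2, 3)]  # frames seen on the air
    results = [car.accept(f) for f in recorded]       # legitimate presses
    results.append(car.accept(fob_code(key, 4)))      # next legitimate press
    results += [car.accept(f) for f in recorded]      # same frames sent again
    results.append(car.accept(fob_code(key, 4 + WINDOW + 1)))  # outside window
    results.append(car.accept(fob_code(key, 9)))      # presses missed, in window
    return results


if __name__ == "__main__":
    print(demo())
```

Because `last` is never decreased, a recorded sequence of consecutive codes cannot bring the receiver back to an earlier state, which is the check to look for when reviewing a keyless entry design.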
Although the researchers claim to have successfully used the replay attack on 10 distinct Honda vehicles, they assert that the issue likely affects all Honda cars from 2012 to 2022. The Drive further validated the vulnerability by unlocking and starting a 2021 Honda Accord without a key fob using an SDR (software-defined radio) device.