It has been reported that researchers have disclosed a ‘replay attack’ vulnerability affecting select Honda and Acura car models, that allows a nearby hacker to unlock your car and even start its engine from a short distance. The attack consists of a threat actor capturing the RF signals sent from your key fob to the car and resending these signals to take control of your car’s remote keyless entry system. The vulnerability, according to researchers, remains largely unfixed in older models. But Honda owners may be able to take some action to protect themselves against this attack. The vulnerability, tracked as CVE-2022-27254, is a Man-in-the-Middle (MitM) attack or more specifically a replay attack in which an attacker intercepts the RF signals normally sent from a remote key fob to the car, manipulates these signals, and re-sends these at a later time to unlock the car at will.
Vehicle vulnerabilities remain a huge problem and people often don’t think about what hackers can achieve. This relatively simple hack could have very costly consequences as insurance companies may not pay out for the loss of a car. Often technology can add more problems than it’s worth and removing the old fashioned key may not always be the most secure idea. If vehicles are equipped with this technology, however, it is extremely important to keep key fobs out of reach from close proximity attacks and hidden in faraday boxes if possible, regardless of what make or model.
It is unfortunate that Honda appears to be unwilling to resolve this issue, instead it chooses to cop an attitude of \”if we fix it, the bad guys are just going to break it again.\” Instead of defending their reluctance to fix a broken system, seemingly denying the existence of such a flaw in its system, the carmaker should take steps to fix the problem. All car makers should take steps to ensure the security of keyless entry and remote starting systems. They could possibly increase the level of encryption for the signal from the keyfob to the car, or take other steps to increase the protection for remote keys and starters.
While owners of Honda vehicles impacted by CVE-2022-27254 might be understandably concerned over the ability for an attacker to record and replay signals sent from a key fob to their vehicle, such attacks by definition require the attacker to be in close proximity of the vehicle while the key fob is being used, and to remain in close proximity to the vehicle to replay the attack. This makes such an attack a crime of opportunity, but one requiring significant investment in time to wait for a vulnerable vehicle to arrive and for the owner to use their key fob. That investment in time exposes the criminal to detection by authorities and citizens who might question their actions.