Handling the Rolling-PWN Attack Vulnerability (aka the Honda Key Fob Hack)

by Gilad Bandel, CYMOTIVE | July 12, 2022

What is the story behind the Rolling-PWN attack?

The Rolling-PWN attack scenario was published by Kevin2600 and Wesley Li from the Star-V Lab. It describes an attack on various Honda vehicle models from 2012 and onwards. However, it is not necessarily limited to Honda and more likely, applies to many other vehicle makes and models in Asia and elsewhere.  The Rolling-PWN attack performs a “replay at a distance” using the RKE (Remote Key Entry). It allows opening car doors and possibly even starting the engine, although no evidence has been provided to date.

A replay attack is one in which the attacker records the legitimate key commands communication sequence and plays it again later against the targeted car.

Old key fobs used to have a vulnerable, easy to hack, fixed key to open car doors. This is documented in CVE-2019-20626 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20626) which applies to the Honda HR-V 2017 model. It’s also shown in CVE-2022-27254 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27254) which applies to the Honda Civic 2018 model. Since then, Honda changed the security to a rolling key method in which the key fob and the car synchronize on the key commands sequence, so a simple replay attack is rendered futile.

However, the algorithm employed in the Honda BCM (Body Control Module) has some built-in “flexibility” to cope with cases of multiple key fobs, missed transmissions, accidental key presses, and others. To do this, the vehicle receiver has a sliding window of allowed key commands. While this solves these problems above, the solution opens an opportunity for hackers. A hacker can record the key commands and replay them to the victimized car. Documentation of this CVE (Common Vulnerability and Exposure) CVE-2021-46145 can be found here (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46145). The Rolling-PWN vulnerability still exists, affecting a high percentage of Honda vehicles in use today, for example:

Honda Civic 2012
Honda X-RV 2018
Honda C-RV 2020
Honda Accord 2020
Honda Odyssey 2020
Honda Inspire 2021
Honda Fit 2022
Honda Civic 2022
Honda VE-1 2022
Honda Breeze 2022

We could not find any mention of the Rolling-PWN vulnerability or solution on the official Honda website. It should be noted that unless there is physical evidence that your car has been vandalized or stolen, there is no way to detect if anyone exploited this attack vector on your car.

How can Honda and other OEMs cope with the Rolling-PWN threat?

Mitigating this Rolling-PWN vulnerability is quite complex since it involves both the key fobs and the vehicle. It is not practical to replace, or at least update, the software of all key fobs held by the vehicle owners, and simultaneously, update the software of the vehicle’s BCM. One cannot expect people to discard fobs that weren’t used for a while. There should be a mechanism to allow them to “catch up” with the rolling window.

Car owners could be instructed to frequently use all key fobs to allow synchronization. This poses a huge usability challenge such as when car rental companies keep spare keys in a safe for long periods while the main key fob is passed from renter to renter.

Forcing a driver to use only one key fob while disabling the window rollback mechanism solves the problem. However, this solution is not practical as the very purpose of a spare key fob is to replace the first key fob.

In any case, Honda should update the BCM software to remove the window shift option as soon as possible. Perhaps there is an alternative safer option. This can be done in several fashions:

– Over-the-air (OTA) updates – dispatch the software update through a wireless network to vehicles and BCMs that support OTA

– Software updates at a service center – this can be done either by a massive (and expensive) recall or during a scheduled upcoming regular service maintenance. This can apply to BCMs that support software updates over the OBD-II (On Board Diagnostics) port.

– BCM replacement – this can be done by a massive (and expensive) recall or at the scheduled upcoming regular service maintenance. This applies to BCMs that do not support software updates.

– Another option (particularly for future models) is the addition of a random challenge and response protocol between the car and the key fob that ensures that authenticity of the key fob and the freshness of message. In addition, different hardware options exist such as using other RF communication methods.

In general, OEMs and Tier 1s should employ a continuous automated vulnerability management system such as Cymotive Car Alert. Such a system is used for monitoring and mitigating vulnerabilities as they are discovered. Once a vulnerability such as the Rolling-PWN is detected, the system would analyze the risks posed by the new discovered vulnerability. The system would then present the impact, potential damage to the vehicle and the emerging risks. Finally, a proposed plan for risk mitigation would be presented. It would be up to the OEM to choose the correct course of action and execute on it for example install a corrected software version on the vehicles using OTA or OBD-II interface.

To reduce the chance of such a mishap in the future, proper development and cyber security procedure must be employed by the OEM and the entire supply chain. They need to have a CSMS (Cyber Security Management System) in place for the whole vehicle lifecycle. This is a regulatory requirement of OEMs as of July 2024 as per UNR 155. This includes:

– Follow the V-model, meticulously implement and improve in a continuous fashion

– Employing secure design practices with a multilayer defense mechanism

– Review the architecture by security experts and for validation

– Follow SecSDLC (Secured Software Development Life Cycle) at the highest level. For example, including but not limited to, A-SPICE (Automotive Software Performance Improvement and Capability dEtermination)

– Perform security and penetration testing to ensure the protection of the system

For post-production, a VSOC (Vehicle Security Operations Center) should monitor events from the vehicle fleet such telematics or IDS (Intrusion Detection System) qualified cyber events to identify anomalies and respond if necessary.

More News

Show More