PoC for vulnerability in Honda's Remote Keyless System (CVE-2022-27254)
For educational purposes only.
Summary:
This is a proof of concept for CVE-2022-27254, in which the remote keyless system on various Honda vehicles sends the same, unencrypted RF signal for each door-unlock, door-lock, boot-unlock and remote start (if applicable). Because the frame never changes, an attacker can eavesdrop on a single request and conduct a replay attack.
POC videos:
Remote.start.sequence.mp4
Door.unlock.sequence.mp4
Door.lock.sequence.mp4
Vehicles Affected:
• 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, Type R)
Notes:
• Key fob FCC ID: KR5V2X
• Key fob frequency: 433.215MHz
• Key fob modulation: FSK
Tools used:
• FCCID.io
• HackRF One
• Gqrx
• GNURadio
Prevention:
Manufacturers:
- Manufacturers should implement rolling codes, otherwise known as hopping codes. This is a security technology commonly used to generate a new, single-use code for every authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system, so a captured frame is rejected when it is replayed.
Consumers:
- Keep the key fob in a Faraday pouch when it is not in use.
- Use PKE rather than RKE; this makes it significantly harder for an attacker to clone/read the signal, because of how close to the fob they would need to be to do so.
If you believe that you are a victim of this attack, the only current mitigation is to have your key fob reset at the dealership.
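The replay described in the Summary, and the rolling-code countermeasure recommended above, modelled side by side. This is an added example and is not code from this PoC repository or from Honda: the frame layout (command byte, 32-bit counter, 8-byte truncated HMAC-SHA256 tag), the shared key, the sample fob ID and the resync window of 16 are assumptions chosen for illustration and do not describe Honda's real protocol. The fixed-code receiver accepts a captured frame a second time; the rolling-code receiver rejects the replay, rejects a tampered frame, tolerates a few presses made out of range, and refuses a fob that has drifted beyond the window.

```python
"""Added example, not from the PoC repo: fixed-code RKE (the CVE-2022-27254
behaviour) vs. a rolling-code receiver. Frame format, key, IDs and window size
are illustrative assumptions, not Honda's actual design."""
import hashlib
import hmac
import struct

CMD_UNLOCK = 0x01
CMD_LOCK = 0x02
TAG_LEN = 8  # bytes of HMAC kept in the frame (assumption)


class FixedCodeFob:
    """Vulnerable model: every press of a button emits identical bytes."""
    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id

    def press(self, cmd: int) -> bytes:
        return bytes([cmd]) + self.fob_id  # same frame every time -> replayable


class FixedCodeReceiver:
    def __init__(self, fob_id: bytes):
        self.fob_id = fob_id

    def accept(self, frame: bytes):
        """Return the command if the fob ID matches, else None. No freshness check."""
        if len(frame) == 1 + len(self.fob_id) and frame[1:] == self.fob_id:
            return frame[0]
        return None


def _tag(key: bytes, cmd: int, counter: int) -> bytes:
    msg = bytes([cmd]) + struct.pack(">I", counter)
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]


class RollingCodeFob:
    """Rolling (hopping) code: counter advances on every press, frame is keyed."""
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self, cmd: int) -> bytes:
        self.counter += 1
        return bytes([cmd]) + struct.pack(">I", self.counter) + _tag(self.key, cmd, self.counter)


class RollingCodeReceiver:
    def __init__(self, key: bytes, window: int = 16):
        self.key = key
        self.last_counter = 0
        self.window = window  # presses out of range that are tolerated before resync fails

    def accept(self, frame: bytes):
        if len(frame) != 1 + 4 + TAG_LEN:
            return None
        cmd = frame[0]
        counter = struct.unpack(">I", frame[1:5])[0]
        tag = frame[5:]
        # Authenticity: constant-time compare so the tag cannot be guessed byte by byte.
        if not hmac.compare_digest(tag, _tag(self.key, cmd, counter)):
            return None
        # Freshness: a counter at or below the last accepted one is a replay.
        if counter <= self.last_counter:
            return None
        # Resync window: too far ahead is out of sync (or forged); refuse.
        if counter > self.last_counter + self.window:
            return None
        self.last_counter = counter
        return cmd


def replay_demo() -> dict:
    """Attacker records one unlock frame off the air and transmits it again later."""
    r = {}
    # Fixed code: the CVE-2022-27254 situation (constructed sample fob ID).
    fob_id = bytes.fromhex("deadbeef")
    car, fob = FixedCodeReceiver(fob_id), FixedCodeFob(fob_id)
    captured = fob.press(CMD_UNLOCK)
    r["fixed_legit"] = car.accept(captured) == CMD_UNLOCK
    r["fixed_replay"] = car.accept(captured) == CMD_UNLOCK  # replay succeeds
    # Rolling code with a constructed shared key.
    key = bytes.fromhex("00112233445566778899aabbccddeeff")
    car2, fob2 = RollingCodeReceiver(key), RollingCodeFob(key)
    captured = fob2.press(CMD_UNLOCK)
    r["rolling_legit"] = car2.accept(captured) == CMD_UNLOCK
    r["rolling_replay"] = car2.accept(captured) is None  # replay rejected
    # Attacker flips the command byte of a valid LOCK frame to UNLOCK: tag no longer matches.
    tampered = bytearray(fob2.press(CMD_LOCK))
    tampered[0] = CMD_UNLOCK
    r["rolling_tampered"] = car2.accept(bytes(tampered)) is None
    # Owner presses the fob 5 times out of range, then once in range: within window, accepted.
    for _ in range(5):
        fob2.press(CMD_LOCK)
    r["rolling_resync"] = car2.accept(fob2.press(CMD_LOCK)) == CMD_LOCK
    # Fob drifts 100 presses ahead: beyond the window, refused (needs re-pairing).
    for _ in range(100):
        fob2.press(CMD_LOCK)
    r["rolling_too_far"] = car2.accept(fob2.press(CMD_LOCK)) is None
    return r


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name}: {'as expected' if ok else 'UNEXPECTED'}")
```

The receiver checks the tag before the counter so that a forged counter cannot be used to probe the window, and it only advances `last_counter` after both checks pass; a real implementation would also persist the counter across power loss, which is omitted here.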
Credits:
•HackingIntoYourHeart
•Prof. Hong Liu
•Sam Curry
•Prof. Ruolin Zhou