A bug in Honda is indicative of the sprawling car-attack surface that could give cyberattackers easy access to victims, as global use of ‘smart car tech’ and EVs surges.
A pair of recent vulnerabilities found in the automaker ecosystem might not seem like a real danger taken separately. But experts warn a lack of attention on cybersecurity could plague “smart” car and electric vehicle systems — and users — in years to come, as the use of automotive technology continues to explode.
One bug was recently found in the communications between the remote keyless entry function on Honda and Acura cars.
Easily intercepted radio signals from the wireless entry key fob on almost any Honda and Acura vehicle could allow a threat actor to lock and unlock, and even start the car, according to a new disclosure from a pair of researchers.
“A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership,” the post said.
All the attacker needs to takeover the car is a recording of the unencrypted commands sent from the fob, the post added.
“Recording the ‘unlock’ command from the target and replaying (this works on most if not all of Honda’s produced FOBs) will allow me to unlock the vehicle whenever I’d like to, and it doesn’t stop there at all,” the GitHub post said. “On top of being able to start the vehicle’s engine whenever I wished through recording the ‘remote start’, it seems possible to actually (through Honda’s “Smart Key” which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.”
The pair of threat hunters were able to pull off the attack on several Honda and Acura cars, but they suspect the attack would work on any Honda or Acura model.
The models they confirmed were vulnerable include:
- 2009 Acura TSX
- 2016 Honda Accord V6 Touring Sedan
- 2017 Honda HR-V (CVE-2019-20626)
- 2018 Honda Civic Hatchback
- 2020 Honda Civic LX
Honda’s spokesman, Chris Martin told Threatpost this type of flaw is nothing new and added the company cannot confirm the flaw and has no plans to update older car models.
At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby,” Martin told Threatpost by email.
Honda is hardly alone. In late 2020, researchers were able to break into and steal a Tesla through its keyless entry fob, “within minutes.”
Martin also pointed out, if the intent of an attacker was to steal a car, they wouldn’t be able to get very far without the fob’s security chip.
“Also, for Acura and Honda vehicles, while certain models feature a remote start feature, a vehicle started remotely cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle, reducing the likelihood of a vehicle theft,” Martin explained. “There is no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.
Even so, this, and other recent cybersecurity threats, highlights that as “smart” technology and features are increasingly deployed in modern vehicles, the attack surface continues to grow.
Mike Parkin, senior technical engineer at Vulcan Cyber, explained to Threatpost that just because vulnerabilities like this one aren’t especially catastrophic, doesn’t mean they should be dismissed by the automotive and cybersecurity communities.
“The evolution of smart vehicles has expanded our threat surface in unexpected ways,” Parkin said. “While there have only been a few serious remote attacks that affect vehicles, the potential is there and is growing.”
He added the possibility of crippling an entire fleet of vehicles is something that, “keeps vehicle manufacturers product security teams up at night.”
A new vulnerability in the Combined Charging System (CCS) for electric vehicles could potentially do just that.
Combined Charging System Flaw
Another recent disclosure from a team at Oxford University found security flaws in the Combined Charging System that allows rapid DC charging for electric vehicles. Researchers were able to cut off charging from as far as 10 meters away in a lab with nothing more than off-the-shelf technology, according to their report.
The attack was dubbed “Brokenwire” by the team, and it has the potential to impact not just the more than 12 million electric vehicles currently on the roads, but also electric planes, ships and heavy-duty vehicles, they warned.
“The attack interrupts necessary control communication between the vehicle and charger, causing charging sessions to abort,” the team found. “The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.”
This and other bugs in automotive technology shows more needs to be done to protect its security, John Bambenek, principal threat hunter at Netenrich explained to Threatpost.
“The problem does indicate that manufacturers of EV technology did not fully think through the ways people can tamper with their technology,” he said. “While the end result of this vulnerability is inconvenience, eventually someone will find something more nefarious that can be done.”
Bugcrowd’s founder and CTO Casey Ellis agreed that a shift in priorities for automakers toward cybersecurity is overdue.
“While this vulnerability seems to be more inconvenient than dangerous, it is yet another reminder of the importance of a feedback loop between those who are building and those with a ‘breaker’ mindset, especially when systems as safety critical as automotive vehicles are involved,” Ellis advised.
Moving to the cloud? Discover emerging cloud-security threats along with solid advice for how to defend your assets with our FREE downloadable eBook, “Cloud Security: The Forecast for 2022.” We explore organizations’ top risks and challenges, best practices for defense, and advice for security success in such a dynamic computing environment, including handy checklists.