Experts Warn Automaker Cyber-Security is Well Behind Tech Adoption!

A bug in Honda cars is typical of the automotive attack surface that could give cyber-attackers easy access to victims, as global use of ‘smart car tech’ & EVs grows.

Several recent vulnerabilities found in automaker systems might not seem like a major danger taken separately. Experts warn that a lack of attention to cyber-security could affect “smart” car & electric vehicle systems & users in years to come, as the use of automotive technology continues to grow.

Honda & Acura Cars

One bug was recently found in the communications of the remote keyless entry function on Honda & Acura cars.

Easily intercepted radio signals from the wireless entry key fob on almost any Honda & Acura vehicle could allow a threat actor to lock & unlock, & even start, the car, according to a new disclosure from researchers.

Ayyappan Rajesh, a student at UMass Dartmouth, US, & Blake Berry (HackingIntoYourHeart) reported the defect (CVE-2022-27254) & provided additional details of the vulnerability in a GitHub post.

Unlimited Access

“A hacker can gain complete & unlimited access to locking, unlocking, controlling the windows, opening the trunk, & starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realise), resetting your fob at a dealership,” the post mentioned.

All the attacker needs to take over the car is a recording of the unencrypted commands sent from the fob, the post added.

“Recording the ‘unlock’ command from the target and replaying (this works on most if not all of Honda’s produced FOBs) will allow me to unlock the vehicle whenever I’d like to, and it doesn’t stop there at all,” the GitHub post outlined.

Remote Start

“On top of being able to start the vehicle’s engine whenever I wished through recording the ‘remote start,’ it seems possible to actually (through Honda’s “Smart Key” which uses FSK) demodulate any command, edit it, & retransmit in order to make the target vehicle do whatever you wish.”

The researchers carried out the attack on several Honda & Acura cars, but they think it would work on any Honda or Acura model.
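
The following Python example is added here and is not taken from the researchers' GitHub post or from Honda. It contrasts a receiver that accepts a fixed, unauthenticated command with one that requires a fresh counter and a keyed MAC on every frame. The key, frame layout, class names and window size are assumptions made for the illustration.

```python
import hashlib
import hmac

# Constructed demo values; not taken from any real fob or vehicle.
SHARED_KEY = b"constructed-demo-key"
UNLOCK = b"UNLOCK"
WINDOW = 16  # accept counters up to this far ahead (presses made out of range)


class StaticCodeReceiver:
    """Fixed-command design: a frame recorded once stays valid forever."""
    def accept(self, frame: bytes) -> bool:
        return frame == UNLOCK


def fob_frame(key: bytes, counter: int, command: bytes) -> bytes:
    """Fob side: 4-byte counter || command || 8-byte truncated HMAC-SHA256."""
    body = counter.to_bytes(4, "big") + command
    return body + hmac.new(key, body, hashlib.sha256).digest()[:8]


class RollingCodeReceiver:
    """Accepts a frame only if its MAC verifies and its counter is fresh."""
    def __init__(self, key: bytes):
        self.key, self.last_counter = key, 0

    def accept(self, frame: bytes) -> bool:
        if len(frame) < 13:  # 4-byte counter + at least 1 command byte + 8-byte tag
            return False
        body, tag = frame[:-8], frame[-8:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return False  # edited or forged frame
        counter = int.from_bytes(body[:4], "big")
        if not self.last_counter < counter <= self.last_counter + WINDOW:
            return False  # stale (replayed) or implausibly far ahead
        self.last_counter = counter
        return True


def demo() -> dict:
    static, rolling = StaticCodeReceiver(), RollingCodeReceiver(SHARED_KEY)
    recorded = fob_frame(SHARED_KEY, 1, UNLOCK)     # one legitimate button press
    edited = (2).to_bytes(4, "big") + recorded[4:]  # counter bumped, old tag kept
    return {
        "static": [static.accept(UNLOCK), static.accept(UNLOCK)],
        "rolling": [rolling.accept(recorded), rolling.accept(recorded)],
        "edited": rolling.accept(edited),
    }
```

The static receiver accepts the same frame every time it is sent, while the counter-and-MAC receiver accepts the recorded frame once and rejects both the repeat and the edited copy.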

Vulnerable

The models they confirmed were vulnerable include:

  • 2009 Acura TSX
  • 2016 Honda Accord V6 Touring Saloon
  • 2017 Honda HR-V (CVE-2019-20626)
  • 2018 Honda Civic Hatchback
  • 2020 Honda Civic LX

Honda’s spokesperson, Chris Martin, revealed that this type of flaw is not new & added that the company cannot confirm the flaw & has no plans to update older car models.

“It seems that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened & started nearby,” Martin outlined.

Tesla

Honda is not alone. In late 2020, researchers were able to break into and steal a Tesla through its keyless entry fob, “within minutes.”

Martin also pointed out that if the intent of an attacker were to steal a car, they would not be able to get very far without the fob’s security chip.

“Also, for Acura & Honda vehicles, while certain models feature a remote start feature, a vehicle started remotely cannot be driven until a valid key fob with a separate immobiliser chip is present in the vehicle, reducing the likelihood of a vehicle theft,” Martin explained.

“There is no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”

Smart Technology

These & other recent cyber-security threats highlight that, as “smart” technology & features are increasingly deployed in modern vehicles, the attack surface continues to grow.

Mike Parkin, Senior Technical Engineer at Vulcan Cyber, explained that although vulnerabilities like this one are not especially catastrophic, they should not be dismissed by the automotive & cyber-security communities.

Threat Surface

“The evolution of smart vehicles has expanded our threat surface in unexpected ways,” Parkin stated. “While there have only been a few serious remote attacks that affect vehicles, the potential is there & is growing.”

He added that the possibility of crippling an entire fleet of vehicles is something that “keeps vehicle manufacturers product security teams up at night.”

A new vulnerability in the Combined Charging System (CCS) for electric vehicles could potentially do just that.

Combined Charging System

Another recent disclosure from a team at Oxford University found security flaws in the Combined Charging System that allows rapid DC charging for electric vehicles. Researchers were able to cut off charging from as far as 10 meters away in a lab with little more than off-the-shelf technology, the report states.

The attack was named “Brokenwire” by the team, & it has the potential to affect not just the more than 12m electric vehicles currently on the roads, but also electric planes, ships & heavy-duty vehicles, they warned.

Control Communication 

“The attack interrupts necessary control communication between the vehicle & charger, causing charging sessions to abort,” the team discovered.

“The attack can be conducted wirelessly from a distance using electromagnetic interference, allowing individual vehicles or entire fleets to be disrupted simultaneously.”

This & other bugs in automotive technology show that more needs to be done to protect its security, John Bambenek, Principal Threat Hunter at Netenrich, explained.

“The problem does indicate that manufacturers of EV technology did not fully think through the ways people can tamper with their technology,” he surmised. “While the end result of this vulnerability is inconvenience, eventually someone will find something more nefarious that can be done.”

Change in Priorities

Bugcrowd’s founder & CTO Casey Ellis agreed that a change in priorities for automakers toward cyber-security is now overdue.

“While this vulnerability seems to be more inconvenient than dangerous, it is yet another reminder of the importance of a ‘feedback loop’ between those who are building & those with a ‘breaker’ mindset, especially when systems as safety critical as automotive vehicles are involved,” Ellis concluded.

 
