To obtain at least partial control of the vehicle, simply recording the signal broadcast by a fob is sufficient. When the target locks their car, all the attacker has to do is receive and save that transmission; the saved instruction can later be replayed and the vehicle responds accordingly. In the same way, the vehicle can be opened by recording and replaying the target’s “unlock” instruction (this works on most, if not all, Honda-produced fobs). Beyond being able to start the vehicle’s engine by replaying “remote start”, the attacker can also record that command and demodulate it (Honda’s “Smart Key” uses frequency-shift keying), so any command can be demodulated, edited, and retransmitted to control the target vehicle [1].
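The weakness described above is that a fob frame carries nothing that ties it to a particular moment, so a recording stays valid. The following toy model, added here as an example and not taken from the advisory or from the referenced repository, contrasts a fixed-code receiver with a rolling-code receiver that authenticates a counter and rejects both replayed and edited frames. The pairing secret, frame layout and window size are constructed for the demo and do not describe Honda’s actual protocol.

```python
import hashlib
import hmac

# Added example (not part of the advisory): a toy model of why a recorded
# fob frame can be replayed against a fixed-code receiver, and how a
# rolling-code receiver with an authenticated counter rejects the replay.
# The key, frame layout and window size are constructed for the demo and
# do not describe Honda's actual protocol.

PAIRING_SECRET = b"constructed-pairing-secret"  # assumed shared at pairing
WINDOW = 16  # counter values ahead of the last accepted one we tolerate


def fixed_code_frame(command: str) -> bytes:
    """Fixed-code fob: the frame for a command is the same every time,
    so a recording stays valid indefinitely."""
    return b"FIXED|" + command.encode()


class FixedCodeReceiver:
    """Accepts any well-formed fixed-code frame; has no notion of freshness."""

    def accept(self, frame: bytes):
        if not frame.startswith(b"FIXED|"):
            return None
        return frame[len(b"FIXED|"):].decode()


class RollingCodeFob:
    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def frame(self, command: str) -> bytes:
        # Each press increments the counter and authenticates command+counter.
        self.counter += 1
        payload = f"{command}|{self.counter}".encode()
        tag = hmac.new(self.secret, payload, hashlib.sha256).hexdigest()[:16]
        return payload + b"|" + tag.encode()


class RollingCodeReceiver:
    def __init__(self, secret: bytes, window: int = WINDOW):
        self.secret = secret
        self.window = window
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame: bytes):
        """Return the command if the frame is authentic and fresh, else None."""
        parts = frame.split(b"|")
        if len(parts) != 3:
            return None
        command, counter_bytes, tag = parts
        try:
            counter = int(counter_bytes)
        except ValueError:
            return None
        expected = hmac.new(self.secret, command + b"|" + counter_bytes,
                            hashlib.sha256).hexdigest()[:16].encode()
        # Constant-time compare so the tag check itself leaks nothing.
        if not hmac.compare_digest(tag, expected):
            return None
        # Freshness: the counter must move forward, but only within the window
        # (presses out of range of the car advance the fob but not the receiver).
        if not (self.last_counter < counter <= self.last_counter + self.window):
            return None
        self.last_counter = counter
        return command.decode()


def demo() -> dict:
    """Run the capture-and-replay scenario against both receivers."""
    results = {}

    # Fixed code: the captured "unlock" frame is accepted again on replay.
    captured = fixed_code_frame("unlock")
    fixed_rx = FixedCodeReceiver()
    results["fixed_first"] = fixed_rx.accept(captured)
    results["fixed_replay"] = fixed_rx.accept(captured)

    # Rolling code: the same capture is accepted once and refused on replay.
    fob = RollingCodeFob(PAIRING_SECRET)
    rolling_rx = RollingCodeReceiver(PAIRING_SECRET)
    captured = fob.frame("unlock")
    results["rolling_first"] = rolling_rx.accept(captured)
    results["rolling_replay"] = rolling_rx.accept(captured)

    # Editing the command inside a captured frame invalidates the MAC.
    edited = captured.replace(b"unlock", b"remote_start")
    results["rolling_edited"] = rolling_rx.accept(edited)

    # A few presses out of range still resynchronise within the window.
    for _ in range(5):
        fob.frame("lock")
    results["rolling_resync"] = rolling_rx.accept(fob.frame("lock"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the window check is the usual engineering trade-off: a receiver that demands the exact next counter would lock out a fob pressed out of range, while a receiver with no upper bound would accept a frame captured far in the future; the MAC over command and counter is what stops the “edit and retransmit” variant rather than just the plain replay.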
Since 03/23/2020, this vulnerability has been designated CVE-2019-20626. The attack must be carried out locally, and no form of authentication is required for exploitation. The price of an exploit is estimated at about USD $0-$5k (estimate computed on 03/24/2020). In MITRE ATT&CK terms, the technique used by this issue is T1040 (Network Sniffing).
[1] HackingIntoYourHeart (2021), Unoriginal Rice Patty. Available at https://github.com/HackingIntoYourHeart/Unoriginal-Rice-Patty
Written by Nishat Mowla