Honda Ignores Security Vulnerabilities In their Vehicles

Honda is a renowned multinational automobile manufacturer known for affordability, safety, and reliability. Honda is the eighth largest automaker in the world and the largest producer of internal combustion engines. In Canada, Honda vehicles are extremely popular. The Honda Civic is a household name that everyone is familiar with. In fact, the Honda Civic was among the bestselling vehicles of last year. So, what exactly is Honda’s issue? One word: security.

[Image: A 2020 Honda Civic]

Recently, a small research team discovered a vulnerability and demonstrated how an attacker could remotely unlock, lock, and start the engine of Honda vehicles. According to the researchers, this bug affects the immensely popular 2016-2020 Honda Civic vehicles. This, however, is not the first time a vulnerability like this has occurred for Honda. As recently as 2020, a similar bug was discovered in Acura TSX, Accords and the HR-V vehicle models. This vulnerability is not new and is seemingly widespread, and as a Civic owner myself, I am quite concerned.

Why is there a security vulnerability? The culprit is remote key fobs. Remote key fobs have existed since 1982, when the French automaker Renault implemented the first iteration of remote key fobs as a means of unlocking a vehicle without a traditional key. A decade later, the technology evolved when Mercedes-Benz implemented the first keyless remote system that allowed the user to start the engine without a traditional key. These technological advancements led to push-to-start vehicles becoming increasingly popular in modern times. Most remote key systems use radio waves to transmit information from the key fob to the vehicle over a short distance. This allows the owner to unlock, lock, and start the engine of their vehicle remotely. Although this technology is convenient, it opens many possibilities for security vulnerabilities if not implemented properly.

[Image: Honda remote key fob]

The security issue is that Honda neglected to encrypt or add any layer of security to the radio signals transmitted from the key to the vehicle. This makes the transmission extremely susceptible to simple ‘replay’ attacks, in which an attacker intercepts the radio transmission and plays it again later. This attack can be carried out by anyone within signal range of the key who has the proper equipment. Once an attacker has captured the transmission, it can be reused without limit. However, the attacker’s freedom is limited, as they cannot drive away with the vehicle: to do so, the physical key fob must be inside the vehicle, thanks to the ‘immobilizer chip’ present in key fobs, which ensures that only a key programmed into the car is able to enable it. Although your car cannot be stolen, its contents are easily accessible, and your car’s engine can be left running, which is especially detrimental with today’s gas prices.

To demonstrate, here is the “lock” command that is sent by the remote key fob that would be intercepted by an attacker: 

653-656, 667-668, 677-680, 683-684, 823-826, 837-838, 847-850, 853-854 

All an attacker needs to do to unlock the vehicle is flip the bits and send the transmission back. 

A simple and effective solution would be for Honda to implement a ‘rolling code’ system that ensures that every radio transmission is encrypted and uses a unique code every time. Although Honda is aware of the issue, they refuse to provide a solution for their customers, dismissing the issue as inevitable and downplaying it as the work of sophisticated car thieves. Unfortunately, for the time being, the only way to ensure that your vehicle is safe from such an attack is to refrain from using your remote key fob. 
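The difference between the fixed code described above and a rolling code, as an added example (not code from Honda, the researchers, or this post). It models the rolling code with a shared key, a counter and a truncated HMAC tag rather than encryption; the key, command codes, frame layout and window size are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

LOCK, UNLOCK = 0x01, 0x02  # constructed command codes, not real fob values


class StaticReceiver:
    """Fixed-code receiver: the same frame stays valid forever."""

    def __init__(self, known_frames):
        self.known_frames = known_frames  # frame bytes -> command

    def receive(self, frame):
        return self.known_frames.get(frame)


class RollingFob:
    """Fob that authenticates (command, counter) with a key shared with the car."""

    def __init__(self, key):
        self.key = key
        self.counter = 0

    def press(self, command):
        self.counter += 1
        body = struct.pack(">BI", command, self.counter)
        tag = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        return body + tag


class RollingReceiver:
    WINDOW = 16  # how far ahead the fob counter may run (presses out of range)

    def __init__(self, key):
        self.key = key
        self.last_counter = 0

    def receive(self, frame):
        if len(frame) != 13:
            return None
        body, tag = frame[:5], frame[5:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None  # altered or forged frame
        command, counter = struct.unpack(">BI", body)
        if not self.last_counter < counter <= self.last_counter + self.WINDOW:
            return None  # stale (replayed) or implausibly far ahead
        self.last_counter = counter
        return command


def demo():
    results = {}
    static_frame = bytes.fromhex("a55a02")  # constructed sample frame
    static_rx = StaticReceiver({static_frame: UNLOCK})
    # A recorded fixed-code frame is accepted every time it is presented.
    results["static"] = [static_rx.receive(static_frame) for _ in range(3)]

    key = bytes(range(16))  # constructed demo key
    fob, car = RollingFob(key), RollingReceiver(key)
    frame = fob.press(UNLOCK)
    results["first"] = car.receive(frame)   # genuine press is accepted
    results["replay"] = car.receive(frame)  # same frame again is stale

    fresh = fob.press(LOCK)
    tampered = bytes([fresh[0] ^ 0x03]) + fresh[1:]  # LOCK -> UNLOCK bit flip
    results["tampered"] = car.receive(tampered)  # tag no longer matches
    results["fresh"] = car.receive(fresh)        # untouched frame still works

    for _ in range(3):
        fob.press(LOCK)  # presses the car never hears
    results["resync"] = car.receive(fob.press(UNLOCK))  # within the window
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The replay is rejected by the counter check and the bit-flipped frame by the tag check, so the two defences cover the two problems described above separately.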

Sources:

https://thehackernews.com/2022/03/hondas-keyless-access-bug-could-let.html

https://www.bleepingcomputer.com/news/security/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/

https://informationsecuritybuzz.com/expert-comments/honda-bug-lets-a-hacker-unlock-and-start-your-car-via-replay-attack/

https://latesthackingnews.com/2022/03/29/researchers-release-car-exploit-that-allows-hackers-to-lock-unlock-and-start-hondas/

https://www.itsecuritynews.info/hackers-can-use-a-replay-attack-due-to-a-honda-vulnerability/

Join the Conversation

52 Comments

  1. Interesting post! I had no idea that there were these waves that could easily be intercepted and hacked into so that they can get into your car. I heard from a friend that they’re removing the physical aspect of the car fob being in the car in order to drive it, so this is especially concerning too.

  2. Wow! This is concerning! I think most new cars now use key fobs instead of actual keys, so this seems like a concern for everyone. I wonder if other types of vehicles could experience these security issues too. What I found particularly alarming is that you said the only way to protect yourself is to not use your key fob, which isn’t an easy change to make! There doesn’t seem to be a reasonable way to protect yourself.

  3. Good Post! Most modern cars now come with key fobs and push start. This issue needs to be timely addressed. It is Honda’s carelessness to not encrypt the radio waves sent from the key fob to the vehicle. It is also very irresponsible of Honda to not work on the solution and rather dismiss the issue. Also, you have mentioned that the only way to protect yourself is to not use the key fob. I don’t think this is a reasonable solution. The company needs to step up and find a reasonable solution.

  4. Wow, looks like Honda’s Formula 1 engines aren’t the only thing failing. It’s crazy to think that Honda would not bother to encrypt or protect their key fobs in any way, especially considering how important information security is in our day and age. I feel like this wouldn’t even be a very hard fix so it’s disappointing to see that they would rather ignore the problem and put users at risk of getting robbed. I like how this post talks about physical objects being affected, unlike how most other posts just talk about software being hacked. Great job!

  5. Interesting post! As more time passes, it seems everything is going to need protection from some form of cryptosecurity. It surprises me that Honda has not foreseen this increasing trend and even more so that they chose to neglect this encryption issue. And it’s a concerning thought to think about how many other companies choose to ignore the importance of encryption, especially in this day and age.

  6. This is a fantastic article! Most new cars now come with key fobs and push-button start. This issue must be resolved as quickly as feasible. The fact that the radio waves sent from the key fob to the vehicle are not encrypted is due to Honda’s irresponsibility. Honda is also acting irresponsibly by refusing to collaborate on a solution and instead disregarding the issue. You also stated that the only method to protect oneself is to not use the key fob. This does not appear to be a feasible alternative to me. The company needs to take action and come up with a viable answer.

  7. It’s really surprising that such a big company like Honda is refusing to look into such a glaring setback. If other companies have a solution, even implementing your suggested solution shouldn’t be such a big thing. Maybe they’re just waiting for these attacks to become a more common occurrence I guess. Interesting read!

  8. Hey, great post. I just read a latest post by another student suggesting the rise of attacks on electronic vehicles. I think this is a very inconsiderate move by Honda which shows that they are clearly not doing their research. I think the idea that their cars can be hacked is a cause for concern because as more tools develop on electronic vehicles, the worse it is going to get for the industry as it will lead to an arms race between the companies and hackers. I think if Honda does not acknowledge this problem, it will only lead to more trouble downstream. And it could potentially hurt their shareholders as well as customers’ trust.

  9. Interesting post. I had no idea that a vulnerability like this existed in cars, especially in such a well-used brand of cars, Honda. My family and pretty much all of my friends have a Honda Civic so hearing about this vulnerability is pretty scary. The fact that thieves can now hack into your car and unlock it with ease or even start your car is very shocking. What’s even more shocking is that Honda is not doing anything about this and is instead just letting it happen, claiming it’s inevitable. Even though they have a point, it is inevitable they should still try their hardest to provide security for their customers.

  10. It seems like some companies still don’t understand the level to which cybersecurity is important. By ignoring and deflecting from software issues like this, the purpose of locks in the first place is thrown out the window. This kind of negligence should be discouraged heavily and people need to be made aware that these kinds of issues exist and that they NEED fixing.

  11. A lot of companies seem to be acting in bad faith nowadays as many companies will analyze the cost vs benefits and deliberately ignore security flaws or issues with their products, and if they believe that a recall or something similar to it is not worth it they won’t fix it even if it’s at a consumer’s detriment. I like how you mentioned how the attack occurs and it seems to me that the relay attack is similar to a man in the middle attack. Security flaws like this are why I personally don’t like remote started cars as they could lead to potentially my car being stolen.

  12. Very interesting post! I honestly did not know regular cars could be compromised this easily as we only mostly hear about electric cars being vulnerable when it comes to security. The remote key fob technology should have been made much more secure by this time. Honda should and must face scrutiny for not bothering with adding more encryption to their technology. It’s one of the most trusted vehicle manufacturers there are.

    The fact that Honda refuses to give its customers a solution for this is horrendous. They are a multi-billion dollar company that could easily implement the proper fixes required to resolve this but I don’t think they will do anything unless they face some mass scale boycott of some sort. This isn’t likely but I assume there must be better cars out there where the automaker has cared enough to provide better features to tackle this.

  13. It comes as a shock to me that such a weakness existed in automobiles, let alone in a well-known brand like Honda. It appears that some businesses are still unconcerned about the threat of cybercrime. When locks are ignored and redirected from software concerns like this, their purpose is thrown out the window. Honda should also adopt a “rolling code” system, which ensures that each radio broadcast is encrypted and utilises a different code each time. However, it appears that they are continuing to downplay the problem.

  14. Thanks for sharing such an interesting blog post! It’s shocking that a big automobile company like Toyota has such a care-free attitude towards security. As someone who never uses the remote start control, I think people need to be careful using it. People should be more aware of the security features that each car possesses before making a purchase.

  15. Thanks for the heads up! It’s always disheartening to see that major companies make irresponsible mistakes like this. I suspect in the future if there were to be a lawsuit related to this security flaw Honda will eat the fine and not recall their vehicles because the cost-analysis will determine it will cost more to fix rather than paying the fine for the few times it occurs. I definitely will be looking at the car’s security system when purchasing in the future!

  16. Honda’s advertising and training materials extol the security features of their automobiles. Honda, on the other hand, neglects to explain that these “always on” devices are readily hacked. Thieves can collect key fob signals to unlock and start automobiles using inexpensive ‘relay attack’ radio signal devices. For some years, Honda has been aware of a system problem. Despite this, there is no warning label on the key fob from Honda. There’s no mention of a Faraday cage in the Honda handbook to keep the fob signals from being stolen.

  17. Great post! It is very shocking to see how a multinational auto manufacturer like Honda refuses to provide a solution for their customers even though they are aware of the issue. As you mentioned, Honda can implement a solution like ‘rolling a code’ system. I don’t see why they are just ignoring the issue completely, even though there is a simple and effective solution that can be implemented. Also, it is a careless mistake that Honda didn’t encrypt the radio waves sent from the key fob to the vehicle.
    The company needs to provide effective solutions for their customers. Also, they need to spend more resources on security to avoid such issues.

  18. Once again this is another instance of a large company choosing reactivity over proactivity. Who knows what it will take for them to actually respond to this. One thing I have hope for though is private vulnerability researchers at least making these issues aware, now it is up to consumers to make their choice and vote with their dollars. I tend to be a bit of a late adopter myself by nature, since I am usually skeptical of things that have not existed on the market for a while.

  19. This is quite concerning for a Honda owner for sure. The most interesting part is that it’s 2016-2020 cars being targeted. This shows how cars are getting intricately advanced in their systems but still don’t pay enough attention to security. While there are solutions out there, they need to be strictly implemented as it’s unacceptable for big companies to ignore these issues. I had my wallet and other belongings stolen from my car in downtown Vancouver while everything was locked and I had the key. I still don’t know how they got inside the car.

  20. Interesting post! I wonder if it would be expensive to fix every car, and that is the reason why they have chosen to ignore it. But with the way everything is being connected to the internet nowadays, I wonder if it will be easier to fix issues like this in the future.

  21. Thanks for sharing the blog post! Remote control is a system that various car manufacturers are trying to improve, because it brings the best experience and convenience to car owners, but safety must also be considered by car manufacturers.

  22. Very interesting, well-written article! On the one hand I can understand Honda’s argument that it is not a serious issue as the car cannot be stolen, on the other hand it seems unbelievable that such a big manufacturer just does not want to change a well-known problem with a solution that seems fairly easy to implement. For Honda drivers it must be a bad feeling to always have the possibility of somebody unlocking their vehicle, therefore they cannot leave any items of value in their vehicle.
    You indicated that it was mostly 2016-2020 model years that are affected, do you know if Honda did change their implementation to make it more secure for newer model years or is simply different technology needed to intercept the new waves and therefore it is not as widespread (yet)?

  24. Great job! Cars nowadays are at risk of cyber attacks, the companies should work on keeping their cars secure so the customers get the best of it. Failure to do so is going to harm the customers and give them a bad experience.

  25. Great article, like so many other people have already said I find it absolutely unbelievable that Honda has not done anything about this issue. I guess the only thing for me to do is avoid using my key fob on my Honda… I’m glad that my vehicle was not made between 2016-2020, but really I’m a bit peeved that Honda isn’t doing anything about this.

    1. So as a result of my reading this article I made an effort to avoid using my key fob, and now I’m even more annoyed at Honda, as using my key fob as I walk to or from my car has become instinctual. I constantly forget to manually lock the car and have to walk back to lock the door, and it’s getting old hahaha.

  26. Great Post! To protect against such vulnerabilities, the researchers recommend that car manufacturers use so-called “rolling codes”: this technology creates fresh codes for each authentication request, so an attacker cannot reproduce the codes later.

  27. Thank you for posting this informative article and spreading awareness about the issue. I always thought that interceptions could only occur over physical connections or by tapping into a network, but I suppose radio waves serve the same purpose as anything else, only with a different communication mechanism. That’s similarly security vulnerabilities are present in these systems. It’s scary to think that Honda would downplay the significance of security in their vehicles, especially in new ones. Granted, a fix may be hard to implement due to the inability to install a software update, but if that’s the case there shouldn’t be any excuse to not have this functionality in cars equipped with new technology. Overall, Honda should be more accountable for its lack of security because many of its customers may face the dangers of targeted attacks, especially when it’s easy to spot a Honda Civic today.

  28. This is a cool post!!
    Very interesting to hear that Honda is going through security flaws, because I think they won number #1 in security in the past years. I am a Honda owner as well, and it is indeed concerning that these attacks seem so effortless for hackers to get control of our cars. It is nice to hear that Honda is well aware of this issue, but I am curious to know why they won’t provide a solution for their customers.

  29. Nice post. It seems Honda does not care if they lose buyers, because knowing that the car can be intercepted at any time, and doing nothing about it is like allowing death to occur. They should fix the problem right away so as to ensure the safety of everyone that uses their cars.

  30. Good Post! This post has a decently large amount of comments already so apologies if some of my observations here have already been said. It is interesting and rather scary that car thieves can get into your car simply by hijacking a signal from your key fob. To have the skill, ingenuity, and knowledge to find out about this vulnerability, engineer a way to exploit it, and then profit from it is rather disappointing, one would think that if someone has the skills and knowledge to build a device that can intercept and replay these types of signals and then use it simply to rob others vehicles seems to me like a waste of ability and possibly talent.

  31. I am devastated to see how ignorant people are towards security. Just a while ago I read a blog where online retail shops did not update their security and were using a faulty algorithm which led to numerous personal information of customers being stolen. Now, Honda does not care about strengthening their security. If this is that easy to control the starting and shutting down of a vehicle, just think how dangerous it would be if terrorist organizations start using it to cause terror and havoc. Thousands of Honda vehicles getting shut down suddenly while driving could lead to some serious accidents and damages. Honda authorities should take a look into it before something really concerning happens and they do not have to regret.

  32. Great post! Many, if not most, vehicles rely on key fobs, and thus, this issue shouldn’t only be concerning for Honda drivers, but rather, anyone who owns a vehicle. I can’t even begin to understand why such large companies; companies that are leaders in their fields, actively choose to ignore and neglect flaws, even when they are preemptively identified. Evidently, there is a lack of understanding regarding the potentially serious, if not fatal consequences, some of these flaws may inherently lead to. Clearly, Honda should consider the safety of their customer base, but, if they haven’t already done so, despite the seriousness of the situation, can they be trusted to be wary of similar mishaps in the future?

  33. It’s quite sad to see Honda fail to address such a simple security issue, almost at the level as garage door openers, on something so expensive as a car. I’m honestly surprised that they don’t enforce rolling codes, or at least done a mass recall to implement them after the exploit has gotten revealed especially since people can steal things from the car if they can easily unlock them. Overall a very informative read!

  34. This post surprised me. I found that using the remote key also has risks. The post showed that Honda did not encrypt the radio signal transmitted by the key, which gave the attacker the opportunity to intercept the radio transmission and carry out an attack called “replay”. This vulnerability makes Honda users have security problems. Honda clearly has a solution, but it doesn’t use it. The irresponsibility of the company will make customers lose confidence in the company’s products. They should provide security to customers and solve loopholes as soon as possible. Now it is very common to use the remote key, so it is very inconvenient not to use it. I hope the company can take action and use the “rolling code” system to solve the problem.

  35. The way Honda is handling this situation is intolerable as instead of adding just one layer of security they are just accepting the fact that “sophisticated thieves” can easily unlock their consumers’ private cars which can have important accessories in it.

    Another reason it is so dangerous is that majority of the users do not know that their key fob makes their car so vulnerable and hence might leave their expensive devices in the car considering it’s safe.

  36. This is a very interesting post. However, I feel this is kind of similar to another post I read who may have taken ideas from your post.
    The important thing about cars is that there is always the vulnerability to bigger outcomes like accidents. It is definitely a very informative blog. Good Job!

  37. Thank you for sharing this insightful article and bringing attention to this important subject. I used to believe that receptions could only happen through access points or by hacking into a system, but I suppose radio signals serve the same role as everything else, although through a different communication channel. Security flaws are present in these systems in a similar way.

  38. The fact that Honda is aware of a security flaw in their product and is actively refusing to fix said problem is obscene. That sort of blatant disregard for the safety of their customers is a prime example of how the profit motive has distorted basic values. Polemics aside, I think that the only way forward is to modernize the legislation that backs safety standards for vehicle sales and manufacturing. As it is, our existing legal frameworks are not up to the standard necessary to ensure the safety of smart vehicles. As time goes on and these technologies become more prevalent, smart vehicles will increasingly become a target for cyber criminals. If there isn’t a legal basis for customers affected by security vulnerabilities to pursue class action against auto makers, they will remain disincentivized to fix security issues and stories like these will only become more common.

  39. Great Post. I had no clue ordinary automobiles could be that easily infiltrated, since we typically learn about electric vehicles being susceptible in terms of security. It’s disheartening to contemplate how many more firms blatantly disregard the need of encryption, particularly in today’s technological era. I believe that automobile manufacturers should actively attempt to include more complex technologies into modern vehicles while also guaranteeing that they sustain and perhaps improve their security and dependability.

  40. Amazing post! I actually had no idea that cars could be infiltrated in this way. Just thinking about the purposed future of self driving this poses a very big risk. These types of attacks or faults could lead to potentially life-threatening injuries. I’m shocked that Honda would ignore the vulnerabilities as it could seriously affect their customer relations. I hope they come around and address all the issues.
