Researchers recently discovered a vulnerability in Honda and Acura’s keyless entry and start systems that could allow hackers to remotely unlock and start some of their vehicles.

About the findings

According to the study, certain cars utilize keyless systems that operate by transmitting “unencrypted radio frequency signal[s] to the car.” Because of this, hackers can potentially “intercept [the signal requests] and replay the request at a later time.” The vulnerable system can be found in a variety of models, including the Honda Civic LX, EX, EX-L, Touring, Si, and Type R models made from 2016 and 2020, and the 2009 Acura TSX.

The computer scientist who worked on the project, Blake Berry, further explained:

“A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership.”

Ayyappan Rajesh, a student at the University of Massachusetts Dartmouth and member of the research team, recommends that the car manufacturers replace the system with a new coding system, known as “Rolling Codes.” Instead of sending the keyless entry or start requests using the same radio frequency every time, Rolling Codes would “provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system.” 

However, Honda does not currently have any plans to implement such an update. Christ Martin, a spokesman from Honda, recently stated:

 “At this time, it appears that the devices only appear to work within close proximity or while physically attached to the target vehicle, requiring local reception of radio signals from the vehicle owner’s key fob when the vehicle is opened and started nearby…

Access to a vehicle without other means to drive the vehicle, while hi-tech in nature, does not provide thieves an advantage much greater than more traditional and certainly easier ways to gain entry to a vehicle. And there is no indication that the type of device in question is widely used…

Also, for Acura and Honda vehicles, while certain models feature a remote start feature, a vehicle started remotely cannot be driven until a valid key fob with a separate immobilizer chip is present in the vehicle, reducing the likelihood of a vehicle theft. There is no indication that the reported vulnerability to door locks has resulted in an ability to actually drive an Acura or Honda vehicle.”

While this particular vulnerability is unlikely to have significant effects on Honda or Acura owners, cybersecurity experts warn that manufacturers need to be increasingly aware of the dangers of creating smart vehicles. As Mike Parkin, senior technical engineer at Vulcan Cyber, recently commented:

“The evolution of smart vehicles has expanded our threat surface in unexpected ways. While there have only been a few serious remote attacks that affect vehicles, the potential is there and is growing.”