A “replay attack” vulnerability affecting certain Honda and Acura models has been disclosed.
According to the CVE-2022-27254 proof-of-concept, the remote keyless systems in various Honda vehicles send the same unencrypted RF signal for each door-open, door-close, boot-open and remote-start (where applicable) request. This allows an attacker to eavesdrop on the request and launch a replay attack.
This vulnerability allows an attacker in the vicinity to unlock the car and start the engine from a short distance away.
This attack involves the threat actor capturing the RF signal sent from the key fob to the car and retransmitting that signal to control the car’s remote keyless entry system.
From Wireless Unlock to Keyless Engine Start
Researchers have disclosed a vulnerability that could allow a nearby attacker to unlock some Honda and Acura models and start the engine wirelessly.
This vulnerability, tracked as CVE-2022-27254, is a man-in-the-middle (MitM) attack, or more specifically a replay attack, in which an attacker intercepts the RF signal normally sent from a remote key fob to the car, manipulates that signal, and resends it later to unlock the car at will.
A video released by the researchers also shows the remote engine start aspect of the flaw, but no technical details or proof-of-concept (PoC) exploit code is available at this time.
Vehicles affected by the bug primarily include 2016-2020 Honda Civic (LX, EX, EX-L, Touring, Si, and Type R) vehicles.
I shared on the GitHub repository that it is possible to manipulate and resubmit a captured command and get a completely different result.
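To make the receiver-side difference concrete, the following added example (not code from the researchers or from Honda) models a receiver that accepts one static frame per command, as the article describes, next to a generic counter-plus-MAC receiver that rejects both replayed and altered frames. The frame layout, key, command bytes and class names are all constructed assumptions for illustration and do not represent any real key fob protocol.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"  # constructed shared secret, illustration only
TAG_LEN = 8                    # truncated MAC length, an assumption

class FixedCodeReceiver:
    """Models the reported flaw: each command is one static frame."""
    CODES = {b"\xA1\x01": "unlock", b"\xA1\x02": "lock"}  # constructed values

    def handle(self, frame):
        return self.CODES.get(frame)

def make_frame(command, counter, key=KEY):
    """Fob side: command byte + 32-bit counter + MAC over both."""
    body = command + struct.pack(">I", counter)
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]

class CounterMacReceiver:
    """Generic mitigation: authenticate the frame, accept each counter once."""
    WINDOW = 16  # how far ahead the fob counter may run (missed presses)
    COMMANDS = {b"U": "unlock", b"L": "lock"}

    def __init__(self, key=KEY):
        self.key, self.last = key, 0

    def handle(self, frame):
        if len(frame) != 1 + 4 + TAG_LEN:
            return None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):
            return None  # altered command or counter
        counter = struct.unpack(">I", body[1:])[0]
        if not self.last < counter <= self.last + self.WINDOW:
            return None  # replayed (stale) or implausibly far ahead
        self.last = counter
        return self.COMMANDS.get(body[:1])

def demo():
    fixed, rx = FixedCodeReceiver(), CounterMacReceiver()
    static = b"\xA1\x01"                      # same frame on every press
    first, second = make_frame(b"U", 1), make_frame(b"U", 2)
    altered = b"L" + second[1:]               # command byte changed, MAC stale
    return ([fixed.handle(static), fixed.handle(static)],
            [rx.handle(first), rx.handle(first),
             rx.handle(altered), rx.handle(second)])

if __name__ == "__main__":
    print(demo())
```
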