[HN Gopher] Replay-based attack on Honda and Acura vehicles
___________________________________________________________________
Replay-based attack on Honda and Acura vehicles
Author : FridayoLeary
Score : 234 points
Date : 2021-08-30 13:13 UTC (9 hours ago)
| rootsudo wrote:
| This has been known in the automotive/security world forever, you
| can google replay attacks and people demonstrate this.
|
| German cars do have a rolling code, especially BMW with EWS2
| around 1996, and it's a nicely documented system to break.
|
| With that said, it would be fun to dump older car firmware to see
| how simple the security was, previous to 1996, most cars' ECU
| firmware was literally on EPROMs.
|
| There are also communities and such dedicated to bypassing this,
| not for theft but for engine swapping and car modification -
| having an annoying security system that can disable the starter
| or fuel pump sucks when you engine swapped your car.
| josefx wrote:
| As far as I understand even physical car keys tended to be on
| the low end. With a decent chance that you could find a
| different car by the same manufacturer that you could at least
| unlock with your key.
| mikestew wrote:
| When I was an auto mechanic back in the days before key fobs,
| I'd driven the wrong car into the bay...twice, that I recall.
| I even changed the oil on one of those cars, when it was in
| for a brake job. It was the _other_ blue '85 Chevy Malibu
| that needed the oil change.
| quercusa wrote:
| Someone once drove my car away from the SJ airport lot as a
| favor for his friend, who was quite surprised to be picked up
| in someone else's blue Camry.
| arno_v wrote:
| Yeah a friend of mine had that. Almost drove away in the
| wrong car, luckily he noticed "weird CDs" lying around.
| fisherjeff wrote:
| Old Subaru by any chance...?
| throwaway0a5e wrote:
| Literally any vehicle with a worn out ignition cylinder
| from 100k of keys hanging off of it.
| knodi123 wrote:
| Barely on topic, but I accidentally stole a bike due to this
| issue. Somebody parked their bike in the same rack, same
| model, same color, same brand of lock, and my key popped it
| right open. About halfway home I finally realized why the
| seat felt funny. Drove back and swapped it with my own, I
| hope nobody noticed.
| moepstar wrote:
| Fun-fact: you can lock any Ford with a 6-sided key (not sure
| what those are called) of your Ford...
| jaywalk wrote:
| Funner-fact: you can lock any car that's unlocked by
| opening up the door and locking it.
| grimmdude wrote:
| Many older cars require you to hold the handle up while
| you close the door to prevent you from accidentally
| locking yourself out.
| rootusrootus wrote:
| Not my Bolt. Even if the key is nowhere on your person or
| in the car, it steadfastly refuses to let you lock the
| door that way. If you push the lock button while the door
| is open, it immediately unlocks it for you.
|
| It would make sense to do that if it detected the fob
| inside the car. But it does it no matter what.
| doubled112 wrote:
| If you lose your keys, you can't lock the car up and come
| back with the spare?
|
| That's not a feature.
| dharmab wrote:
| Your spare would be your cell phone app.
| rootusrootus wrote:
| I agree, it's not a feature. It's annoying.
| hunter2_ wrote:
| I agree, but realistically the car is already locked when
| you lose your keys, assuming you lock your car when you
| leave it. An exception would be, say, dropping your keys
| down a storm drain after getting out and before walking
| away, but even this is becoming unusual as more cars have
| push-to-start and capacitive exterior touch areas such
| that your key is _always_ in your pocket.
| serf wrote:
| Most modern cars will not let you do this, to prevent
| accidental car-on-while-locked or locked-keys scenarios.
| mikestew wrote:
| My '82 Honda didn't work that way (it would pop the lock
| open again when the door was closed), I'd be surprised if
| anything modern still worked in such a manner (nothing I
| own does).
| btgeekboy wrote:
| Why bother with a key?
|
| > To lock all doors, with the driver door closed, press and
| hold 7*8 and 9*0 at the same time. You do not need to enter
| the keypad code first.
|
| https://www.ford.com/support/how-tos/keys-and-
| locks/securico...
| testplzignore wrote:
| I used to drive a Nissan whose doors would unlock when you
| closed a door - I'm not sure if it was intentional or not.
| But I found I could also trigger the unlocking mechanism by
| punching the outside of the door at just the right spot. Very
| useful for when ice would get in the locks.
| throwaway0a5e wrote:
| It was intentional. It's so you can't lock your keys
| inside.
| MisterTea wrote:
| The key from a 2001 GMC Savannah opened the doors of our 2002
| Chevy Express (same van model, different badges). Though the
| Express key could not open the Savannah. Neither key worked in
| the other's ignition lock.
| cafard wrote:
| Long ago, I unlocked the wrong VW Rabbit, and was briefly
| surprised when I couldn't start it. More recently (last dozen
| or so years) the NY Times Sunday Magazine had a short piece,
| something like "Dude, Where's Your Car", about a woman
| actually driving off with the wrong car, and having to
| arrange its return to the owner.
| sandworm101 wrote:
| It also really sux when you have to repair those security
| systems. I honestly would forgo the entire encryption fob thing
| in favor of a decent mechanical key for starting the car. Sure,
| they can be bypassed, but if someone is under your hood
| crossing wires then you have bigger problems.
|
| Or better yet, an S&G digital safe lock. If it is good enough
| for missile launch codes it is good enough for my civic.
| Replacing an S&G lock body is far cheaper than any car
| immobilizer.
| numpad0 wrote:
| 00000000 was good enough to secure nukes for a long time[1]
|
| 1: https://arstechnica.com/tech-policy/2013/12/launch-code-
| for-...
| xur17 wrote:
| I stopped carrying my keyfob a few years ago, and just use
| the mechanical key - mainly because I hate how huge it is,
| but now I'm starting to think it was a good idea.
| Johnny555 wrote:
| I really like the convenience of keyless entry, I keep my key
| in my backpack and like being able to walk up to the car,
| have it automatically unlock when I grab the door handle,
| then I just get in and press "start", and it's ready to go.
| Then when I get to work, I just grab my backpack and walk
| away and I know the car will lock behind me. I don't _want_
| to move back to a physical key.
|
| That convenience shouldn't have to be traded for the huge
| vulnerability of allowing replay attacks.
| irq-1 wrote:
| A digital keypad and a phone based system would be best. Apps
| can be updated for security, and the car's firmware can be
| updated via the app too. The keypad means even if a purse is
| stolen with the phone and keys in it, you can still start
| your car.
| dharmab wrote:
| Ford has keypad entry on a number of models, for example.
| meowster wrote:
| If someone wants to get in via the keypad, there is a
| list [0] that was mentioned on HN [1]. The list is 3129
| numbers, which if pressed in sequence, will eventually
| open the door because all of the possible code
| permutations are contained in that sequence.
|
| [0] https://everything2.com/index.pl?node_id=1520430&disp
| laytype...
|
| [1] https://news.ycombinator.com/item?id=7622165
| Johnny555 wrote:
| If they can't secure their own keyfob, I'd be worried that
| a phone app will open a remote vulnerability.
|
| My car has an optional subscription that would let me
| unlock it with my phone -- I didn't sign up for that
| subscription, but I bet that it's active on the car's side
| and if there's a remote vulnerability, it's exploitable
| whether I've signed up for it or not.
| matthewdgreen wrote:
| The news here _is the fact_ that this very old and well-known
| attack works on cars in the 2020/2021 model years. This is
| pretty surprising, since the appropriate countermeasures have
| been widely-deployed even in inexpensive cars for well over a
| decade. Modern "keyless" vehicles have largely moved on to
| dealing with relay attacks, which is at least a more
| challenging class of attack than this one.
| formerly_proven wrote:
| Honestly keyless go is a clusterfuck. Cars are getting stolen
| all over the place. Police say to wrap keys in tinfoil.
|
| It's not particularly obvious why insurers don't seem to
| care, though there have been some rulings where they didn't
| need to pay because stealing a car like this wasn't
| technically stealing under the insurance policy.
| throwaway0a5e wrote:
| Insurers don't care because vulnerability can be predicted
| by make/model/year so they a) can readily predict how much
| they'll pay out, are all saddled with the same cost
| increase (per vulnerable vehicle) and are free to pass that
| on to customers knowing that the competition has to do the
| same so they won't be undercut. Basically they don't care
| because the cost passes right through them with minimal
| friction in this case.
| avidiax wrote:
| That assumes a static level of exploitation. If criminal
| gangs decide that Honda/Acura is the low-hanging fruit
| and ramp up theft of these vehicles, the insurance
| companies will have to react with increased insurance
| costs, which will put pressure on the manufacturers since
| it raises TCOO.
| jdavis703 wrote:
| Insurance renews every 6 or 12 months. At least in the US
| criminal gangs are fairly decentralized, so it seems
| insurance companies are on somewhat even ground with any
| shift in crime patterns.
| kook_throwaway wrote:
| >though there have been some rulings where they didn't need
| to pay because stealing a car like this wasn't technically
| stealing under the insurance policy.
|
| Link? This seems so wild.
| hunter2_ wrote:
| I'm guessing it's because the key has to be present for a
| relay (not replay) attack, so it's analogous to the way
| "card present" shifts some of the liability in payment
| card fraud? Pretty wild that the authorized user should
| know to protect against key fob relays though.
|
| Fun fact: they usually go to sleep (i.e., way more
| battery life) based on an accelerometer detecting no
| motion, because legitimate use would always be hand-held.
| To take advantage, put it on a table or hook (but not too
| close to your front door, perhaps) instead of keeping it
| in your pocket while home.
| bane wrote:
| I took a class on SDRs one time and replay attack against a
| Honda was one of the toy examples they used as homework.
| RyJones wrote:
| I'm not shocked. I went spelunking [0] in my Honda's head unit
| and found only terrible things.
|
| [0]:
| https://gist.github.com/ryjones/73739f6a7e662b9ed9ba64d9141f...
| wallaBBB wrote:
| Honda (and any well established OEM) has rolling code on their
| newer models for sure. There are 2 scenarios possible here
| regarding this article.
|
| 1st - message is recorded while key is outside of the vehicle
| range. Rolling Code does not help here since the vehicle never
| received the original signal from the key. The point of rolling
| code is that same signal cannot be used twice to open the
| vehicle. There is no protection against this with unidirectional
| RF keys, but it requires physical access to the key and your
| recorded message needs to be the first one sent to the vehicle.
|
| 2nd - it's fake. This I say because the key gets out of the frame
| in the video when the signal is replayed...
| mkj wrote:
| With rolling codes, if you (or a toddler) press your remote
| button too many times while out of range of the car, will the
| remote and car get out of sync? More than 60 or 255 presses or
| something like that?
|
| I guess there must be a mechanism for the car to resync somehow?
| dharmab wrote:
| There's a sync procedure using the physical key.
| wallaBBB wrote:
| Depending on the type of the key - those with passive functions
| do it usually every time you press the engine start button,
| while classical key - once you put the key (physical blade) in
| the lock to start the car.
| avidiax wrote:
| Presumably the keyfob transmits a generation number, so the car
| just needs to see that the keyfob code is e.g. 187 ahead of its
| number, and then do a trial roll forward. If it matches, it
| retains the new generation and secret state, and if not, it
| retains the old.
| xur17 wrote:
| Has anyone else verified this? I'm shocked to the point of
| disbelief that this would be a thing in a car manufactured in
| 2020.
| waterside81 wrote:
| Yup. A Land Rover was stolen right near my house in broad
| daylight and I live in a very good neighbourhood. Cops came by
| and asked me if I had home cameras, but they explained to me
| this is very common. High-end SUVs are targeted and this is run
| by organized crime. Cars are overseas within days to be
| resold.
|
| The thief just hangs around the target, waits for the fob to be
| used, clones the signal and can steal the car within 3 minutes.
|
| The problem is so pervasive that Land Rover offers discounts to
| previous customers who are victims of theft:
|
| https://www.landrover.ca/en/ownership/protection-program/veh...
| kjkjadksj wrote:
| In the US it seems like theft of parts is a lot more popular.
| Things like wheels, light housings, and catalytic converters
| are especially popular. Getting a car out of the country is a
| lot harder when you don't share land borders with Eastern
| Europe. When people steal cars they usually only use it for
| as long as it takes to commit another crime. A lot of the car
| chases are with stolen cars so police have no clue who is
| inside since running plates returns the owner.
| 29083011397778 wrote:
| GP's link is to landrover.ca, implying Canadian origin - a
| country which does not share land borders with Eastern
| Europe. By the time a group is big enough to be fencing
| cars overseas, I wouldn't be so quick to discount their
| ability to move through a seaport.
| oauea wrote:
| Don't even need to hang around. Just plant a small official
| looking box near a car or hide it in the bushes or something.
| Easy.
| xur17 wrote:
| The wifi pineapple equivalent of this would be a device
| that records all signals sent, filters it for unlock and
| start car commands, and then allows you to just bulk replay
| each set back until cars start.
|
| You could effectively leave it in the bushes at a work
| parking lot, come back the next day, and unlock + start all
| of the cars with keyfobs that were present the day before.
| quadyeast wrote:
| Does this attack work if you do not push any of the key fob
| buttons i.e. if you unlock the car by touching the front door
| handle with the key in your pocket; starting the car by pushing
| the engine start button with the key in your pocket?
| baking wrote:
| This is my question. I've been keeping my key fob in a faraday
| box for almost a year because I heard that keyless entry and
| keyless start can be pinged during a night-time drive-by when
| the owner is likely to be home.
|
| Obviously not a replay attack, but still seems to be a huge
| vulnerability.
| aaronbeekay wrote:
| I work at a major American automotive OEM on entry and
| starting systems. Yes, many passive-entry/passive-start
| systems (like those that use door handle sensors to trigger
| an unlock) are vulnerable to relay attacks. Relay attacks are
| separate from replay attacks, as you note.
|
| Relay attacks on keyfobs seem to be much more common in the
| UK than in the US. Some manufacturers now include
| accelerometers in their keyfobs to mitigate the risk, as one
| of the most common attacks is stealing a vehicle out of a
| driveway when somebody has left their keys on a hook inside
| the house. With an accelerometer in the keyfob, it will
| refuse to authorize starting if it hasn't been jostled
| recently.
| aidenn0 wrote:
| In the US, I've seen relay attacks used to steal items from
| cars rather than the cars themselves. Either because police
| follow up much more vigorously on theft of cars vs petty
| theft of things in cars, or because it's harder to convert
| a stolen car to cash than it is to convert the stuff in it
| (which might even _be_ cash) to cash.
| dharmab wrote:
| > "Honda" in Japanese translates to "Original Rice Patty"
|
| This should be "paddy" rather than "patty". Note that Honda is a
| family name (after founder Soichiro Honda).
| Clewza313 wrote:
| "Rice Paddy" is also redundant, since the English paddy comes
| from the Malay _padi_ , "rice plants".
|
| And while "original rice paddy" is a correct if painfully
| literal translation, something like "Mainfield" probably
| captures the essence better. In Japanese, a field defaults to
| rice and there's a separate word (畑 _hatake_ ) for non-rice
| fields, with a little fire radical 火 added to the rice field
| 田 to show that this is a burned (dry) field instead of a
| wet one.
| hunter2_ wrote:
| Unrelated: https://paddynotpatty.com/
| arein3 wrote:
| Very hard to believe that this was not fixed 20 years ago
| tersers wrote:
| For years Honda has known the door lock mechanism is trivial to
| bypass and they haven't fixed it, so I'm not surprised.
| tyingq wrote:
| This sucks, of course, but the alternative has downsides as well.
| Volvo, for example, has rolling codes. But, if you lose your
| keys/fob the car has to be present to make new ones. At $500+
| each.
| zelon88 wrote:
| Which is desirable because that's how keys do their job.
|
| How is Volvo's system functioning properly considered a
| downside? You're saying that having a security system that
| downright does not work is comparable to a security system that
| actually works and prevents unauthorized entry to the vehicle
| because the former is more convenient to circumvent than the
| latter?
| tyingq wrote:
| It doesn't need to cost $500+ per key. The monopoly it
| creates on key replacement is what enables that. It doesn't
| cost Volvo that much...the markup is crazy. It's especially
| pronounced for used cars, where it's common to only get 1 key
| with the car.
|
| (Though it's funny that you decided the security was the part
| I felt was a downside.)
| ggerganov wrote:
| Here is a similar attack using HackRF:
|
| https://www.youtube.com/watch?v=JomewN_1OdE
| wallaBBB wrote:
| This one is significantly different, here the fob is pressed
| outside the vehicle range, and then the signal is replayed in
| vehicle range.
|
| Rolling Code does not help here since the vehicle never
| received the original signal from the key. Thus it is for the
| first time played to the vehicle, and no rolling code increment
| is expected compared to the key's initial rolling code value.
|
| The point of rolling code is that same signal cannot be used
| twice to open the vehicle.
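As an added illustration (not from the thread or the linked repository), the following toy model shows the rolling-code behaviour wallaBBB and avidiax describe above: a replay of a code the car already heard is rejected, a code captured while the fob was out of range is accepted once because the car never saw it, and too many missed presses push the fob past the acceptance window until a resync. The counter-plus-MAC scheme, the window size and the resync procedure are assumptions for the demo, not any vehicle's real protocol.

```python
import hashlib
import hmac

# Constructed shared secret for the demo; a real fob/vehicle pair provisions its own.
SHARED_KEY = b"constructed-demo-key-not-real"
WINDOW = 16  # how far ahead of its last-seen counter the car will accept (assumption)


def make_code(key: bytes, counter: int) -> bytes:
    """Fob-side code: a 4-byte counter plus a truncated MAC over it (toy model)."""
    mac = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:8]
    return counter.to_bytes(4, "big") + mac


class Fob:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def press(self) -> bytes:
        """Every press advances the counter, whether or not the car hears it."""
        self.counter += 1
        return make_code(self.key, self.counter)


class Car:
    def __init__(self, key: bytes, window: int = WINDOW):
        self.key = key
        self.window = window
        self.last_seen = 0

    def receive(self, code: bytes) -> bool:
        """Accept only an authentic code whose counter is ahead of the last one heard."""
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False  # forged or corrupted
        if counter <= self.last_seen:
            return False  # already used (or older): classic replay is rejected
        if counter > self.last_seen + self.window:
            return False  # too far ahead: fob and car are out of sync
        self.last_seen = counter
        return True

    def resync(self, code: bytes) -> bool:
        """Models the physical-key / dealer sync step (assumption): adopt any
        authentic counter as the new baseline, regardless of the window."""
        counter = int.from_bytes(code[:4], "big")
        if not hmac.compare_digest(code, make_code(self.key, counter)):
            return False
        self.last_seen = counter
        return True


def scenario() -> dict:
    """Walk through the cases discussed in the thread and return each outcome."""
    fob, car = Fob(SHARED_KEY), Car(SHARED_KEY)
    results = {}
    # 1. Normal press in range: the car hears it and advances its counter.
    c1 = fob.press()
    results["first_press"] = car.receive(c1)
    # 2. Replaying that same code: counter is no longer ahead, so it is refused.
    results["replay_of_heard_code"] = car.receive(c1)
    # 3. Press while out of range: the car never heard c2, so a recording of it
    #    still looks fresh and is accepted, but only once.
    c2 = fob.press()
    results["out_of_range_capture"] = car.receive(c2)
    results["out_of_range_capture_again"] = car.receive(c2)
    # 4. Forty presses in a drawer: the next real press is beyond the window
    #    and is refused until the fob is resynced.
    for _ in range(40):
        fob.press()
    c3 = fob.press()
    results["after_many_missed_presses"] = car.receive(c3)
    results["resync"] = car.resync(c3)
    results["press_after_resync"] = car.receive(fob.press())
    return results
```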
| shadilay wrote:
| What is the handheld SDR and where can I buy one?
| yborg wrote:
| And how much does it cost... if this is cheap, it seems that
| insurance rates on Honda/Acura vehicles are about to increase.
| freeplay wrote:
| Looks like a HackRF. About $350 + knowledge of how to use it
| and leverage the attack.
| meatmanek wrote:
| The HackRF or similar SDR is useful for creating a
| prototype, because they work across many frequencies and
| can modulate and demodulate essentially any modulation
| scheme in software.
|
| Once you know that it's, say, 9600 baud FSK at 433MHz, you
| can buy a transceiver IC for a few dollars that can send
| and receive that frequency and modulation, and drive it
| with a microcontroller.
|
| I wouldn't be surprised if we start seeing such devices on
| AliExpress for $10 within a year or so.
| caterama wrote:
| Can you comment or recommend any resources on the legality
| of owning a PortaPack H2 in the US? (eg. is an Amateur
| Radio License required?)
| j_walter wrote:
| New PortaPack H2 And HackRF One SDR Software Defined Radio
| (check Banggood)
|
| Looks like maybe a custom case, but 99% sure it's this hardware
| that has been customized.
|
| edit: Actually you can find the exact model they are using on
| eBay...just google the first line of text in this comment.
|
| edit: ok, direct link
| https://www.ebay.com/itm/224339096828?chn=ps&mkevt=1&mkcid=2...
| post_break wrote:
| Ford has a key cloning issue too. Focus and Fiesta STs are prime
| targets in the UK to the point where you'd be crazy not to remove
| or lock the OBDII port on those vehicles. Luckily it's not as bad
| in the states. Criminals can clone a key in about 30 seconds with
| special tools.
| h2odragon wrote:
| "Vehicle ignition" should be a physical switch with 3 wires, and
| that's it. _I_ don't want anything more complicated... perhaps
| put a relay inline if some other system _really_ needs a kill
| switch.
|
| Is a keyfob / "remote start" / "added security" _really_ worth
| the trouble? How many people buy these things when it's an option
| they have to wait for vs something already there to bulk up the
| price?
| jen20 wrote:
| Remote start is very useful in climates which require either
| the heater or AC to run before a car is comfortable to sit
| inside.
| cestith wrote:
| Remote start is a safety issue, not just a security one. It
| doesn't take much to imagine replaying the start command while a
| vehicle is in an attached garage.
|
| Remote unlock is a safety issue for assaults.
|
| Thankfully according to https://owners.honda.com/Linked-
| Content/PDF/RemoteEnginestar... the remote engine stop doesn't
| work if the engine was started with the ignition key rather than
| the remote.
| ashtonkem wrote:
| I agree about the remote start, but I'm dubious about the
| remote unlock being an issue for assaults in practice. I think
| if someone is planning to violently attack someone, going
| through the window is going to be the most common path taken.
|
| It's like home invasions. Perhaps someone might pick your weak
| lock or hack your smart lock, but in practice they usually just
| break a window or kick the door in.
| oauea wrote:
| Imagine being able to come up to anyone, open their car door,
| shove them over into the passenger seat while threatening
| them with a gun, start the car and drive away. Could probably
| do this in a busy street without anyone noticing.
| sudhirj wrote:
| You'd have to stalk them first when they opened and started
| the car earlier. This is a replay attack, you need to be
| around to record the original.
| oauea wrote:
| Should be easy enough to do in a shopping mall. Maybe
| plant a few recording devices around the parking lot and
| replay all of them, if you want to get extreme.
| ashtonkem wrote:
| It's possible, but not likely. You're describing a very
| sophisticated attack for a violent crime, especially
| since the typical attack involves nothing more
| complicated than a sawed off shotgun pointed at the
| driver.
|
| It should still be fixed, but this strikes me as
| something that's more likely to be used by a state or
| quasi-state level actor to take out a high value target
| more than something that'll be used to randomly assault
| people at the mall.
| sudhirj wrote:
| Yeah, it seems more like a mission impossible or heist
| movie plot device than a common crime.
| kjkjadksj wrote:
| You can do that right now with any car on the road. Guns
| break windows easily and people aren't going to risk their
| lives for a set of keys, they will let you have the car and
| whatever else.
| markbnj wrote:
| Fwiw, on current Hondas the engine will only run for a set
| period, I believe 10 mins, unless the fob is used to reset the
| timer or the driver enters the cabin with the fob and presses
| the brake and start button.
| serjester wrote:
| I own a 2020 Honda and I wish this was true. I have left the
| car on for 8+ hours before while being miles away. I'm in
| shock this wasn't addressed and it's my biggest gripe in the
| car.
| markbnj wrote:
| I own a 2021 Honda and it definitely shuts off after 10
| mins for me.
| 29083011397778 wrote:
| For remote start, my 2018 Civic shut off after ~10 minutes.
| According to the sibling comment, their 2021 was similar.
| Did you have an aftermarket remote start, or was it started
| using the actual ignition switch in the car in your case?
| vdqtp3 wrote:
| > Remote unlock is a safety issue for assaults.
|
| Remote unlock actually doesn't work on [most?] Honda vehicles
| if the engine is running.
| csharptwdec19 wrote:
| The issue with remote unlock is that someone can enter the
| vehicle while it is off and wait inside.
| nomel wrote:
| > while a vehicle is in an attached garage.
|
| Carbon monoxide being present is an _assumption_ in the
| perspective of the building codes. This is why attached garages
| must have ventilation to outside, doors with gaskets, etc.
| There's some danger, but the codes were made for the case where
| people forget and leave their car running, which isn't all that
| uncommon.
| aidenn0 wrote:
| Lots of houses aren't up to code. I bought a house with an
| in-wall AC venting from a bedroom into the garage, no gaskets
| on the door to the house, and a workbench built over the
| venting to the outside. I fixed those; contractor said that
| all 3 was somewhat uncommon, but any one of those isn't that
| uncommon.
| nomel wrote:
| I agree that this can be a problem. I disagree that it
| would be a problem of any significance.
| wallaBBB wrote:
| Both Lock and Remote Engine Start are considered as safety
| relevant in automotive.
___________________________________________________________________
(page generated 2021-08-30 23:02 UTC)