If you own a recent Honda, you better get a locking steering wheel device. That’s because a recently published attack allows thieves to start engines and open doors of Honda vehicles using codes from remote keyless entry fobs. All of them. The Honda hack has a name, “Rolling PWN.” We’ll tell you what it is and how you can protect yourself from this form of car theft.

What does this Honda car theft hack do?

The National Vulnerability Database calls the hack a “Counter resynchronization attack” and has assigned it CVE-2021-46145. In its simplest form, the hack allows car thieves to view a previous valid code used from a keyfob. Then, the codes are resent back to the car. This resets the internal pseudo-random number generator or PRNG counter to before the valid code was used. 

In this way, the thieves can replay the series of previously valid sequential codes to open any Honda door. What the hackers need are those older valid keys. For this, they can attach a logging device to the car to collect valid codes. They can also place a logger in the proximity of the Honda. Either way, over the course of a few days, thieves can see the valid codes and replay them to hack the car. 

Who discovered this Honda car theft hack?

Blake Berry and Ayyappan Rajesh originally found the hack, according to BleepingComputer. Capturing codes to re-transmit to do different things was another discovery. By “flipping” and then resending the Lock code, the two researchers were able to unlock a Honda Civic. 

The researchers discovered a similar Honda vulnerability in 2019. It was assigned NVD number CVE-2019-20626. After informing Honda of America, they found that allegedly the company did not institute any security updates or fixes. And the researchers even offered a solution. 

By using “rolling codes,” fresh codes are necessary to fulfill authentication requests. Using older valid codes won’t work. But we understand that 2021 and up Hondas now use rolling codes. 

Can Honda owners stop the hack?

Honda, for its part, has no plan to address the issue. It told BleepingComputer, “Honda has no plan to update older vehicles at this time.” Honda also argues that thieves use other methods to steal cars and that this high-tech approach, which it has not verified, uses sophisticated equipment that most thieves don’t have access to. 

There are ways you can counter key fob vulnerabilities. You can store them in a Faraday pouch which functions as a signal blocker. If you’re buying a new car, you can opt for a Passive Keyless Entry System. With PKE or “smart key,” you are able to lock and unlock doors through close proximity, without having to push the door or keyfob buttons. A hacker would need to be close to the PKE source to record lock or unlock codes.