Light Dark
October 10, 2022 By Sue Poremba 3 min read
Risk Management

As a cybersecurity writer, I’m more aware than the average person of the security risks with any connected device. So when I sat in my new car for the first time and saw all the different ways it linked to my phone or my home WiFi, more than a few red flags went up. I know that as cars get smarter, they become more susceptible to hackers who are searching for any potential vulnerability. One of the most recently announced attack vectors is the key fob for recent model Honda vehicles.

Vehicle vulnerabilities

Most IoT or smart devices were never designed with cybersecurity in mind, but vehicles take that lack of security to a higher level, with piecemeal technologies developed by third-party companies. The same risks found in any connected device are found in a smart car. Threat actors have the opportunity to do almost anything, from stealing personal data to manipulating any of the different systems and sensors in the vehicle. But the most popular attack vector, at least for now, is the wireless key fob.

Tesla cars have made news recently due to several different key-fob-related exploits. For example, a teenager found a vulnerability in an app that controls some basic functions like unlocking the vehicles or flashing the headlights. Meanwhile, a European researcher discovered Tesla’s near field communication (NFC) card that’s used like a key fob can easily be exploited by hackers, all because Tesla provides a 130-second window between unlocking the car and starting the engine.

While Tesla vulnerabilities may get high-profile attention, key fob vulnerabilities are found in vehicles more commonly found in public parking lots, in neighborhood driveways and as part of corporate vehicle fleets.

Rolling-PWN

The key fob attack impacting Honda vehicles is known as the Rolling-PWN. Rolling codes are used to avoid replay attacks, which are man-in-the-middle attacks that are intercepted and re-transmitted as if they are authentic codes. The attack exploits a vulnerability in authentication code transmitted wirelessly between the fob and the vehicle. Whenever the fob button is pressed, there is an increase in rolling codes that are synchronizing. Honda vehicles don’t need the exact codes — instead, the rolling codes fall into a window of codes.

“By sending the commands in a consecutive sequence to the Honda vehicles, it will be resynchronizing the counter. Once [the] counter resynced, commands from the previous cycle of the counter worked again. Therefore, those commands can be used later to unlock the car at will,” according to GitHub.

Even though this vulnerability became news over the summer of 2022, the vulnerability was found in 2012 Honda cars and should be assumed to affect every Honda on the market today.  Whoever has access to these codes has permanent access to unlock the car doors and possibly start the vehicle.
Today, Rolling-PWN appears to only target Honda vehicles, but, like any type of cyberattack, expect any system that uses this type of rolling code technology to be at risk.

Problem of encryption

Key fobs have evolved over the past two decades beyond when their primary purpose was to unlock doors. Depending on the brand and model of the vehicle, the fob offers controls for almost everything – opening windows, remotely starting the engine and defrosting the windshield, just for starters. Many fobs are connected with a smartphone app.

Although the fobs are encrypted, they tend to use symmetric encryption or a single key used by both the device sending the message and the device receiving it. The problem with symmetric encryption is that it can be easily intercepted.

Asymmetric encryption, which uses both a public and a private key, is a much more secure method of code transmission. But as Alan Grau explained in an Electronic Design article, “it can easily use 100X more CPU cycles than symmetric encryption.” It’s too much for systems to handle in a timely manner, so manufacturers default to symmetric encryption and take the risk of the codes being intercepted.

Keeping vehicles safe

Company-owned vehicles aren’t usually under the oversight of CIOs and CISOs, but as more smart vehicles enter the corporate fleet, the cyber risks need to be addressed. While a CISO can’t change the type of encryption used on a key fob, they can take steps to protect the vehicles from cyberattacks.

Specifically for Rolling-PWN, GitHub stated, “the recommended mitigation strategy is to upgrade the vulnerable BCM firmware through Over-the-Air (OTA) Updates if feasible.” Currently, Honda is not conducting a recall on their cars or key fobs to remediate the vulnerability.

Beyond that, smart cars need to be addressed just as any other connected computer system. That includes following basic security practices, such as regular software updates on both the vehicle and any devices connected to the vehicle. That includes WiFi. And because cars need regular maintenance and repairs, only trusted third parties should be allowed access to the vehicle and its hardware. Including – and maybe especially – the key fobs.

 |  |  |  |  |  |  | 
Sue Poremba

More from Risk Management
January 28, 2025

4 trends in software supply chain security

4 min read - Some of the biggest and most infamous cyberattacks of the past decade were caused by a security breakdown in the software supply chain. SolarWinds was probably the most well-known, but it was not alone. Incidents against companies like Equifax and tools like MOVEit also wreaked havoc for organizations and customers whose sensitive information was compromised.Expect to see more software supply chain attacks moving forward. According to ReversingLabs' The State of Software Supply Chain Security 2024 study, attacks against the software…

January 24, 2025

How cyberattacks on grocery stores could threaten food security

4 min read - Grocery store shoppers at many chains recently ran into an unwelcome surprise: empty shelves and delayed prescriptions. In early November, Ahold Delhaize USA was the victim of a cyberattack that significantly disrupted operations at more than 2,000 stores, including Hannaford, Food Lion and Stop and Shop. Specific details of the nature of the attack have not yet been publicly released.Because the attack affected many digital systems, some stores were not able to accept credit/debit cards, while others had to shut…

January 23, 2025

Taking the fight to the enemy: Cyber persistence strategy gains momentum

4 min read - The nature of cyber warfare has evolved rapidly over the last decade, forcing the world’s governments and industries to reimagine their cybersecurity strategies. While deterrence and reactive defenses once dominated the conversation, the emergence of cyber persistence — actively hunting down threats before they materialize — has become the new frontier. This shift, spearheaded by the United States and rapidly adopted by its allies, highlights the realization that defense alone is no longer enough to secure cyberspace.The momentum behind this…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2025 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature