*Note to visitors. I was banned from presenting my research due to the fact that I defended myself against bullying and harrassment. I apologize for my behavior to anyone involved, though I want to be clear that I feel great heartbreak after hearing this news. This is the original discoverer and yet many others have claimed that they themselves discovered this issue first, or claimed that they worked with me. This was purely on my own. Any article you read about me working with others is lying. I was never interviewed by anyone. Anyone that requested to interview me didn't respond to my response email. Many people have treated me with kindness, though many others have treated me with disrespect. We are all equal in this community, in my eyes.
Unfortunately due to this incident, I will be pulling all of my present research from Github and scraping my cyber security presence from the web. I will no longer collaborate with others nor will I answer questions. I have been stolen from and harrassed to no end and on top of that I have lost many great opportunites because of the fact that I chose to defend my character in a group setting where I was being picked on.
Love to all supporters. This is the last remaining repository. Goodbye.*
demo.mp4
Unoriginal-Rice-Patty
"Can you believe that a low-quality garage door has better security than a Honda?"
"Unoriginal-Rice-Patty" is my personal title for the Replay-based attack on Honda and Acura vehicles "Honda" in Japanese translates to "Original Rice Patty". While a cute fact, this attack is not cute and not original, hence the name
This is for educational purposes only. I am in NO WAY liable for any actions executed by means of the contents within this repository. PLEASE use responsibly.
This attack seems to affect EVERY Honda/Acura vehicle with remote/wireless radio entry. Honda does NOT ever institue a rolling code system and ONLY manufactures systems with static codes meaning there is NO layer of security.
Summary:
A hacker can gain complete and unlimited access to locking, unlocking, controlling the windows, opening the trunk, and starting the engine of the target vehicle where the only way to prevent the attack is to either never use your fob or, after being compromised (which would be difficult to realize), resetting your fob at a dealership.
The Attack:
Simply capturing the signal sent from a FOB is enough to gain at least some control of the vehicle. If the target locks their vehicle, all it takes is receiving it and saving it for me to gain the ability to replay the same command and have the vehicle respond accordingly.
Recording the "unlock" command from the target and replaying (this works on most if not all of Honda's produced FOBs) will allow me to unlock the vehicle whenever I'd like to, and it doesn't stop there at all On top of being able to start the vehicle's ENGINE Whenever I wished through recording the "remote start", it seems possible to actually (through Honda's "Smart Key" which uses FSK) demodulate any command, edit it, and retransmit in order to make the target vehicle do whatever you wish.
For Example: Recording a "lock" command and flipping the following bits:
653-656, 667-668, 677-680, 683-684, 823-826, 837-838, 847-850, 853-854
will tell the vehicle to unlock (These numbers include the preamble)
I discovered this while analyzing the codes with my published Python script, "DiffBits" which is based on Samy Kamkars Perl script of the same name.
Here is the comparison of two "unlock" keys (no preamble):
Here is the comparison of two "lock" keys (no preamble):
Here is the comparison of one unlock, and one lock key (no preamble):
The red text indicates a change in bits. Some can be written off as simple errors in processing the codes, however some are very clearly indicating what action the vehicle must perform.
(Codes processed with URH and were provided by [REDACTED]. Thanks, [REDACTED]!)
CONFIRMED Vehicles (despite the fact that this likely affects them all):
• 2009 Acura TSX
• 2016 Honda Accord V6 Touring Sedan
• 2017 Honda HR-V (CVE-2019-20626)
• 2018 Honda Civic Hatchback
• 2020 Honda Civic LX
The Interesting Part
Honda seemingly ignored CVE-2019-20626 (cited above in the list of confirmed, affected vehicles). They continued to implement 0 security measures against this very simple "replay/replay and edit" attack. This CVE interestingly only cites one vehicle and I only discovered this much later in my pursuit for research. Honda will not respond to me, or seemingly anyone attempting to report this security MAJOR flaw.
How Honda Can Fix This
Honda must implement a "rolling code" system into their vehicles' list of security measures. Rolling code systems have been around since 1995 and work very well against hackers. Honda has seemingly never implemented this security measure, leaving them very far behind in the race toward a secure technological future. As far as I can tell, this isn't easily "patchable". Honda can begin to implement security measures in future vehicles, however it doesn't seem likely that they will go back and fix this security issue in older models.
Epilogue
I am very interested in community feedback! Feel free to contact me with more research, information, or questions!