1 | 1 | | # CVE-2022-27254 |
2 | 2 | | PoC for vulnerability in Honda's Remote Keyless System(CVE-2022-27254) |
3 | 3 | | |
| 4 | + | |
| 5 | + | # Disclaimer: |
| 6 | + | *For educational purposes only.* |
| 7 | + | |
| 8 | + | ## Summary: |
| 9 | + | |
| 10 | + | This is a proof of concept for [CVE-2022-27254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27254), wherein the remote keyless system on various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start(if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack. |
| 11 | + | |
| 12 | + | ## POC videos: |
| 13 | + | [Remote Start](https://user-images.githubusercontent.com/5160055/159138537-2904b448-af1c-4a89-af08-b53a4d77a277.mp4) |
| 14 | + | |
| 15 | + | [Door Unlock](https://user-images.githubusercontent.com/5160055/159138551-e9ab24fa-a05c-4fc8-ad1c-f1dcda698bcc.mp4) |
| 16 | + | |
| 17 | + | [Door Lock](https://user-images.githubusercontent.com/5160055/159138581-eb844936-9999-4234-a5c0-fa7412df193b.mp4) |
| 18 | + | |
| 19 | + | |
| 20 | + | |
| 21 | + | ## Vehicles Affected: |
| 22 | + | |
| 23 | + | • 2016-2020 Honda Civic(LX, EX, EX-L, Touring, Si, Type R) |
| 24 | + | |
| 25 | + | ## Important Notes: |
| 26 | + | |
| 27 | + | •Key fob FCC ID: KR5V2X |
| 28 | + | |
| 29 | + | •Key fob frequency: 433.215MHz |
| 30 | + | |
| 31 | + | •Key fob modulation: FSK |
| 32 | + | |
| 33 | + | |
| 34 | + | ## Tools used: |
| 35 | + | |
| 36 | + | •FCCID.io |
| 37 | + | •HackRF One |
| 38 | + | •Gqrx |
| 39 | + | •GNURadio |
| 40 | + | |
| 41 | + | |
| 42 | + | |
| 43 | + | ## Prevention: |
| 44 | + | - Manufacturers: |
| 45 | + | 1. Manufacturers must implement Rolling Codes, otherwise known as hopping code. It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system. |
| 46 | + | |
| 47 | + | |
| 48 | + | - Consumers: |
| 49 | + | 1. Utilize a Faraday Pouch for the key fob. |
| 50 | + | 1. Use the PKE as opposed to the RKE, this would make it significantly harder for an attacker to clone/read the signal due to the proximity they would need to be at to do so. |
| 51 | + | |
| 52 | + | ⚠️ The precautions mentioned above ARE NOT foolproof ⚠️ |
| 53 | + | |
| 54 | + | If you believe that you are a victim of this attack, the only current mitigation is to reset your key fob at the dealership. |
| 55 | + | |
| 56 | + | |
| 57 | + | ## Credits: |
| 58 | + | |
| 59 | + | •[HackingIntoYourHeart](https://github.com/HackingIntoYourHeart/) |
| 60 | + | •[Prof. Hong Liu](https://www.umassd.edu/directory/hliu/) |
| 61 | + | •[Sam Curry](https://www.linkedin.com/in/currysam) |
| 62 | + | •[Prof. Ruolin Zhou](https://www.umassd.edu/directory/rzhou1/) |
| 63 | + | |
| 64 | + | |
| 65 | + | ## References: |
| 66 | + | •https://www.youtube.com/watch?v=1RipwqJG50c |
| 67 | + | |
| 68 | + | •https://attack.mitre.org/techniques/T1040/ |
| 69 | + | |
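Review bot: The Summary says the issue affects "various Honda vehicles", but Vehicles Affected lists only the 2016-2020 Civic trims; either scope the Summary to the models actually tested or state that other models are untested. A related documentation gap is in the Prevention section: the Summary describes a fixed, unencrypted code per action, so the statement that a dealership reset is "the only current mitigation" should say whether the reset changes the transmitted code, since otherwise readers cannot tell why it helps against a replay. Style: the "•" bullets under Important Notes, Tools used, Credits and References are plain characters rather than markdown list markers, and the Tools used and Credits items have no blank line between them, so they will render as one run-on paragraph; use "- " list items consistently, as the Prevention section already does. Also, "send" should be "sends" in the Summary, and "System(CVE-2022-27254)" and "start(if applicable)" need a space before the opening parenthesis.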