| 1 | 1 | | # CVE-2022-27254 |
| 2 | 2 | | PoC for vulnerability in Honda's Remote Keyless System(CVE-2022-27254) |
| 3 | 3 | | |
| | 4 | + | |
| | 5 | + | # Disclaimer: |
| | 6 | + | *For educational purposes only.* |
| | 7 | + | |
| | 8 | + | ## Summary: |
| | 9 | + | |
| | 10 | + | This is a proof of concept for [CVE-2022-27254](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27254), wherein the remote keyless system on various Honda vehicles send the same, unencrypted RF signal for each door-open, door-close, boot-open and remote start(if applicable). This allows for an attacker to eavesdrop on the request and conduct a replay attack. |
| | 11 | + | |
| | 12 | + | ## POC videos: |
| | 13 | + | [Remote Start](https://user-images.githubusercontent.com/5160055/159138537-2904b448-af1c-4a89-af08-b53a4d77a277.mp4) |
| | 14 | + | |
| | 15 | + | [Door Unlock](https://user-images.githubusercontent.com/5160055/159138551-e9ab24fa-a05c-4fc8-ad1c-f1dcda698bcc.mp4) |
| | 16 | + | |
| | 17 | + | [Door Lock](https://user-images.githubusercontent.com/5160055/159138581-eb844936-9999-4234-a5c0-fa7412df193b.mp4) |
| | 18 | + | |
| | 19 | + | |
| | 20 | + | |
| | 21 | + | ## Vehicles Affected: |
| | 22 | + | |
| | 23 | + | • 2016-2020 Honda Civic(LX, EX, EX-L, Touring, Si, Type R) |
| | 24 | + | |
| | 25 | + | ## Important Notes: |
| | 26 | + | |
| | 27 | + | •Key fob FCC ID: KR5V2X |
| | 28 | + | |
| | 29 | + | •Key fob frequency: 433.215MHz |
| | 30 | + | |
| | 31 | + | •Key fob modulation: FSK |
| | 32 | + | |
| | 33 | + | |
| | 34 | + | ## Tools used: |
| | 35 | + | |
| | 36 | + | •FCCID.io |
| | 37 | + | •HackRF One |
| | 38 | + | •Gqrx |
| | 39 | + | •GNURadio |
| | 40 | + | |
| | 41 | + | |
| | 42 | + | |
| | 43 | + | ## Prevention: |
| | 44 | + | - Manufacturers: |
| | 45 | + | 1. Manufacturers must implement Rolling Codes, otherwise known as hopping code. It is a security technology commonly used to provide a fresh code for each authentication of a remote keyless entry (RKE) or passive keyless entry (PKE) system. |
| | 46 | + | |
| | 47 | + | |
| | 48 | + | - Consumers: |
| | 49 | + | 1. Utilize a Faraday Pouch for the key fob. |
| | 50 | + | 1. Use the PKE as opposed to the RKE, this would make it significantly harder for an attacker to clone/read the signal due to the proximity they would need to be at to do so. |
| | 51 | + | |
| | 52 | + | ⚠️ The precautions mentioned above ARE NOT foolproof ⚠️ |
| | 53 | + | |
| | 54 | + | If you believe that you are a victim of this attack, the only current mitigation is to reset your key fob at the dealership. |
| | 55 | + | |
| | 56 | + | |
| | 57 | + | ## Credits: |
| | 58 | + | |
| | 59 | + | •[HackingIntoYourHeart](https://github.com/HackingIntoYourHeart/) |
| | 60 | + | •[Prof. Hong Liu](https://www.umassd.edu/directory/hliu/) |
| | 61 | + | •[Sam Curry](https://www.linkedin.com/in/currysam) |
| | 62 | + | •[Prof. Ruolin Zhou](https://www.umassd.edu/directory/rzhou1/) |
| | 63 | + | |
| | 64 | + | |
| | 65 | + | ## References: |
| | 66 | + | •https://www.youtube.com/watch?v=1RipwqJG50c |
| | 67 | + | |
| | 68 | + | •https://attack.mitre.org/techniques/T1040/ |
| | 69 | + | |
