Several Honda vehicles have been unlocked and remotely started by security researchers and The Drive, despite the company's insistence that the cars have security protections meant to stop attackers from doing that. The researchers claim that the hack is possible because of a vulnerability in the Honda keyless entry system. The vulnerability is called Rolling-PWN.
The basic concept for Rolling-PWN is similar to attacks we've seen before used against VWs and other devices, as well as other devices, using radio equipment, and broadcasts it back to the car. If you think that it should be possible to defend against this kind of attack with some sort of cryptography, you are correct. Modern cars use a rolling key system that makes it so that each signal will only work once, and that the exact signal shouldn't ever be unlocked again.
Jalopnik points out that not all recent Hondas have that level of protection. Recent Hondas use an unencrypted signal that doesn't change, which has been found to be a vulnerability. The 2020 CR-V, Accord, and Odyssey may be vulnerable to the recently-uncovered attack. There are videos on Rolling-PWN's website of the hack being used to unlocked rolling code vehicles, and Stumpf was able to pwn a 2021 Accord with the exploit.
Honda told The Drive that the security systems it puts in its cars wouldn't allow a vulnerability to be exploited. The company says the attack shouldn't be possible. The company didn't reply immediately after we asked about The Drive's demonstration.
The system is built to have some tolerances so that it can accept old codes, which is why the attack works. The site says that it affects all Honda vehicles currently on the market, but admits that it has only been tested on a few model years.
The site suggests that other brands of cars are also affected, but it's not clear on the details. If the security researchers are following responsible disclosure procedures, they should reach out to the automakers and give them a chance to address the issue before details are made public. The researchers were told to file a report with customer service after reaching out to Honda.