Honda hack can unlock and start your car — what you need to know

A person unlocking a Honda car using a key fob
(Image credit: emirhankaramuk/Shutterstock)

Security researchers have found a new way to remotely unlock and even start many Honda car models by stealing codes from an owner’s key fob.

The newly discovered bug, dubbed “Rolling-PWN”, has been detailed in a new blog post from Star-V Lab. In order to exploit it, though, an attacker would first need to wirelessly steal the codes from a Honda owner’s key fob. However, this can be done from almost 100 feet away.

Once these codes are saved, they can be reused later to unlock older vehicles or to remotely start newer ones without an owner’s knowledge. Rolling-PWN has also been tested by Rob Stumpf from The Drive who used the bug to unlock and start his Honda.

Fortunately, the bug can’t be used by an attacker to drive off with your Honda as they would need the actual key fob in hand to do so.

Static codes vs rolling codes

Regardless of which make or model of car you have, your key fob is actually a tiny radio that sends codes to your vehicle to unlock/lock it or even to start newer car models. 

While older vehicles use static codes that don’t change, newer cars use rolling codes that change each time the key fob is pressed. Rolling-PWN works by capturing static codes and then replaying them to gain access to a vulnerable car. 

This isn’t the first time that Honda’s key fobs have been used in this way. In fact, a vulnerability in Honda Civic 2012 vehicles (tracked as CVE-2021-46145) allows codes to be replayed to unlock them and this also the case with a separate vulnerability (tracked as CVE-2022-27254) in Honda Civic 2018 vehicles.  

A Honda spokesperson provided further details in an email to Tom’s Guide, saying:

“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours. However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”

Not just Hondas 

In their initial report on the matter, security researchers Kevin2600 and Wesley Li from Star-V Lab explained that this same bug may exist in other automaker’s vehicles which is why they dubbed it Rolling-PWN instead of just Honda-PWN.

Still though, the researchers successfully tested the bug out on 10 of the most popular Honda vehicles from 2012-2022, including the following models:

  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda C-RV 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

They also have reason to believe that the vulnerability affects other car manufacturers with plans to release more details at a later date.

Older Honda driving on a road next to the sea

(Image credit: Kushan Pancholi/Unsplash)

A fix likely isn’t coming for older models

Owners of older Honda vehicles may be out of luck when it comes to a fix as they don’t support over the air (OTA) updates.

The company may roll out a patch for newer model cars that will be delivered wirelessly but as older cars lack the capacity to receive these updates, they’ll likely still be vulnerable to Rolling-PWN.

Thankfully, this hack requires sophisticated equipment and some technical know-how which means that replicating it won’t be possible for everyone. However, you may want to keep a closer eye on your vehicle, install one of the best dash cams and use your keys as opposed to your key fob to unlock your car in the meantime.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
Cars on the road with blue overlay indicating what data may be contained about the drivers within
Millions at risk due to severe security flaw in license plate readers
Eight Sleep Pod 4 Ultra with head raised in beige bedroom
Eight Sleep smart beds reportedly have a secret backdoor that can be accessed remotely — everything you need to know
Hacker typing on laptop in darkened room
Hackers create "BRUTED" tool to attack VPNs – how to stay safe
and image of the Google Chrome logo on a laptop
Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe
A hacker typing quickly on a keyboard
Hackers can steal your accounts, and all it takes is a double-click — don’t fall for this new form of clickjacking
Latest in Online Security
A picture of a skull and bones on a smartphone depicting malware
Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
An FBI agent typing on a computer
FBI issues warning to millions of Americans to avoid these websites that can steal your passwords and banking info
A hacker typing quickly on a keyboard
New MassJacker malware is hijacking digital wallets to steal large sums from users
iPhone 15 Pro Max shown in hand
5 iPhone settings you should always shut off — because they’re a security nightmare
A woman using her laptop securely with a cup of coffee in hand
5 common mistakes people make when shopping for antivirus software
Latest in News
Chromecast with Google TV connected to display
Google finally pushes out full Chromecast fix for users who factory reset — here’s what to do
A picture of a skull and bones on a smartphone depicting malware
Hundreds of malicious Android apps with 60 million downloads found spamming Android users with ads and stealing credentials
Switch 2 console and logo
Nintendo Switch 2 rumor just tipped possible release date — and it's much sooner than we thought
Hacker typing on laptop in darkened room
Hackers create "BRUTED" tool to attack VPNs – how to stay safe
Malware
Dangerous new password-stealing trojan automatically reinstalls itself on infected PCs
(L-R) Mark Eydelshteyn as Vanya and Mikey Madison as Anora "Ani" Mikheeva in "Anora"
Hulu top 10 movies — here's the 3 you need to stream right now