Honda hack can unlock and start your car — what you need to know

A person unlocking a Honda car using a key fob
(Image credit: emirhankaramuk/Shutterstock)

Security researchers have found a new way to remotely unlock and even start many Honda car models by stealing codes from an owner’s key fob.

The newly discovered bug, dubbed “Rolling-PWN”, has been detailed in a new blog post from Star-V Lab. In order to exploit it, though, an attacker would first need to wirelessly steal the codes from a Honda owner’s key fob. However, this can be done from almost 100 feet away.

Once these codes are saved, they can be reused later to unlock older vehicles or to remotely start newer ones without an owner’s knowledge. Rolling-PWN has also been tested by Rob Stumpf from The Drive who used the bug to unlock and start his Honda.

Fortunately, the bug can’t be used by an attacker to drive off with your Honda as they would need the actual key fob in hand to do so.

Static codes vs rolling codes

Regardless of which make or model of car you have, your key fob is actually a tiny radio that sends codes to your vehicle to unlock/lock it or even to start newer car models. 

While older vehicles use static codes that don’t change, newer cars use rolling codes that change each time the key fob is pressed. Rolling-PWN works by capturing static codes and then replaying them to gain access to a vulnerable car. 

This isn’t the first time that Honda’s key fobs have been used in this way. In fact, a vulnerability in Honda Civic 2012 vehicles (tracked as CVE-2021-46145) allows codes to be replayed to unlock them and this also the case with a separate vulnerability (tracked as CVE-2022-27254) in Honda Civic 2018 vehicles.  

A Honda spokesperson provided further details in an email to Tom’s Guide, saying:

“We can confirm researcher claims that it is possible to employ sophisticated tools and technical know-how to mimic Remote Keyless commands and gain access to certain vehicles or ours. However, while it is technically possible, we want to reassure our customers that this particular kind of attack, which requires continuous close-proximity signal capture of multiple sequential RF transmissions, cannot be used to drive the vehicle away. Furthermore, Honda regularly improves security features as new models are introduced that would thwart this and similar approaches.”

Not just Hondas 

In their initial report on the matter, security researchers Kevin2600 and Wesley Li from Star-V Lab explained that this same bug may exist in other automaker’s vehicles which is why they dubbed it Rolling-PWN instead of just Honda-PWN.

Still though, the researchers successfully tested the bug out on 10 of the most popular Honda vehicles from 2012-2022, including the following models:

  • Honda Civic 2012
  • Honda X-RV 2018
  • Honda C-RV 2020
  • Honda Accord 2020
  • Honda Odyssey 2020
  • Honda Inspire 2021
  • Honda Fit 2022
  • Honda Civic 2022
  • Honda VE-1 2022
  • Honda Breeze 2022

They also have reason to believe that the vulnerability affects other car manufacturers with plans to release more details at a later date.

Older Honda driving on a road next to the sea

(Image credit: Kushan Pancholi/Unsplash)

A fix likely isn’t coming for older models

Owners of older Honda vehicles may be out of luck when it comes to a fix as they don’t support over the air (OTA) updates.

The company may roll out a patch for newer model cars that will be delivered wirelessly but as older cars lack the capacity to receive these updates, they’ll likely still be vulnerable to Rolling-PWN.

Thankfully, this hack requires sophisticated equipment and some technical know-how which means that replicating it won’t be possible for everyone. However, you may want to keep a closer eye on your vehicle, install one of the best dash cams and use your keys as opposed to your key fob to unlock your car in the meantime.

Anthony Spadafora
Managing Editor Security and Home Office

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Read more
A digital license plate on a grey car
Digital license plates can be hacked to avoid tolls, fines and tickets
Find My iPhone
Apple Find My hack turns any Bluetooth device into a secret AirTag — what we know
Cars on the road with blue overlay indicating what data may be contained about the drivers within
Millions at risk due to severe security flaw in license plate readers
Eight Sleep Pod 4 Ultra with head raised in beige bedroom
Eight Sleep smart beds reportedly have a secret backdoor that can be accessed remotely — everything you need to know
Green skull on smartphone screen.
Only 3 of the top 150 Android apps can detect reverse engineering tool Frida — here's why that's bad
and image of the Google Chrome logo on a laptop
Billions of Chrome users at risk from new browser-hijacking Syncjacking attack — how to stay safe
Latest in Online Security
Apple iPhone 16 Plus Review.
Apple just released an emergency security update for a flaw used in an ‘extremely sophisticated attack’ — update your devices right now
A person trying to set up a new Wi-Fi router
Thousands of TP-Link routers have been infected by a botnet to spread malware
An image of a CAPTCHA
Hackers are using reCAPTCHA to trick users into infecting their own PCs with malware — how to stay safe
A smartphone screen displaying the Android name and logo next to a sign reading 'MALWARE'.
Fake Google Play Store pages are spreading Trojan malware that can steal your financial data
Best antivirus software
How does antivirus software work
and image of the Google Chrome logo on a laptop
Google Chrome at risk from shape-shifting browser extensions — how to stay safe
Latest in News
iPhone 17 Air render
iPhone 17 Air leak just tipped size of camera bump — how thin will it really be?
Sterling K. Brown in Paradise
Hulu top 10 shows — here's the 3 worth watching right now
iPhone 16
Hoping for a new iPhone 16 color? Here's why that's looking unlikely
iOS Photos app
iOS 18.4 Photos update makes it easier to sort, hide and delete your photos on iPhone — here’s what you can do
Dyson Purifier Cool (TP11) in office
Dyson just launched its new high-tech air purifier — right in time for allergy season
Nvidia RTX 5090
RTX 5060 breaks cover in Acer gaming PC — is Nvidia’s next GPU launch imminent?