Vulnerability Overview

Vulnerability name: Suzuki Swift (2024): rolling-code keyless entry defeated by RollBack-style replay, enabling unauthorized lock/unlock
CVE ID: CVE-2026-49319
Publication date: 25 June 2026

Description: The Remote Keyless Entry System (RKES) of the Suzuki Swift (2024) is vulnerable to a RollBack-style capture-and-replay attack. An attacker within radio range can capture a sequence of transmissions from a legitimate key fob and replay them later to force the receiver to resynchronise, so that it accepts previously valid codes and the vehicle can be unlocked (and locked) without the owner's fob. Because captured transmissions remain valid after the fact, the RollBack attack defeats the anti-replay protection that rolling codes are conventionally assumed to provide.

Scope of Impact

Affected products: Suzuki Motor Corporation – Suzuki Swift, 2024 model year (observed on the SWIFT 15G GLS trim); Remote Keyless Entry System (RKES) rolling-code key fob, FCC ID CWTR33R0.
Weakness type: CWE-294 Authentication Bypass by Capture-replay
CAPEC ID: CAPEC-60 Reusing Session IDs (aka Session Replay)
CVSS 3.1: 5.4
CVSS 4.0: 5.3

Remediation

Recommended remediation: Replace counter-based rolling codes with a scheme that uses a fresh challenge, for example bidirectional challenge-response keyed from a per-vehicle secret held in a secure element; reject stale or rolled-back counter values; and constrain resynchronisation so that a previously transmitted code can never be accepted again. Distance bounding (e.g. UWB) further mitigates replay and relay attacks against keyless entry.

References

Reporter: Danilo Ezequiel (independent automotive cybersecurity researcher)
CWE-294: https://cwe.mitre.org/data/definitions/294.html
CWE-1390: https://cwe.mitre.org/data/definitions/1390.html
CAPEC-60: https://capec.mitre.org/data/definitions/60.html
Affected key fob FCC ID (public): CWTR33R0 – https://fcc.io/CWTR33R0
Attack-class background: RollBack – a time-agnostic replay attack against automotive RKES (USENIX Security 2022)

Credit

Danilo Ezequiel (independent automotive cybersecurity researcher) (finder)

Timeline

2026-06-25: Advisory published by ASRG. Vendor remediation pending.
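To make the remediation concrete, the following is an added toy model of a rolling-code receiver's counter handling; it is not code from the advisory, from Suzuki, or from the RollBack paper. Integers stand in for decrypted hop codes, the radio and cipher layers are out of scope, and the window sizes and class names are assumed. It contrasts a resync rule that trusts any two consecutive counters (so earlier codes stay valid) with a strictly monotonic rule that rejects stale or rolled-back values, as the advisory recommends.

```python
# Added example: toy rolling-code receiver counter logic (not vendor code).
# Integers model decrypted hop-code counters; radio/crypto are out of scope.
OPEN_WINDOW = 16          # assumed: counters accepted directly ahead of the last
RESYNC_WINDOW = 32768     # assumed: max forward jump a two-transmission resync may make


class NaiveReceiver:
    """Resyncs to ANY two consecutive counters, including values below the
    last accepted one. This is the weakness the advisory describes: codes
    captured earlier remain acceptable indefinitely."""

    def __init__(self, start=0):
        self.last = start      # last accepted counter
        self.pending = None    # first half of a candidate resync pair

    def receive(self, ctr):
        if self.last < ctr <= self.last + OPEN_WINDOW:
            self.last, self.pending = ctr, None
            return True
        if self.pending is not None and ctr == self.pending + 1:
            self.last, self.pending = ctr, None   # resync may move the counter backwards
            return True
        self.pending = ctr
        return False


class HardenedReceiver(NaiveReceiver):
    """Same windows, but the counter is strictly monotonic: anything at or
    below the last accepted value is dropped before it can seed a resync,
    and a resync may only move the counter forward within RESYNC_WINDOW."""

    def receive(self, ctr):
        if not (self.last < ctr <= self.last + RESYNC_WINDOW):
            self.pending = None          # stale, replayed or out-of-range: discard
            return False
        return super().receive(ctr)


def replay_stale_pair(receiver_cls):
    """Constructed scenario: the fob has advanced to counter 101, then two
    consecutive codes it transmitted much earlier (41, 42) are presented again.
    Returns (per-transmission accept flags, receiver counter afterwards)."""
    rx = receiver_cls(start=100)
    rx.receive(101)                      # legitimate press
    results = [rx.receive(c) for c in (41, 42)]
    return results, rx.last
```

The naive receiver ends up rolled back to counter 42 after the second stale code, whereas the hardened receiver refuses both and stays at 101 while still resynchronising normally to a forward pair.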