Honda Civics and the Evil Valet
Researcher discovers Honda Civic infotainment systems accept update packages signed with the public Android test key, allowing arbitrary code execution via USB.
A researcher has documented how 2021 Honda Civic headunits can be modified through their USB update mechanism. Honda's system uses Android recovery packages signed with the publicly known AOSP test key, so anyone with physical access to the USB port can install arbitrary code without needing root privileges. The researcher released ota-builder, a tool to construct signed update files, and apk-rebuilder to decompile and analyze Honda's firmware. A publicly available EU software update file was confirmed to carry the test-key signature. The researcher calls this attack vector "EvilValet" (by analogy with evil maid attacks). Outstanding work includes documenting headunit version numbers across Civic variants, publishing a clean build toolchain, and improving AIDL interface mapping tools. The author is transitioning to other projects but welcomes pull requests.
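The core defect above is that the recovery trusts a signing key whose private half ships in every AOSP checkout. The check an owner, fleet operator or vendor security team would want is a quick triage of an update.zip: is it signed at all, and is the embedded certificate one of the publicly known keys? The following script is an added example, not code from the researcher's ota-builder or from Honda. It relies on two conventions of AOSP's packaging tools (the `META-INF/com/android/otacert` entry that `ota_from_target_files` embeds, and the 6-byte footer `signapk` appends to the archive comment behind the PKCS#7 signature block); the AOSP test-key fingerprint itself is left as a labelled placeholder to be filled from `testkey.x509.pem`, and the sample package is constructed in memory purely as a fixture.

```python
"""Triage an Android OTA/recovery package for the key it claims to be signed with.

Added example, not from the researcher's tooling or Honda's firmware. Uses only the
standard library and does NOT cryptographically verify anything; it answers two
defender questions quickly: is the package signed at all, and is the embedded
certificate on a denylist of publicly known keys (such as the AOSP test key)?
"""
import base64
import hashlib
import io
import re
import struct
import sys
import zipfile

# SHA-256 of the DER certificate for keys that must never sign production firmware.
# The real AOSP test-key fingerprint is deliberately NOT reproduced here: compute it
# from build/make/target/product/security/testkey.x509.pem in an AOSP checkout.
# The entry below is a PLACEHOLDER so the example runs offline.
KNOWN_PUBLIC_KEYS = {
    "<sha256-of-aosp-testkey-der-goes-here>": "AOSP platform testkey (placeholder)",
}

OTACERT_PATH = "META-INF/com/android/otacert"  # entry written by ota_from_target_files
_PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: bytes) -> bytes:
    """Return the DER bytes of the first certificate in a PEM blob."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM certificate found in otacert")
    return base64.b64decode(b"".join(m.group(1).split()))


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER certificate, lower-case hex."""
    return hashlib.sha256(der).hexdigest()


def parse_signature_footer(data: bytes):
    """Return (signed, signature_block) using the layout signapk writes.

    The archive comment ends with: sig_start (u16 LE) | 0xFFFF | comment_size (u16 LE).
    sig_start counts back from the end of the file to where the PKCS#7 block begins,
    and the EOCD record (22 bytes) sits immediately before the comment. Anything that
    does not match this layout is reported as unsigned rather than guessed at.
    """
    if len(data) < 22 + 6:
        return False, b""
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-6:])
    if marker != 0xFFFF:
        return False, b""
    eocd_off = len(data) - (comment_size + 22)
    if eocd_off < 0 or data[eocd_off:eocd_off + 4] != b"PK\x05\x06":
        return False, b""
    if sig_start < 6 or sig_start > comment_size:
        return False, b""
    return True, data[len(data) - sig_start:len(data) - 6]


def audit_ota(data: bytes, denylist=KNOWN_PUBLIC_KEYS) -> dict:
    """Triage one update.zip given as bytes."""
    result = {"signed": False, "otacert_present": False, "fingerprint": None,
              "known_key": None, "cert_in_signature": None}
    signed, sig_block = parse_signature_footer(data)
    result["signed"] = signed
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if OTACERT_PATH in zf.namelist():
            der = pem_to_der(zf.read(OTACERT_PATH))
            result["otacert_present"] = True
            fp = cert_fingerprint(der)
            result["fingerprint"] = fp
            result["known_key"] = denylist.get(fp)
            if signed:
                # signapk embeds the signer certificate inside the PKCS#7 block, so the
                # DER should appear verbatim there. A mismatch means the otacert entry
                # does not describe the key that actually produced the signature.
                result["cert_in_signature"] = der in sig_block
    return result


def build_sample_package(der: bytes, sign: bool = True) -> bytes:
    """Constructed fixture (not a real Honda image): a tiny zip with an otacert entry
    and, when sign=True, a fake signature block in the comment laid out like signapk."""
    pem = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der)
           + b"-----END CERTIFICATE-----\n")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(OTACERT_PATH, pem)
        zf.writestr("payload.bin", b"constructed firmware payload")
        if sign:
            sig_block = b"\x30\x82FAKE-PKCS7-" + der  # not a real PKCS#7 structure
            total = len(sig_block) + 6                # signature + footer
            zf.comment = sig_block + struct.pack("<HHH", total, 0xFFFF, total)
    return buf.getvalue()


if __name__ == "__main__":
    # Usage: python ota_audit.py update.zip
    with open(sys.argv[1], "rb") as fh:
        report = audit_ota(fh.read())
    for key, value in report.items():
        print(f"{key:18} {value}")
    if report["known_key"]:
        print(f"FAIL: signed with a publicly known key: {report['known_key']}")
```

On a real package the interesting outcomes are `signed=False` (the recovery would reject it, or the port accepts unsigned images, which is worse) and `known_key` set, which is exactly the Civic finding. `cert_in_signature` is only a consistency hint: the otacert entry is informational, and recovery decides trust from its own `otacerts.zip`, so a clean report here is not proof that the device's trust store is sane.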
What commenters are saying
Commenters acknowledge the security issue stems from Honda's incompetence rather than intentional openness, though some note it enables owner modification. A counter-argument holds that real threats such as valets stealing cars or leaving tracking devices are more practical than flashing firmware, and that requiring owner-approval mechanisms creates usability problems (forgotten PINs, recovery loops). One commenter noted Hyundai used an even worse public RSA key. Discussion reflects skepticism that the evil valet scenario is realistic, though it could theoretically chain into rental car or CarPlay exploits. The thread debates whether poor security is preferable to vendor lock-in.