A security researcher discovered a critical flaw in the 2021 Honda Civic's infotainment system that allows anyone with physical USB access to install arbitrary software. The vulnerability stems from the head unit using publicly known Android Open Source Project (AOSP) test keys to verify signed update files.
The researcher, a software architect, found that the system accepts signed AOSP images during updates. However, the signing key is not a secret. It is the well-known AOSP test key, which is freely available online. This means an attacker can craft a custom update image, sign it with the publicly available test key and load malware onto the car's infotainment system through a simple USB drive.
How the Exploit Works
The attack relies on the head unit's update mechanism. It checks that an update carries a valid AOSP-style signature, but the key it trusts for that check is the public AOSP test key rather than a private key held only by the manufacturer. Since the test key is public, anyone can sign packages that pass the check. Once a USB drive is inserted, the system can be tricked into installing an unauthorized app or even a full firmware modification.
This technique enables what security researchers call an EvilValet attack. A malicious valet or anyone with temporary access to the car's USB port could install software that persists after the car is returned. The occupant might not notice any immediate change, but the attacker could later access vehicle data or control certain functions remotely.
Broader Automotive Security Implications
The flaw highlights a wider issue in connected vehicles that rely on Android Automotive or similar platforms. Automotive infotainment systems increasingly use commodity operating systems, but their update mechanisms must be locked down with unique cryptographic keys. Using public test keys for production hardware is a dangerous shortcut.
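To make the distinction concrete, here is an added Python example (not Honda's code, not AOSP's, and not from the researcher) that models the two points above: a signature that verifies under some key is not the same as a signature from a key the vehicle should trust, and the fix is a trust store that pins only manufacturer-controlled keys plus a release-time audit that rejects known development keys. Everything in it is constructed: the RSA is textbook, unpadded and built from tiny hard-coded primes as a stand-in for a real OTA signing scheme, DEV_KEY plays the role of the publicly known test key (it is not the real AOSP key), OEM_KEY plays the manufacturer's production key, and the update payload is a made-up byte string.

```python
"""Constructed example: pinned trust store for signed update packages.

Toy textbook RSA (tiny hard-coded primes, no padding) stands in for the real
OTA signature scheme; the trust-store logic is what the example is about.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

E = 65537


@dataclass(frozen=True)
class PublicKey:
    n: int
    e: int

    def fingerprint(self) -> str:
        # Stable identifier for a key, as a trust store would hold a certificate hash.
        return hashlib.sha256(f"{self.n}:{self.e}".encode()).hexdigest()[:16]


@dataclass(frozen=True)
class KeyPair:
    pub: PublicKey
    d: int  # private exponent; in production this never leaves the signer


def make_keypair(p: int, q: int, e: int = E) -> KeyPair:
    """Textbook RSA key from two primes (toy; real keys are thousands of bits)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))  # raises ValueError if e is not invertible
    return KeyPair(PublicKey(n, e), d)


# Constructed keys (assumption: stand-ins, not the real AOSP test key or any OEM key).
# DEV_KEY models a publicly known development key: its private exponent is
# effectively public, which is exactly the problem with shipping a test key.
DEV_KEY = make_keypair(2**31 - 1, 2**61 - 1)   # both Mersenne primes
OEM_KEY = make_keypair(999983, 1000003)         # manufacturer-held production key


def _digest_int(payload: bytes, n: int) -> int:
    # Reduce the SHA-256 digest into the modulus so the toy RSA can sign it.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


@dataclass(frozen=True)
class UpdatePackage:
    payload: bytes
    signer: PublicKey   # the key/certificate the package claims was used
    signature: int


def sign_package(payload: bytes, key: KeyPair) -> UpdatePackage:
    m = _digest_int(payload, key.pub.n)
    return UpdatePackage(payload, key.pub, pow(m, key.d, key.pub.n))


def signature_valid(pkg: UpdatePackage) -> bool:
    """Does the signature verify under the key the package names? Necessary, not sufficient."""
    n, e = pkg.signer.n, pkg.signer.e
    return pow(pkg.signature, e, n) == _digest_int(pkg.payload, n)


def verify_update(pkg: UpdatePackage, trust_store: frozenset[str]) -> tuple[bool, str]:
    """Accept only packages whose signer is pinned in trust_store AND whose signature verifies."""
    fp = pkg.signer.fingerprint()
    if fp not in trust_store:
        return False, f"signer {fp} not in trust store"
    if not signature_valid(pkg):
        return False, "signature does not verify"
    return True, "ok"


# Fingerprints of keys that must never be trusted on production hardware.
KNOWN_DEV_KEY_FINGERPRINTS = frozenset({DEV_KEY.pub.fingerprint()})

# Two head-unit configurations: the shipped one still pins the development key
# next to the OEM key; the hardened one pins only the OEM key.
SHIPPED_TRUST_STORE = frozenset({DEV_KEY.pub.fingerprint(), OEM_KEY.pub.fingerprint()})
HARDENED_TRUST_STORE = frozenset({OEM_KEY.pub.fingerprint()})


def audit_trust_store(trust_store: frozenset[str]) -> frozenset[str]:
    """Release-time check: which pinned keys are known development keys? Should be empty."""
    return trust_store & KNOWN_DEV_KEY_FINGERPRINTS


if __name__ == "__main__":
    update = b"constructed infotainment update image v1.2"
    from_dev_key = sign_package(update, DEV_KEY)   # anyone holding the public dev key can make this
    from_oem_key = sign_package(update, OEM_KEY)   # only the manufacturer can

    for name, store in (("shipped", SHIPPED_TRUST_STORE), ("hardened", HARDENED_TRUST_STORE)):
        print(name, "dev-signed:", verify_update(from_dev_key, store))
        print(name, "oem-signed:", verify_update(from_oem_key, store))
    print("development keys pinned in shipped store:", audit_trust_store(SHIPPED_TRUST_STORE))
```

The shipped configuration accepts the package signed with the development key because the signature really does verify; the hardened configuration rejects it before any signature math runs, purely on the signer's fingerprint. The audit function is the check a release pipeline should run on the head unit's pinned certificate set, so that a development key left in the image is caught before hardware ships rather than by a researcher with a USB stick.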
This vulnerability is not unique to Honda. Other manufacturers using AOSP-based systems with test keys may face similar exposures. The industry trend toward software-defined vehicles demands rigorous security reviews of every signed component.
Why This Matters
Car owners who park at airports, use valet service or lend their vehicle to others face a real risk. A simple USB stick could compromise the infotainment system without leaving obvious traces. While the attacker needs physical access, the attack is cheap and easy to execute with basic technical knowledge.
The exposure also raises questions about privacy. Infotainment systems store contacts, navigation history and synced smartphone data. An EvilValet attack could siphon this information or turn the car into a surveillance point. The issue affects not just the 2021 Civic but potentially earlier models using the same platform.
Honda has not publicly responded to the disclosure. Owners should be cautious about leaving USB devices in the car and consider disabling automatic update acceptance if possible. The broader lesson is clear: automotive cybersecurity must move beyond using default development keys in production systems.