TL;DR
A security researcher has uncovered a vulnerability in Honda Civic headunits that allows physical attackers to install malicious updates via USB, dubbed ‘EvilValet.’ This exploits the vehicle’s update process, posing potential security risks. The researcher has developed tools to facilitate further testing and exploitation.
A security researcher has disclosed a vulnerability in Honda Civic headunits that permits physical attackers to install malicious software via USB, a flaw dubbed ‘EvilValet.’ This development raises concerns about vehicle security and potential misuse by malicious actors with physical access.
The researcher reverse-engineered the update process of Honda Civic headunits and found that they accept signed AOSP update files verified against a publicly known test key. Anyone with physical access can therefore build and sign a malicious update and gain arbitrary code execution on the headunit, with no need for root access or any additional exploit.
The attacker needs physical access to the vehicle’s front USB port, which is feasible in scenarios such as leaving a car with a valet service. The researcher demonstrated that a USB drive carrying an update signed with the test key is accepted silently, so a malicious update, including one that grants root privileges, could compromise vehicle functions or install persistent malware.
The researcher has also released tools: ‘ota-builder,’ which prepares such updates, and ‘apk-rebuilder,’ which extracts and analyzes the headunit’s code to aid further reverse engineering. While the researcher cannot confirm whether every Honda update is signed with the test key, the available evidence suggests most are, which widens the potential scope of the vulnerability.
Implications for Honda Civic Owners and Vehicle Security
This vulnerability highlights a significant security flaw in Honda Civic headunits, which could be exploited by malicious actors with physical access to vehicles. Such attacks could lead to unauthorized control over vehicle systems, data theft, or persistent malware infections. The discovery underscores the risks associated with insecure update mechanisms in modern vehicles, raising questions about manufacturer security practices and the need for improved protections.
Technical Background of the Honda Civic Headunit Vulnerability
Three years ago, the researcher began analyzing the headunit of a 2021 Honda Civic, focusing on its USB-based update process. They found that the update files are signed with a publicly known Android Open Source Project (AOSP) test key, and that the verification process matches stock AOSP behavior. This means that anyone who can sign an update package with the test key and place it on a USB drive can install arbitrary code on the headunit.
The researcher demonstrated that this flaw enables an ‘evil maid’ style attack, here termed ‘EvilValet,’ in which a malicious valet or other physical attacker could update the headunit with malicious software without the owner’s knowledge. The researcher also developed tools to analyze and create update files, facilitating further research and potential exploitation.
The update process itself is fragile and relies on version numbers, which can be spoofed, but the core issue remains: the verification step is insufficiently secure, because any update is accepted as long as it is signed with the publicly known test key.
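To make the update format concrete, here is an added Python example (not the researcher’s ota-builder or any Honda code) that walks the AOSP whole-file OTA signature footer the way RecoverySystem.verifyPackage does, pulls the signer certificate out of the PKCS#7 block, and reports whether its SHA-256 fingerprint is in a set you flag as publicly known test keys; the sample package, its certificate and the fingerprints are constructed placeholders, not real values.

```python
import hashlib, struct

def der(tag: int, body: bytes) -> bytes:          # tiny DER encoder, only for the sample
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + struct.pack(">H", n))
    return bytes([tag]) + ln + body

def der_read(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag, body, position just after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def extract_signature_block(ota: bytes) -> bytes:
    """Walk the 6-byte footer the way AOSP RecoverySystem.verifyPackage does;
    the signature covers ota[:len(ota) - comment_size - 2]."""
    sig_start, marker, comment_size = struct.unpack("<HHH", ota[-6:])
    eocd = ota[-(comment_size + 22):]               # EOCD record + archive comment
    if marker != 0xFFFF or eocd[:4] != b"PK\x05\x06":
        raise ValueError("no AOSP whole-file signature footer")
    return eocd[comment_size + 22 - sig_start:]     # PKCS#7 DER, footer trailing

def signer_cert(p7: bytes) -> bytes:
    """DER of the first certificate carried inside a PKCS#7 SignedData."""
    _, content_info, _ = der_read(p7, 0)
    _, _, pos = der_read(content_info, 0)           # OID id-signedData
    _, explicit0, _ = der_read(content_info, pos)   # [0] EXPLICIT SignedData
    _, signed_data, _ = der_read(explicit0, 0)
    pos = 0
    for _ in range(3):                              # version, digestAlgorithms, encapContentInfo
        _, _, pos = der_read(signed_data, pos)
    tag, certs, _ = der_read(signed_data, pos)      # [0] IMPLICIT certificates
    if tag != 0xA0:
        raise ValueError("SignedData carries no certificates")
    return certs[:der_read(certs, 0)[2]]

def cert_fingerprint(cert_der: bytes) -> str:
    return hashlib.sha256(cert_der).hexdigest()

def signed_by_known_test_key(ota: bytes, test_key_fingerprints: set) -> bool:
    # True when the signer matches a fingerprint you have flagged as a public test key
    return cert_fingerprint(signer_cert(extract_signature_block(ota))) in test_key_fingerprints

def build_sample_ota(cert_der: bytes) -> bytes:
    """Constructed sample: an empty zip whose comment mimics the signapk layout (no real signature)."""
    oid = lambda last: der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07" + last)
    signed_data = der(0x30, der(0x02, b"\x01") + der(0x31, b"") + der(0x30, oid(b"\x01")) + der(0xA0, cert_der))
    p7 = der(0x30, oid(b"\x02") + der(0xA0, signed_data))
    comment = b"signed by SignApk\n" + p7
    comment += struct.pack("<HHH", len(p7) + 6, 0xFFFF, len(comment) + 6)
    return b"PK\x05\x06" + bytes(16) + struct.pack("<H", len(comment)) + comment
```

On an AOSP-based device the trusted OTA signers live in /system/etc/security/otacerts.zip; feeding those certificates to cert_fingerprint, with the real AOSP test certificate’s fingerprint in the set, shows whether a device trusts the public test key.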
“As long as the headunit has power and an attacker has physical access to the USB port, they can install arbitrary code via the update process.”
— Researcher
Extent of the Vulnerability Across Honda Models
It is not yet confirmed whether all Honda Civic headunits or other Honda models use the same signing process or are vulnerable. The researcher suspects most updates are signed with the test key, but cannot verify every variant or firmware version.
Additionally, the full scope of potential malicious modifications, such as persistent malware or control over vehicle functions, remains to be tested in real-world scenarios.
Potential Security Improvements and Research Directions
Further investigation is needed to determine whether Honda will address this vulnerability through firmware updates or security patches. Researchers and security experts are likely to scrutinize other vehicle models with similar update mechanisms. The researcher plans to expand testing to verify vulnerability scope and develop defenses against such physical attacks.
Owners should remain cautious about leaving vehicles with accessible USB ports in unsecured environments until official fixes are announced.
Key Questions
Can this vulnerability be exploited remotely?
No. The attack requires physical access to the vehicle’s USB port, making remote exploitation unlikely.
Does this affect all Honda Civics?
The researcher has demonstrated the vulnerability on a 2021 Honda Civic and suspects most models using similar update processes are vulnerable, but confirmation across all variants is pending.
What can owners do to protect their vehicles?
Owners should avoid leaving their cars with accessible USB ports in unsecured environments and stay tuned for official security updates from Honda.
Will Honda release a fix for this vulnerability?
It is currently unknown whether Honda plans to address this flaw with firmware updates or security patches. No official statement has been issued yet.
Source: Hacker News