Honda Civics and the Evil Valet

To update 10th-gen Honda Civics, Honda ships updates on specially-formatted USB drives. They're essentially Android 4.2.2rc1-era recovery packages with some Honda-added version checks (which can be spoofed). The packages are signed with the publicly-known AOSP test key, so with physical access to the front USB port you can sign and flash your own package for arbitrary code execution on the headunit. This doesn't require root/su. I've run it end-to-end on my own 2021 Civic and separately confirmed an official EU update file carries the AOSP test-key signature. Tooling and writeup in the post.

Most (if not all) cars on the road are terrible in terms of the security of the infotainment system and other onboard electronics. What makes this even worse is the sensors they have onboard these days; the microphones, cameras, GNSS receivers, wifi and BT radios make them into mobile surveillance platforms.

In March 2026, a bunch of controls were added to the Australian Government Information Security Manual[0] basically instructing people to not connect government devices to the infotainment systems of any vehicles, or to view or discuss anything sensitive in the presence of one.

> Security Control: 2099; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Mobile devices are not connected to the infotainment systems of connected vehicles.

> Security Control: 2100; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Sensitive or classified data is not viewed on mobile devices within or near connected vehicles.

> Security Control: 2101; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Sensitive or classified phone calls and conversations are not conducted within or near connected vehicles.

[0] https://www.cyber.gov.au/business-government/asds-cyber-secu...

I keep hoping that one of those hacks will eventually be available for Ford Lightning. There is a reason why Civics were a target for hacking ( relative low cost of failure ).

But we go back to the old question of: Why do I have to rely on hacks ( like with cellphones, tvs and so on )? Why am can't it be ready for heavy customization ootb ( and before you tell me that people do dangerous stuff on the roads -- have you driven around lately )?

I wish other car makers were as reasonable as Honda here.

No "evil valet" with half a brain cell would waste time hacking the head unit if they have physical access to the car. They would simply hide a spying device somewhere in the car.

Not to mention that people with Civics are never targets of three letter agencies.

In one thread people fighting the ever decreasing amount of hw ownership of most devices in our lives and when we have one that is more open, the crowds come to attack that too.

The theat model with tech has always been that if an attacker has physical access to the device and time then it's game over.

This is great information, thank you for posting!

I think there is a line between security, and keeping a device useful in the long term. I think the threat of people installing listening malware on the car via an evil-maid type attack is low.

However, when these cars are 10+ years old, and are in the hands of those willing to tinker, I think the ability to open up the software and customize will be a great thing. Hopefully communities form around creating modifications they find useful, and prolongs the life of the devices.

Seems much better than the end-users ripping out the factory head unit to install the Aliexpress "Android Tablet" style units, which likely have much worse security and engineering than the Honda units they'd be replacing.

I’ve heard product managers proudly proclaim their firmware was signed using the corporate internal signing service (good).

Of course, the question explicitly being asked (related to internal mandate) was if the firmware was signed — not if the firmware update process actually checked the signature (it certainly did not).

IMHO this is a good sign(!?) that they didn't even think about locking down their systems against the owner.

Maybe turning cars into gigantic computers on wheels was a bad thing? more study required.

Wonder how good the rest of the security is. The head unit is likely hooked up to a CAN gateway, can it call into telematics. Maybe find some novel way to abuse carplay/aa to call home.

Seeing more and more projects eschew code docs with the idea that "well architected code can be queried by LLMs" and stick to more functional runbook style docs. It really is unlikely that at any given point all of the docs of a project are up to date with the code.

I'm generally aligned with this, but it is predicated on the whole "well architected" code part.

If I'm reading the room, the sentiment is Honda is incompetent and their cars are security holes on wheels. But if the opposite happened, they would be technofascists locking us out of our own cars, a 30 post sub-thread "this is why I drive a 1999 Ford Ranger" would ensue, and someone would be investigating it as a possible GPL violation. Do I have this right?

It's also a good assumption most people airing such complaints have never eaten in a restaurant fancy enough to have valet parking, let alone evil valets.

That said, are evil valets known to tote around USB drives, or would they more likely use your navigation system to drive back to your empty house and clean it out while you're eating?

This is a good thing because it means I can sign something that will work if I own that hardware

The framing of this article sucks.

It is rather cool that you can hack your own car that easily. Framing it like "the evil valet" gives incentive and excuse to the manufacturer to lock down everything. While a real 3 letter agency evil valet will not car anyway. There is an endless list of things that it can do anyway, like put microphone in 100 places, change the electronic, get the key from the manufacturer, add man in the middle devices,...

The irony in this is that it's hard to imagine a Civic owner going to a luxury hotel with a valet. Maybe a Type R owner with a stretch...

On the other hand rom-ing your civic sounds easy

Honda knows how to build great cars but they haven't up-skilled their software knowledge.

Previously: Show HN: Honda Civic Infotainment Reverse-Engineering - https://news.ycombinator.com/item?id=36052753 - May 2023 (43 comments)

One more reason to remove the cellular modem from the car, so that even a compromised vehicle cannot exfiltrate information or be otherwise remotely controlled. This is something that every modern car owner should do immediately when taking possession of the car.

>>> you could get stuck in a recovery loop and softbrick your device.

Your car …

Could you use this to get a version of lineage OS running on it?

Relying on users to use an LLM to generate their own docs presupposes that the users have a Claude subscription or whatever. That sucks imo

It's difficult for car manufacturer theese days. You do proper security with secure boot etc. and the reverse engineering homebrew community complains about no way to install own software. You use the public known test key that everyone can do homebrew stuff when he wants, the reverse engineering homebrew community calls it a security risk.

In my opinion this auther don't know what he wants.

I think Porsche (and related brands) also have this or a somewhat similar vulnerability. Owners use it to add Android Auto to a car that formerly only supported Apple Carplay.

EvilValet, sick

Hyundai head units at one point used an RSA key you got by googling “RSA key” (no joke: https://programmingwithstyle.com/posts/howihackedmycar/ ), an honestly even more amazing mistake since it required effort rather than just a default.

[dead]

[dead]