TL;DR
A security researcher has discovered a vulnerability in Honda Civic headunits that permits physical attackers to install malicious updates through the USB port, termed ‘Evil Valet.’ The flaw exploits the signing process, enabling arbitrary code execution without root access. The researcher has developed tools to facilitate testing, raising concerns about vehicle security during valet and service scenarios.
A security researcher has revealed a vulnerability in Honda Civic headunits that allows anyone with physical access to install arbitrary software via the vehicle’s USB update process. This flaw, dubbed ‘Evil Valet,’ enables malicious actors, such as unauthorized valet personnel or service technicians, to potentially compromise vehicle systems without needing root access or advanced hacking techniques. The discovery raises concerns about vehicle security during routine service or parking scenarios.
The researcher, who has been studying the update mechanisms of Honda Civics for several years, found that the car’s headunit verifies updates using a publicly-known AOSP test key. This means that anyone with access to a formatted USB drive and the correct signing key can create and load malicious updates. These updates can include arbitrary code, such as installing root access binaries, without triggering traditional security checks.
The vulnerability relies on the fact that Honda’s update process, designed for convenience, does not adequately authenticate the source of the update beyond the signature check with the test key. Since the headunit stages and applies the update in a way similar to Android recovery, an attacker with physical access can exploit this to execute code that persists after the update completes. The researcher has developed a tool called ‘ota-builder’ to assist in crafting such malicious updates, although the process requires technical expertise.
The researcher emphasizes that the attack requires physical access—such as leaving a vehicle with a valet or service technician—making it an ‘evil valet’ attack. The flaw is consistent across multiple Honda Civic models, as the update signing process appears uniform, and the researcher has confirmed the signature verification method on several update files.
Implications for Vehicle Security During Physical Access
This discovery highlights a significant risk in modern connected vehicles that support remote and manual updates. The ‘Evil Valet’ vulnerability demonstrates how physical access combined with inadequate update authentication can lead to potential security breaches, including unauthorized control over vehicle systems. While the researcher clarifies that the flaw does not directly enable remote hacking, it underscores the importance of robust security measures in automotive update processes to prevent malicious modifications during routine service or parking scenarios.
Automakers and consumers should be aware that physical access to a vehicle’s update port can be exploited if security controls are weak. This could lead to compromised infotainment systems, data theft, or even control over critical vehicle functions if malicious updates are installed. The issue also raises questions about the security of other vehicle models that may use similar update mechanisms.
OBD2 Port Anti-Theft Lockout Tool, OBD Port Protector for Cars/SUV/Trucks、obd2 Lock Anti Theft Protector (Red)
Anti-theft: It can effectively lock the OBD2 port of the car, preventing illegal connection, eliminating the theft of…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Background on Honda Civic Update Mechanisms and Security
Over the past few years, automotive security researchers have increasingly examined the update processes of connected vehicles. Honda Civics, particularly models from 2021 onward, utilize a USB-based update system that verifies updates using a signature check. The verification relies on a publicly-known AOSP test key, which is intended for testing but appears to be used in production updates, according to the researcher’s findings.
Previous research has shown that many vehicle infotainment systems and headunits are vulnerable to exploitation if their update processes are not properly secured. In this case, the researcher’s work builds on prior reverse-engineering efforts, revealing that the signing process can be bypassed or exploited if the attacker can produce a signed update file with the known test key. The researcher has also developed tools to analyze and rebuild APK files and other update components, facilitating further testing and potential exploitation.
This vulnerability is not yet widely known among consumers or automakers, but it echoes broader concerns about the security of automotive software, especially as vehicles become more connected and reliant on software updates for functionality and security patches.
“As long as the headunit has power and an attacker has physical access to the USB port, they can install arbitrary code, effectively compromising the vehicle.”
— Security researcher
PortPlugs (10-Pack) USB-A Port Blockers – Key Lock USB Security to Help Prevent Data Theft – Removable Type-A Data Protection – Dust & Moisture Resistant Shield | Black
USB A PORT BLOCKERS WITH KEY: Designed for standard USB A ports on laptops, desktop PCs, notebooks, and…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Extent of Vulnerability Across Honda Models and Updates
While the researcher has confirmed the vulnerability on their own Honda Civic and identified the signing process as a common factor, it is not yet clear whether all Honda Civic models or other Honda vehicles are equally affected. The full scope of affected firmware versions and regional variants remains under investigation. Additionally, the potential for remote exploitation or mitigation measures has not been fully assessed.
CARLOCK Anti Theft Car Device – Real Time 4G Car Tracker & Car Alarm System. Comes with Device & Phone App. Tracks Your Car in Real Time & Notifies You Immediately of Suspicious Behavior.OBD Plug&Play
WORK & SLEEP WITHOUT WORRY – CarLock anti theft car device and car alarm monitors and alerts you…
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Automaker Response and Security Improvements Under Consideration
Honda has not yet issued an official statement regarding this vulnerability. Industry experts anticipate that the automaker will review the update signing process and may implement stronger cryptographic measures or additional authentication steps. Consumers and service providers are advised to be cautious about USB access during vehicle servicing until security patches are confirmed. Researchers plan to continue testing across different models and firmware versions, and the community may develop tools to detect or mitigate such exploits.
automotive firmware update protection
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
Can this vulnerability be exploited remotely?
No. The ‘Evil Valet’ attack requires physical access to the vehicle’s USB port, making remote exploitation unlikely without physical entry.
Does this affect all Honda Civics?
The researcher confirmed the vulnerability on their own vehicle and identified the signing process as consistent across some models, but the full extent across all Civics and regions remains unverified.
What can owners do to protect their vehicles?
Owners should limit USB access during vehicle servicing and monitor official updates from Honda for security patches addressing this issue.
Will Honda fix this vulnerability?
Honda has not publicly commented yet, but it is likely that they will review the update process and consider implementing stronger security measures.
Source: Hacker News
