
Honda's 10th Gen Civic Headunit Ships with AOSP Test Keys - Arbitrary Code Execution via USB

Source: juniperspring.org · posted by @systems_wire · 5 hours ago · Cybersecurity · 3 comments

Honda left the publicly known AOSP test key in the headunit's update verification, so anyone with physical USB access can install code of their choosing, signed with a key whose private half is public, without needing a root exploit.

Tags: honda civic, aosp test keys, automotive security, evil valet, juniperspring, android auto

Honda left the publicly-known AOSP test key in the 10th gen Civic headunit's update verification, giving anyone with a USB stick and a few minutes of cabin access arbitrary code execution on the dash.

The EvilValet Attack: Physical Access Is All You Need

Three years of reverse engineering by juniperspring.org revealed that Honda's USB-based update process relies on Android recovery's verify_file logic, and that nobody swapped out the signing key it trusts. The res/keys file on the headunit contains the well-known AOSP test key, whose private half ships in every AOSP checkout as build/target/product/security/testkey.pk8. Every official update file examined, including the EU firmware MRC_EU_SW_v12_4.zip pulled from public forums, is signed with that same key. Because recovery applies any package that passes verification, no su, no setuid binary and no conventional root exploit are required.

The attack is trivial: format a USB drive, sign a payload with the AOSP test key, and plug the drive into the front-most USB port while the car is powered. The headunit stages the update and hands it to Android recovery, which applies it. The author calls this an "evil valet attack": a hotel valet, airport attendant, or anyone else with a few minutes alone in the cabin can silently compromise the headunit. Where an evil maid attack needs access to the victim's room and laptop, this one only needs the interior of a parked car.
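What the two paragraphs above describe is a signature check that is mechanically sound and cryptographically empty: recovery really does verify the package, but against a key everyone holds. The following is an added example, not code from the page or from juniperspring.org. It reimplements the whole-file OTA signature footer that Android recovery's verify_file() reads from the zip archive comment, then shows the same attacker package accepted when the trusted list holds the test key and rejected when it holds a key the OEM kept private. Everything cryptographic here is a stand-in and an assumption: a toy 512-bit RSA pair generated in the script plays the AOSP test key, and a raw PKCS#1 v1.5 signature replaces the PKCS#7 blob signapk emits; the sample payload files are constructed.

```python
"""Added example, not code from the page or from juniperspring.org: the whole-file
OTA signature check as Android recovery's verify_file() performs it, and why a
res/keys list containing the AOSP test key makes it worthless.  Stand-ins, all
assumptions: a toy 512-bit RSA pair generated here plays the AOSP test key (whose
private half ships in AOSP as testkey.pk8); a raw PKCS#1 v1.5 signature replaces
the PKCS#7 blob signapk emits; the zip-comment footer is laid out as recovery reads it."""
import hashlib
import io
import random
import struct
import zipfile

random.seed(20240101)  # reproducible toy keys; never use this RSA for real signing
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")
FOOTER_SIZE, EOCD_HEADER_SIZE = 6, 22  # footer = sig_start(2) ff ff comment_size(2)

def _is_probable_prime(n):
    for b in _MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in _MR_BASES:  # Miller-Rabin with fixed bases, adequate for a toy key
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits=512):
    """Return ((n, e), (n, d)) with a toy-sized modulus."""
    e = 65537
    while True:
        p = q = 0
        while not _is_probable_prime(p):
            p = random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
        while not _is_probable_prime(q):
            q = random.getrandbits(bits // 2) | 1 << (bits // 2 - 1) | 1
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:  # e is prime, so this is gcd(e, phi) == 1
            return (p * q, e), (p * q, pow(e, -1, phi))

def _emsa(digest, k):  # EMSA-PKCS1-v1_5 encoding of a SHA-256 digest to k bytes
    t = _SHA256_DIGESTINFO + digest
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, digest):
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(digest, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, digest, sig):
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(sig) != k or int.from_bytes(sig, "big") >= n:
        return False
    return pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big") == _emsa(digest, k)

def build_signed_ota(files, priv):
    """Zip `files` ({name: bytes}) and append a whole-file signature in the archive comment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in files.items():
            zf.writestr(name, content)
    signed = buf.getvalue()[:-2]  # everything up to the EOCD comment-length field is signed
    sig = rsa_sign(priv, hashlib.sha256(signed).digest())
    size = len(sig) + FOOTER_SIZE  # comment = signature + footer; signature starts `size` from EOF
    return signed + struct.pack("<H", size) + sig + struct.pack("<HHH", size, 0xFFFF, size)

def verify_package(data, trusted_pubs):
    """The footer and EOCD sanity checks of verify_file(), then the loop over res/keys."""
    sig_start, marker, comment_size = struct.unpack("<HHH", data[-FOOTER_SIZE:])
    if marker != 0xFFFF or sig_start > comment_size or sig_start <= FOOTER_SIZE:
        return False  # no footer, or the signature does not lie inside the comment
    eocd = data[-(comment_size + EOCD_HEADER_SIZE):]
    if eocd[:4] != b"PK\x05\x06" or b"PK\x05\x06" in eocd[4:]:
        return False  # EOCD must sit exactly here and appear once in the tail
    digest = hashlib.sha256(data[:len(data) - comment_size - 2]).digest()
    sig = data[len(data) - sig_start:len(data) - FOOTER_SIZE]
    return any(rsa_verify(pub, digest, sig) for pub in trusted_pubs)  # one key match suffices

def demo():
    """Constructed scenario: the shipped key list trusts a key whose private half is public."""
    test_pub, test_priv = rsa_keygen()  # stand-in for the AOSP test key
    oem_pub, oem_priv = rsa_keygen()  # the private key an OEM should have generated instead
    payload = {"META-INF/com/google/android/updater-script": b"# attacker-chosen edify\n",
               "payload.bin": b"evil valet"}
    attacker_pkg = build_signed_ota(payload, test_priv)
    tampered = attacker_pkg[:100] + bytes([attacker_pkg[100] ^ 1]) + attacker_pkg[101:]
    return {
        "shipped_test_key_accepts_attacker": verify_package(attacker_pkg, [test_pub]),
        "oem_key_rejects_attacker": not verify_package(attacker_pkg, [oem_pub]),
        "oem_key_accepts_genuine": verify_package(build_signed_ota(payload, oem_priv), [oem_pub]),
        "tampering_after_signing_rejected": not verify_package(tampered, [test_pub]),
    }
```

Every check in demo() comes back True: the verifier is doing its job (a flipped byte is caught, a package signed with the wrong key is refused), which is exactly why the only thing that matters is which public keys sit in res/keys. Swapping the list is the whole fix; nothing in the verification path needs to change.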

What the ota-builder Tool Unlocks

The researcher released ota-builder, a tool that automates crafting update files accepted by the headunit. It handles version spoofing (the update process is fragile about expected version numbers, but those can be faked), signing with the test key, and packaging. The companion apk-rebuilder takes any official Honda update file (not hosted by the author, avoiding copyright issues) and produces a clean tree of .smali code, resources, and ramdisk contents for analysis.

This means the barrier to entry for custom firmware, rooting the device, or injecting malicious code has dropped to near zero for anyone with physical USB access. No advanced exploit development needed — just the key that's been public since Android's early days.

Why This Matters Beyond the Civic

The 10th gen Civic headunit runs Android Automotive on a Mitsubishi-forked AOSP framework. If Honda shipped the test key in production, other automakers building on similar Android-based infotainment stacks may well have made the same mistake, and the check is cheap: pull res/keys from the recovery ramdisk and compare its entries against the public test key. The researcher notes that even custom themes would require surgical edits to vendor framework binaries, further evidence of minimal hardening.

Responsible disclosure? The author published the full technical docs and tools without warning Honda first. Because the attack requires physical access, the practical risk to average owners is limited. For high-value targets such as journalists, executives, or anyone whose car gets valeted at a hotel, the compromise is silent and severe. Automotive OEMs relying on AOSP need to audit their signing chains, starting with whether res/keys still lists the test key, before someone builds a $20 USB dongle that turns every Civic into a listening post.
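The audit the paragraph above calls for reduces to one question per device: does the recovery's res/keys file contain the test key's modulus? The following is an added example, not code from the page or from juniperspring.org, that parses res/keys entries and answers that question for a modulus you supply. The entry format it assumes is the one I recall AOSP's DumpPublicKey producing for libmincrypt's RSAPublicKey (word count, n0inv, modulus as little-endian 32-bit words, then R^2 mod n); treat that description as an assumption and confirm it against a real res/keys before relying on the parser. The modulus to search for would come from `openssl x509 -in testkey.x509.pem -noout -modulus`; the hex values in the script are constructed placeholders, not the real test key, and the sample file is built by the script itself.

```python
"""Added example, not code from the page or juniperspring.org: does a recovery
res/keys file trust a given RSA public key, such as the AOSP test key?
Assumed entry format (from my reading of AOSP's DumpPublicKey and libmincrypt;
confirm against a real res/keys before relying on it):
  v<ver> {<words>,0x<n0inv>,{<modulus, little-endian 32-bit words>},{<R^2 mod n>}}
with ver 2 and 4 meaning e=65537 and ver 1 and 3 meaning e=3."""
import re

_ENTRY = re.compile(r"v(\d+)\s*\{(\d+),0x([0-9a-fA-F]+),\{([^}]*)\},\{([^}]*)\}\}")

def _words_to_int(csv):
    words = [int(w, 0) for w in csv.split(",") if w.strip()]
    return sum(w << (32 * i) for i, w in enumerate(words))  # word 0 is least significant

def parse_res_keys(text):
    """Yield (exponent, modulus, constants_consistent) for every entry in the file."""
    for ver, nwords, n0inv, n_csv, rr_csv in _ENTRY.findall(text):
        n, words = _words_to_int(n_csv), int(nwords)
        expect_n0inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) & 0xFFFFFFFF  # -1/n[0] mod 2^32
        expect_rr = pow(2, 64 * words, n)  # R^2 mod n with R = 2^(32*words)
        consistent = int(n0inv, 16) == expect_n0inv and _words_to_int(rr_csv) == expect_rr
        yield (65537 if int(ver) in (2, 4) else 3), n, consistent

def res_keys_entry(n, e):
    """Encode a key the way DumpPublicKey would; used here only to build sample input."""
    words = (n.bit_length() + 31) // 32
    arr = lambda x: ",".join(f"0x{(x >> (32 * i)) & 0xFFFFFFFF:08x}" for i in range(words))
    n0inv = (-pow(n & 0xFFFFFFFF, -1, 1 << 32)) & 0xFFFFFFFF
    rr = pow(2, 64 * words, n)
    return f"v{2 if e == 65537 else 1} {{{words},0x{n0inv:08x},{{{arr(n)}}},{{{arr(rr)}}}}}"

def trusts_key(res_keys_text, modulus_hex, exponent=65537):
    """True if a well-formed entry matches (modulus, exponent); garbled entries never match."""
    target = int(modulus_hex, 16)
    return any(e == exponent and n == target and ok
               for e, n, ok in parse_res_keys(res_keys_text))

# Constructed sample: pretend OEM and test keys (odd 128-bit numbers, not real RSA moduli,
# and not the real AOSP test key). Real entries for a 2048-bit key carry 64 words.
PRETEND_TEST_KEY = "f00dcafebeefbabe1234567890abcdef"
PRETEND_OEM_KEY = "0123456789abcdeffedcba9876543211"
SAMPLE_RES_KEYS = (res_keys_entry(int(PRETEND_OEM_KEY, 16), 65537) + "\n"
                   + res_keys_entry(int(PRETEND_TEST_KEY, 16), 65537) + "\n")

def audit(res_keys_text=SAMPLE_RES_KEYS, test_key_hex=PRETEND_TEST_KEY):
    """True when the device would accept packages signed with the test key."""
    return trusts_key(res_keys_text, test_key_hex)
```

audit() on the constructed sample returns True because the second entry is the pretend test key; drop that line and it returns False. The n0inv and R^2 cross-check exists so that a corrupt or hand-edited entry is reported as not trusted rather than silently matched on the modulus alone.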


Source: 10th Gen Honda Civic Updates Are Signed with AOSP Test Keys
Domain: juniperspring.org
