Software architect Eric McDonald discovered that the infotainment system of their 2021 Honda Civic has a glaring vulnerability through its front USB port. According to the post on their blog, Honda allows the head unit of this particular vehicle to be updated via USB. However, it apparently does not have strong security measures, with the hardware only looking for a signed AOSP (Android Open Source Project) file with a publicly known test key.
If you know how to set up a USB drive and sign it with this AOSP test key, you (or anyone else, for that matter) can potentially install anything on your head unit through the update path. While this is useful for tinkerers who want to get more out of their vehicles, McDonald also noted that it can be used for an “evil maid attack.” This method of compromising hardware uses the temporary physical access of a person (like a hotel maid, for example) to install malware on equipment. In their example, they said that a journalist could leave their car with a valet, and then the said valet could install malware on their infotainment system, thus giving the vulnerability the name “EvilValet.”
Once the app or malware has been installed, it could then use the myriad sensors that vehicles have to record conversations, track locations, and even capture video recordings with the owner none the wiser. It could then use the various wireless connectivity options of the infotainment system, like Bluetooth, Wi-Fi, or even cellular, to exfiltrate the data it captured.
Note that this does not affect the safety of the vehicle since the malware is limited to the infotainment system. That means it’s still impossible for the attacker to remotely control the engine or braking systems, modify its safety features, or even unlock the vehicle. But still, this is a major privacy and security concern, especially given that the Honda Civic is such a popular model. Even though most high-value targets have specialized security that helps prevent attacks like this, it could still be used against the people around them, like their security or staff, and then use the gathered information for reconnaissance or even as leverage to gain access to the target. It’s also possible that the same vulnerability exists in other car makes and models, especially as OEMs could supply the same infotainment system hardware/software to multiple brands.
Vulnerabilities like these have been known for years in the car industry — we have a report from eight years ago where Volkswagen refused to patch a flaw that could be exploited over the internet on VW and Audi models because they don’t have OTA update capabilities. There has also been a 2017 post on WikiLeaks that suggests that the CIA looked into taking control of cars remotely through vehicle vulnerabilities. While internet connectivity and software features have made driving more convenient, the lack of even basic security is alarming. This is only bound to get worse as almost every new car available today has some form of advanced driver assistance systems, digital infotainment systems, wireless connectivity features, and more.
If you want to experiment with the head unit on your 2021 Honda Civic, McDonald built tools to make it easier to “jailbreak.” You can check out the available files on GitHub, but, as usual, you should be careful when tinkering with the infotainment system on your vehicle, as you could end up bricking it, meaning you’ll have to replace it with a new one instead.
Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.