Honda Civics and the Evil Valet
189 points
5 hours ago
| 13 comments
| juniperspring.org
| HN
Previously: Show HN: Honda Civic Infotainment Reverse-Engineering - https://news.ycombinator.com/item?id=36052753 - May 2023 (43 comments)
librick
5 hours ago
[-]
To update 10th-gen Honda Civics, Honda ships updates on specially-formatted USB drives. They're essentially Android 4.2.2rc1-era recovery packages with some Honda-added version checks (which can be spoofed). The packages are signed with the publicly-known AOSP test key, so with physical access to the front USB port you can sign and flash your own package for arbitrary code execution on the headunit. This doesn't require root/su. I've run it end-to-end on my own 2021 Civic and separately confirmed an official EU update file carries the AOSP test-key signature. Tooling and writeup in the post.
reply
Alive-in-2025
20 minutes ago
[-]
Thanks so much for your analysis. This kind of investigation and exposure of lazy work is the reason I love hacker news.
reply
DANmode
1 hour ago
[-]
> AOSP

Android Open Source Project

for those outside the bubble!

reply
vel0city
2 hours ago
[-]
A number of other cars' infotainment systems are also based on ASOP. I remember downloading updates for my Hyundai which were also essentially Android images
reply
hparadiz
2 hours ago
[-]
The head units themselves are very dated and simply could not run recent versions of Android. I have a 2020 and I'm always eyeing up the after market units which are all better in every way.
reply
bigfatkitten
7 minutes ago
[-]
Most (if not all) cars on the road are terrible in terms of the security of the infotainment system and other onboard electronics. What makes this even worse is the sensors they have onboard these days; the microphones, cameras, GNSS receivers, wifi and BT radios make them into mobile surveillance platforms.

In March 2026, a bunch of controls were added to the Australian Government Information Security Manual[0] basically instructing people to not connect government devices to the infotainment systems of any vehicles, or to view or discuss anything sensitive in the presence of one.

> Security Control: 2099; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Mobile devices are not connected to the infotainment systems of connected vehicles.

> Security Control: 2100; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Sensitive or classified data is not viewed on mobile devices within or near connected vehicles.

> Security Control: 2101; Revision: 0; Updated: Mar-26; Marking: NC, OS, P, S, TS Sensitive or classified phone calls and conversations are not conducted within or near connected vehicles.

[0] https://www.cyber.gov.au/business-government/asds-cyber-secu...

reply
BobbyTables2
2 hours ago
[-]
I’ve heard product managers proudly proclaim their firmware was signed using the corporate internal signing service (good).

Of course, the question explicitly being asked (related to internal mandate) was if the firmware was signed — not if the firmware update process actually checked the signature (it certainly did not).

reply
Koffiepoeder
45 minutes ago
[-]
I once came across a similar "solution". The signing algorithm was directly executed from the update package. How would we otherwise be able to update the signature algorithm? Worst part was that it was correct at some point. It was an introduced regression because of a signature change due to " post-quantum safe" signatures now being required by the security team.
reply
mschulkind
2 hours ago
[-]
I'm surprised someone named BobbyTables2 wouldn't go straight for the proper way to check email PGP signatures...
reply
dang
8 minutes ago
[-]
Previously: Show HN: Honda Civic Infotainment Reverse-Engineering - https://news.ycombinator.com/item?id=36052753 - May 2023 (43 comments)
reply
userbinator
2 hours ago
[-]
IMHO this is a good sign(!?) that they didn't even think about locking down their systems against the owner.
reply
varenc
55 minutes ago
[-]
It's not good that they allow anyone that happens to be in your car briefly root access. It'd be live having an always-on laptop in your office with a open shell on it.

They should have provided some mechanism for the real owner to approve updates if the updates aren't all trusted by default.

reply
Lammy
12 minutes ago
[-]
This is a good thing because it means I can sign something that will work if I own that hardware
reply
1-6
22 minutes ago
[-]
Honda knows how to build great cars but they haven't up-skilled their software knowledge.
reply
hnav
2 hours ago
[-]
Wonder how good the rest of the security is. The head unit is likely hooked up to a CAN gateway, can it call into telematics. Maybe find some novel way to abuse carplay/aa to call home.
reply
TheDong
41 minutes ago
[-]
If you have physical access to a car and want to phone home, may I recommend leaving a gps tracking device under the floormat.

It works on more brands of cars too than just one gen of honda civics, and probably quicker to install.

reply
hankbond
3 hours ago
[-]
Seeing more and more projects eschew code docs with the idea that "well architected code can be queried by LLMs" and stick to more functional runbook style docs. It really is unlikely that at any given point all of the docs of a project are up to date with the code.

I'm generally aligned with this, but it is predicated on the whole "well architected" code part.

reply
jmalicki
2 hours ago
[-]
I'd rather see unit tests as documentation.

The test can show intended use, show interesting corner cases, and I know it is up to date because it is constantly running and passing.

I think that is a huge underrated benefit of adding a lot more testing.

If I think a developer is going to ask a question of how something works, or about a corner case, isn't that deserving of a test, so they can just see proof of the answer to their question immediately rather than trying to re-derive it?

reply
nucleardog
53 minutes ago
[-]
I think unit tests are documentation in the same way that a Dockerfile is... it's not. The tests don't paint the bigger picture, explain why, etc.

That said, if you pitched me something like a Jupyter notebook style doc where tests validating the claims of the documentation were inline, I'd totally buy into that.

reply
hankbond
2 hours ago
[-]
You know what, you are right on the money with that. I think if you expand to include functional/smoke/e2e tests, that covers pretty much everything documentation is supposed to be.

Just by running them you can measure if they are in or out of sync with the code (well, if they were written correctly).

reply
EPWN3D
2 hours ago
[-]
LLMs are great at writing unit tests.
reply
naturalmovement
1 hour ago
[-]
If I'm reading the room, the sentiment is Honda is incompetent and their cars are security holes on wheels. But if the opposite happened, they would be technofascists locking us out of our own cars, a 30 post sub-thread "this is why I drive a 1999 Ford Ranger" would ensue, and someone would be investigating it as a possible GPL violation. Do I have this right?

It's also a good assumption most people airing such complaints have never eaten in a restaurant fancy enough to have valet parking, let alone evil valets.

That said, are evil valets known to tote around USB drives, or would they more likely use your navigation system to drive back to your empty house and clean it out while you're eating?

reply
js2
12 minutes ago
[-]
That's a false dichotomy. Honda could both secure the system and provide the owner access.
reply
TheDong
42 minutes ago
[-]
I think the evil valet risk isn't real, but this could be part of a chain-of-attack in some scenarios, mainly rental cars.

Like, sure, if you're just going to use it to spy on the user, you could also rent a rental car and leave a recording device under the floormat, or hidden behind the head unit, or whatever.

But if you have an Apple Carplay exploit, where someone tethering their phone to the car can be compromised, renting a car and flashing a malicious OS to exploit the phones of people who come after you could maybe be a real attack. It's kinda hard to get people to otherwise connect to a malicious infotainment system with carplay, so if you have an exploit that requires that, this could be part of it...

Except actually, no, if you have a carplay exploit, just rent the car, and rewire the USB port to go through a flipper zero or whatever and don't bother reflashing the car's software, that's just as easy.

... So yeah, I guess I agree with you, even in the rental car scenario, where this seems like it would be worst, your attacker might as well just hide something in the car instead of flashing the software.

reply
naturalmovement
29 minutes ago
[-]
Having rented a car and seeing 80 variations of "Ben's iPhone" in the Bluetooth pairing list leads me to believe 99.99% of society isn't worried about this.

Another thing to consider is Honda may have signed these packages with a wink and a nudge, because it may be required, regulatory or Android or otherwise, but they're also not interested in building closed devices. Instead of thanking them we're complaining.

reply
Nition
33 minutes ago
[-]
Yeah ultimately society really relies on the fact that most people aren't actively trying to be evil.
reply
t1234s
3 hours ago
[-]
Could you use this to get a version of lineage OS running on it?
reply
runjake
1 hour ago
[-]
You could, but if this unit is anything like it is in my CR-V, and its most likely the same, it's an ancient slow OMAP processor and 4GB of RAM (IIRC).

Edit: Looks like a Tegra 3 in this one, but my bet is meager RAM.

reply
baby_souffle
3 hours ago
[-]
Yes, but it'll still be using their kernel so not all functionality from lineage might work.
reply
DANmode
3 hours ago
[-]
EvilValet, sick
reply
rootsudo
3 hours ago
[-]
Yeah jealous he even got to name an attack surface. Damn.
reply
bri3d
2 hours ago
[-]
Hyundai head units at one point used an RSA key you got by googling “RSA key” (no joke: https://programmingwithstyle.com/posts/howihackedmycar/ ), an honestly even more amazing mistake since it required effort rather than just a default.
reply