What is the story behind Honda Civics and the Evil Valet? — start with https://juniperspring.org/posts/honda-evil-valet/ and browse beyond it.
## The Story Behind Honda Civics and the "Evil Valet" Attack
**Overview**
The "Evil Valet" vulnerability is a critical security flaw discovered by researcher Eric McDonald in the infotainment system (headunit) of 10th-generation Honda Civics (specifically his 2021 model). It allows an attacker with brief physical access to the vehicle to gain complete control over the car's computer system via a simple USB update.
### The Vulnerability: "Evil Valet"
McDonald discovered that Honda's headunit update process relies on **Android Open Source Project (AOSP) recovery mechanisms**. Crucially, Honda left the **publicly known AOSP test key** in the system's `res/keys` directory. This means the system accepts software updates signed with this default, publicly available key.
**How the Attack Works:**
1. **Physical Access:** An attacker needs only brief access to the front USB port of the car (e.g., a valet, mechanic, or someone at a parking lot).
2. **Malicious Update:** The attacker inserts a USB drive containing a specially crafted update file signed with the AOSP test key.
3. **Execution:** The headunit accepts the update, granting the attacker **arbitrary code execution** without needing to root the device conventionally.
4. **Persistence:** The modified headunit can then be used to monitor the driver, track location, or potentially interfere with vehicle functions.
McDonald named this an "Evil Valet" attack, a variation of the classic "Evil Maid" attack, highlighting the risk of leaving a car with an untrusted valet.
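To audit a firmware image for this condition, the added example below (not code from McDonald's repositories or from Honda) parses key entries in the text format that AOSP's `dumpkey` tool writes for recovery's `res/keys`, rebuilds each RSA modulus, and reports any that appear in a caller-supplied list of publicly known keys. The format details and helper names are assumptions, and the sample moduli are constructed stand-ins, not real keys.

```python
import hashlib
import re

MASK = 0xFFFFFFFF
# Assumed entry layout: optional "vN " prefix, then {nwords,n0inv,{modulus limbs},{R^2 limbs}}
KEY_RE = re.compile(r"(?:v(\d)\s+)?\{(\d+),(0x[0-9a-fA-F]+),\{([^}]*)\},\{([^}]*)\}\}")

def parse_res_keys(text):
    """Return (version, modulus) for every key entry in a res/keys dump."""
    keys = []
    for ver, nwords, n0inv, n_words, _rr in KEY_RE.findall(text):
        # Limbs are little-endian 32-bit words; some dumps print them as signed ints.
        limbs = [int(w) & MASK for w in n_words.split(",")]
        if len(limbs) != int(nwords):
            raise ValueError("limb count does not match header")
        # n0inv is -1/n[0] mod 2^32, so this catches truncated or mangled entries.
        if (int(n0inv, 16) * limbs[0] + 1) & MASK:
            raise ValueError("n0inv inconsistent with modulus")
        keys.append((int(ver or 1), sum(l << (32 * i) for i, l in enumerate(limbs))))
    return keys

def fingerprint(modulus):
    """SHA-256 of the big-endian modulus bytes, for readable reports only."""
    raw = modulus.to_bytes((modulus.bit_length() + 7) // 8, "big")
    return hashlib.sha256(raw).hexdigest()

def audit(text, known_public):
    """Per trusted key: (short fingerprint, label of matching public key or None)."""
    by_modulus = {m: label for label, m in known_public.items()}
    return [(fingerprint(m)[:16], by_modulus.get(m)) for _v, m in parse_res_keys(text)]

# --- constructed sample data below: stand-in moduli, not real RSA keys ---
def fake_modulus(seed):
    raw = b"".join(hashlib.sha256(seed + bytes([i])).digest() for i in range(8))
    return int.from_bytes(raw, "big") | (1 << 2047) | 1  # 2048-bit and odd

def dump_key(modulus, version=2):
    """Serialise a modulus in the assumed format (sample generation only)."""
    def words(x):
        return ",".join(str((x >> (32 * i)) & MASK) for i in range(64))
    n0inv = -pow(modulus & MASK, -1, 1 << 32) & MASK
    return "v%d {64,0x%x,{%s},{%s}}" % (version, n0inv, words(modulus), words(pow(2, 4096, modulus)))

PUBLIC_TEST = fake_modulus(b"stand-in for a published test key")
VENDOR = fake_modulus(b"stand-in for a private vendor key")
SAMPLE = dump_key(VENDOR) + "," + dump_key(PUBLIC_TEST)

if __name__ == "__main__":
    for fp, label in audit(SAMPLE, {"public test key (placeholder)": PUBLIC_TEST}):
        print(fp, "PUBLICLY KNOWN: " + label if label else "not in known-public list")
```

In a real audit, `known_public` would hold moduli extracted from certificates whose private keys are published, and any match means the image accepts updates that anyone can sign.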
### The Original Research (2023)
In May 2023, McDonald published his initial reverse engineering work on the Honda Civic headunit on GitHub (`librick/ic1101`). His motivations included:
* **Security Auditing:** To understand the security posture of his own vehicle.
* **Open Source Ecosystem:** To create free, open-source tools for rooting and modifying Honda headunits, challenging paid services like "Honda Hack."
* **Modernization:** To enable porting newer, more secure versions of Android to the aging infotainment system (which runs Android 4.2.2 from 2012).
He noted that the headunit, based on an NVIDIA Tegra 3 SoC, runs outdated software with known vulnerabilities (like Stagefright) and has a large attack surface via Bluetooth, Wi-Fi, and radio interfaces.
### The 2026 Update: "Status Update, Three Years Later"
In June 2026, McDonald provided a significant update, detailing progress and new tools:
1. **Confirmed "Evil Valet" Attack:** He confirmed that the vulnerability is real and practical. He also verified that a publicly available European Honda update file (`MRC_EU_SW_v12_4.zip`) is signed with the same AOSP test key, suggesting this is a widespread issue.
2. **New Tools Released:**
   * **`ota-builder`:** A tool that allows users to easily create malicious update files that the headunit will accept, enabling attacks or custom modifications.
   * **`apk-rebuilder`:** A tool that automates the reverse engineering process of Honda's update files, extracting resources, reconstructing code, and repacking APKs without distributing sensitive Honda code.
3. **Call for Contributors:** McDonald is seeking community help to:
   * Catalog known software versions for different Civic trims.
   * Develop a clean toolchain for compiling custom code for the headunit.
   * Improve tools for mapping AIDL interfaces (to enable custom apps like virtual speedometers).
### Key Takeaways
* **Critical Risk:** The "Evil Valet" attack demonstrates a severe security oversight by Honda, allowing complete system compromise with minimal physical access.
* **Outdated Software:** The headunit runs a decade-old version of Android with unpatched vulnerabilities, posing ongoing security risks.
* **Open Source Response:** McDonald's work provides the tools for both security researchers and enthusiasts to understand, audit, and modify their vehicle's software, promoting transparency and user control.
**Sources:**
- [Honda Civics and the Evil Valet (2026 Update)](https://juniperspring.org/posts/honda-evil-valet/)
- [Honda Civic Reverse Engineering (2023 Original)](https://juniperspring.org/posts/honda-reverse-engineering/)
- [GitHub Repository: librick/ic1101](https://github.com/librick/ic1101/)
- [Hackaday Coverage of Original Research](https://hackaday.com/2023/06/27/honda-headunit-reverse-engineering-and-the-dismal-state-of-infotainment-systems/)