• Category: Security
  • Status: discussion
  • Sources: Researcher write-up, HN discussion
  • Summary: A researcher (Eric McDonald) reports that the Android-based head unit in a 2021 (10th generation) Honda Civic verifies USB update packages against the publicly known AOSP test signing key left in res/keys, so a crafted update signed with that public key is accepted and executed. With physical access to the front USB port, an attacker can install arbitrary code in an "evil valet" scenario. The original research dates to 2023, with a status update on 2026-06-13.
  • Why it matters: Shipping production firmware that trusts the public AOSP test key removes the signing boundary entirely, a recurring failure mode in embedded and automotive update chains.

Send feedback on this story