Skip to content
Tech News
← Back to articles

10th Gen Honda Civic Updates Are Signed with AOSP Test Keys

2026-06-14 | original
read original get Android Open Source Project Test Keys → more articles
Why This Matters

This discovery highlights a significant security vulnerability in Honda Civic's headunit update process, exposing vehicles to potential physical access attacks that could compromise the system. It underscores the importance of robust security measures in automotive software, especially as vehicles become more connected and reliant on software updates. Consumers and manufacturers alike must prioritize securing update mechanisms to prevent malicious exploits that could impact safety and privacy.

Key Takeaways

Three years ago, I published my initial work to understand and reverse engineer my car, specifically the headunit of my 2021 Honda Civic.

The initial response was incredibly encouraging. I’m writing to give a project update.

Keys to the Kingdom#

The biggest progress has been made while mapping out the update process.

Honda supports updating the headunit via USB. There are a number of Honda-specific checks, but ultimately the USB drive contains a signed AOSP update file that gets staged and applied via Android recovery. The good news? They left the publicly-known AOSP test key in res/keys *, and, even though they modified the recovery binary, the verify_file signature logic matches stock AOSP.

So as long as you can properly format a USB drive and sign it with the publicly-known AOSP test key, you can install whatever you want to the headunit, without conventional root access (no need for su with setuid ). This means that, as long as the headunit has power and an attacker has physical access to the front-most USB port, they have arbitrary code execution on the headunit via the update path.

This is an evil maid attack. Since it requires physical access to the cabin of the car rather than the hotel room, I call it an evil valet attack. Imagine a journalist drives to a hotel and leaves their car with the valet. The valet, who works for a three-letter agency, installs an update via USB. When the car is returned, the journalist doesn’t know the headunit has been modified. Since I want a cool vulnerability name, I’m calling this “EvilValet”.

This blog article is not intended as a technical writeup. If you want the gory details, see the technical docs.

I’ve also published a new tool, ota-builder, that allows people to easily prepare update files that will be accepted by the headunit. While in its early days, it should be trivial to now build an update file that, for example, installs an su binary with setuid set (i.e., to root the device).

*I have strong reason to believe that all updates are signed with the publicly-known AOSP test key, but I don’t have access to every possible official update file, nor access to every headunit variant and its filesystem. My headunit has the AOSP test key in res/keys , though I’ve also installed HondaHack, so it’s possible that it injected the key into the keystore. However, I’ve also confirmed that MRC_EU_SW_v12_4.zip , a publicly-available EU software update file, is test key signed. This file was downloaded from a public forum and was never modified by me. So it seems highly likely that all updates are signed with the AOSP test key. Contributors are welcome to help support or refute this hypothesis.

... continue reading

Explore topics: aosp honda civic headunit usb update evil maid
Related:
Microsoft designed some new Android-based hardware, and it’s not at all what you’re expecting
The Intolerable Hypocrisy of Cyberlibertarianism
The hypocrisy of cyberlibertarianism
Changes to Android Open Source Project
Google Will Now Only Release Android Source Code Twice a Year

© 2026 GoKawiil

About | Editorial Policy | Contact