2021 Honda Civic Headunit Accepts Public AOSP Test Key for USB Updates
The EvilValet attack on 2021 Honda Civics stems from retention of the AOSP test key in production headunit recovery. Physical USB access yields unsigned code execution. No vendor patch or CVE exists yet.
Reverse engineering of the 2021 Honda Civic headunit mapped the USB update path through Android recovery. Honda applies multiple proprietary checks before staging a signed AOSP payload. The recovery binary retains stock verify_file logic, which accepts the well-known AOSP test key rather than a rotated production key.
Verification used the publicly downloadable MRC_EU_SW_v12_4.zip archive. Its signatures matched the test key present in the headunit keystore. The ota-builder tool now automates package construction, allowing any properly formatted update to execute without setuid root. This constitutes a persistent evil-valet vector once physical cabin access is obtained.
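As an added illustration of the check the text describes (example code, not from the original post, Honda or AOSP): a stdlib-only Python audit that reads the whole-file signature footer the way AOSP recovery's verifier.cpp does, extracts the signer certificate fingerprints from the PKCS#7 blob, and flags a package unless every signer is on an allowlist of production keys. The sample OTA bytes and the 5-byte dummy certificate are constructed; the DER walk assumes signapk's standard SignedData layout.

```python
# Added audit example, not code from the original post, Honda or AOSP. Parses the
# whole-file signature footer that AOSP recovery's verifier.cpp reads and reports the
# SHA-256 of each signer certificate. Stdlib only; assumes the layout signapk writes.
import hashlib
import struct

def der_tlv(buf, off):                              # -> (tag, value_start, value_end)
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + ln

def der_children(buf, start, end):                  # -> (tag, elem_start, value_start, value_end)
    while start < end:
        tag, vs, ve = der_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def parse_footer(data):
    """Footer per verifier.cpp: sig_start(LE16) | ff ff | comment_size(LE16). Returns (PKCS#7, signed_len)."""
    sig_start, magic, comment_size = struct.unpack("<HHH", data[-6:])
    eocd = len(data) - comment_size - 22            # EOCD record sits just before the comment
    if magic != 0xFFFF or not 6 < sig_start <= comment_size or eocd < 0:
        raise ValueError("no AOSP whole-file signature footer")
    if data[eocd:eocd + 4] != b"PK\x05\x06" or data[eocd + 20:eocd + 22] != data[-2:]:
        raise ValueError("footer comment size disagrees with EOCD record")
    return data[len(data) - sig_start:len(data) - 6], len(data) - comment_size - 2

def signer_fingerprints(pkcs7):
    """SHA-256 of every certificate in SignedData.certificates ([0] IMPLICIT)."""
    _, s, e = der_tlv(pkcs7, 0)                                       # ContentInfo SEQUENCE
    _, s, e = der_tlv(pkcs7, list(der_children(pkcs7, s, e))[1][1])   # [0] EXPLICIT content
    _, s, e = der_tlv(pkcs7, s)                                       # SignedData SEQUENCE
    for tag, _, vs, ve in der_children(pkcs7, s, e):
        if tag == 0xA0:
            return [hashlib.sha256(pkcs7[es:ce]).hexdigest()
                    for _, es, _, ce in der_children(pkcs7, vs, ve)]
    return []

def audit(data, allowed):
    """Trusted only if every signer certificate is on the production allowlist."""
    fps = signer_fingerprints(parse_footer(data)[0])
    return {"signers": fps, "trusted": bool(fps) and all(f in allowed for f in fps)}

def sample_ota():
    """Constructed sample: empty zip (bare EOCD) plus a hand-built SignedData blob with one dummy cert (3003020102)."""
    pkcs7 = bytes.fromhex("301d06092a864886f70d010702a010300e02010131003000a0053003020102")
    comment = pkcs7 + struct.pack("<HHH", len(pkcs7) + 6, 0xFFFF, len(pkcs7) + 6)
    data = b"PK\x05\x06" + b"\x00" * 16 + struct.pack("<H", len(comment)) + comment
    return data, hashlib.sha256(bytes.fromhex("3003020102")).hexdigest()
```

Pinning the allowlist to the rotated production certificate, rather than any key that happens to be in the recovery keystore, is the check a hardened headunit build would enforce before staging an update.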
The finding exposes a systemic pattern in automotive Android deployments where AOSP debug artifacts ship in production ECUs. No CVE has been assigned. Affected units remain vulnerable until Honda rotates the verification key or disables the USB update path entirely.
Honda has not published a timeline. Owners can mitigate exposure only by denying unsupervised physical access to the cabin USB port.
Honda: Publishes key rotation or USB update disablement for 2021 Civic headunits within 9 months
Sources (2)
- [1] [Primary Source](https://juniperspring.org/posts/honda-evil-valet/)
- [2] [AOSP Recovery Verification](https://android.googlesource.com/platform/bootable/recovery/+/refs/heads/master/verifier.cpp)