As more and more of the ‘smart’ infotainment systems in cars begin to age out of support, it becomes increasingly more relevant to figure out how to do something with that lump of computer-and-display sitting prominently in the dashboard.
Here [Eric McDonald]’s reverse-engineering of the 2012-era Android-based infotainment system in a 2021 Honda Civic is an interesting case study, with recently the discovery made that the head unit of these infotainment systems can be updated via USB by using standard Android Open Source Project (AOSP) test keys as these were left on the file system.
This is a nice update to his initial reverse-engineering back in the innocent days of 2023, when such a facepalm-worthy exploit seemed unimaginable, but then the ‘s’ in ‘infotainment’ has always stood for ‘security’. In this exploit that [Eric] calls the EvilValet attack, it means that anyone with physical access to the USB port inside the car can theoretically run arbitrary code signed with these test keys, as documented in the GitHub project.
So far this rather foolish security issue has only been confirmed on [Eric]’s 2021 Honda Civic, but considering how those – often third-party – infotainment systems tend to get reused and recycled across generations and car variants, it’s quite possible that more Android-based infotainment systems have this vulnerability.
This exploit is obviously a double-edged sword, as on one hand it’s great that an owner of one of these cars can now basically do whatever they want with said infotainment system, but on the other hand it means that anyone who slides into your car with a USB stick can do the same.
One of my most amusing realizations about how this world works is what Honda Civics taught me about “brand maturation.” When a cheapo brand like the Honda Civic is introduced, young people buy it, fall in love, and become loyal customers. They get richer too, and want bigger cars that burn more gasoline. Honda dutifully changed the Civic to suit. It is no longer a cheapo little car for broke young people, something I discovered in my late 30s when I went to buy my fourth or fifth Civic. Now you have to buy a Honda Fit for that product, though of course some day there will be a Honda Fit SUV.
I’m in my mid 40s, have a great job and am more than capable of buying a more expensive car. I still drive my 09 fit which is about to approach 300k miles. It gets me where I am going reliably with no payment and relatively good gas mileage. Meanwhile the money I could pay for a ‘better’ car goes towards building the retirement fund with which I hope to one day buy some time to hack on my own projects before I die.
I actually like cars. But I am convinced that people spend way too much on them. It’s a brainwashed culture thing.
Oh yes, bring this issue to light.
So the next generation is locked down better and can no longer be updated making the car a paperweight as soon as it’s paid off.