2021 Honda Civic Infotainment System Vulnerable to USB Jailbreak via Public Android Keys
A security flaw has been identified in the 2021 Honda Civic's infotainment system, allowing for unauthorized application installation via the front USB port. This vulnerability, discovered by a software architect, exploits publicly known Android Open Source Project (AOSP) test keys. While the head unit requires a signed AOSP file for updates, the public availability of the AOSP test key means that individuals with sufficient technical knowledge could potentially create their own malicious update files. This security weakness also enables a type of exploit known as "EvilValet" attacks.

A software architect has discovered a security vulnerability in the infotainment system of the 2021 Honda Civic. This flaw reportedly allows the system to be "jailbroken" through the vehicle's front USB port, enabling the installation of unauthorized applications.
The vulnerability stems from the system's reliance on publicly known Android Open Source Project (AOSP) test keys. Because these keys are public, they can be used to bypass the system's signature check and load unapproved software onto the infotainment unit.
The infotainment head unit is designed to require a signed AOSP file for system updates, but the AOSP test key is public knowledge, which undermines this security measure. Individuals with the technical expertise could potentially construct their own update files and load them with malware.
The flaw also enables a class of attack referred to as "EvilValet" attacks.
According to Tom's Hardware, this discovery was made by a software architect who demonstrated the ability to install various applications on their own vehicle's infotainment system.
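A defender-side check for the condition described above, as an added example that is not from the original report or from Honda: it audits an Android `build.prop` for the standard markers of a test-key build (`ro.build.tags`, the tags field of `ro.build.fingerprint`, and `ro.build.type`). It assumes the head unit exposes these standard Android properties; the sample files are constructed, and because the tags are build metadata, a clean result should still be confirmed by comparing the image's signing certificate with the vendor's release certificate.

```python
# Added example: flag Android builds that declare AOSP test-key signing.
# Sample inputs below are constructed, not taken from any real head unit.
TEST_KEY_BUILD = """\
# constructed sample
ro.build.type=userdebug
ro.build.tags=test-keys
ro.build.fingerprint=vendor/headunit/headunit:9/BUILD.000/1234:userdebug/test-keys
"""

RELEASE_BUILD = """\
# constructed sample
ro.build.type=user
ro.build.tags=release-keys
ro.build.fingerprint=vendor/headunit/headunit:9/BUILD.000/1234:user/release-keys
"""


def parse_build_prop(text):
    """Parse key=value lines of an Android build.prop into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props


def audit_signing(props):
    """Return findings that indicate a test-key or debug build."""
    findings = []
    tags = {t.strip() for t in props.get("ro.build.tags", "").split(",")}
    if "test-keys" in tags:
        findings.append("ro.build.tags: test-keys")
    elif "release-keys" not in tags:
        findings.append("ro.build.tags: release-keys not declared")
    # Fingerprint layout: brand/product/device:release/id/incremental:type/tags
    fingerprint = props.get("ro.build.fingerprint", "")
    if "test-keys" in fingerprint.rsplit("/", 1)[-1].split(","):
        findings.append("ro.build.fingerprint: test-keys")
    if props.get("ro.build.type") in ("eng", "userdebug"):
        findings.append("ro.build.type: " + props["ro.build.type"])
    return findings


if __name__ == "__main__":
    for name, text in (("test-key", TEST_KEY_BUILD), ("release", RELEASE_BUILD)):
        print(name, audit_signing(parse_build_prop(text)))
```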
