The 'EvilValet' Vulnerability: Privacy Risks in Modern Infotainment

By Mansa Muhammad

Automakers continue to overlook cybersecurity in vehicle software, leaving significant privacy gaps in consumer hardware. Software architect Eric McDonald discovered that the 2021 Honda Civic infotainment system contains a vulnerability accessible through the front USB port. The system allows head unit updates via USB but lacks strong security measures: the only check the hardware applies is that the update file is signed with the AOSP (Android Open Source Project) test key, which is publicly known.

This flaw enables what McDonald calls an “EvilValet” attack. By using a USB drive whose contents are signed with the AOSP test key, an individual with temporary physical access, such as a valet, can install unauthorized applications or malware. While this provides utility for tinkerers, the security implications are severe. Once malware is installed, it can use vehicle sensors to record conversations, track locations, and capture video. It can then use the system's Bluetooth, Wi-Fi, or cellular connectivity to exfiltrate the captured data.
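A defender-side check for the weakness described above, as an added example that is not code from the original article or from McDonald's research: it audits an Android-style OTA trust store for certificates whose fingerprints appear on a list of publicly known test keys. It assumes the store is a zip of X.509 certificates, as in AOSP's `otacerts.zip`; whether the Honda head unit uses that layout is an assumption, and the certificate bytes and fingerprint list below are constructed placeholders.

```python
import hashlib
import io
import ssl
import zipfile

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"

def cert_fingerprints(store_zip: bytes) -> dict:
    """Return {entry name: SHA-256 hex of the certificate's DER bytes}."""
    prints = {}
    with zipfile.ZipFile(io.BytesIO(store_zip)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            raw = zf.read(info)
            if raw.lstrip().startswith(PEM_HEADER):
                # PEM entry: strip the armor so the hash covers DER only
                raw = ssl.PEM_cert_to_DER_cert(raw.decode("ascii").strip())
            prints[info.filename] = hashlib.sha256(raw).hexdigest()
    return prints

def audit_trust_store(store_zip: bytes, public_keys: dict) -> list:
    """List (entry, label) for every trusted cert that is publicly known."""
    return [(name, public_keys[fp])
            for name, fp in sorted(cert_fingerprints(store_zip).items())
            if fp in public_keys]

def build_store(certs: dict) -> bytes:
    """Build a constructed trust-store zip from {name: DER bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, der in certs.items():
            zf.writestr(name, ssl.DER_cert_to_PEM_cert(der))
    return buf.getvalue()

# Constructed stand-ins, NOT real certificates or real fingerprints.
TEST_DER = b"constructed stand-in: public test certificate"
VENDOR_DER = b"constructed stand-in: vendor release certificate"
PUBLIC_KEYS = {hashlib.sha256(TEST_DER).hexdigest(): "public test key (placeholder)"}

WEAK_STORE = build_store({"testkey.x509.pem": TEST_DER})
MIXED_STORE = build_store({"release.x509.pem": VENDOR_DER, "testkey.x509.pem": TEST_DER})
FIXED_STORE = build_store({"release.x509.pem": VENDOR_DER})

if __name__ == "__main__":
    for label, store in [("weak", WEAK_STORE), ("mixed", MIXED_STORE), ("fixed", FIXED_STORE)]:
        print(label, audit_trust_store(store, PUBLIC_KEYS))
```

The mixed store is the case to watch in a release audit: adding a vendor key while leaving the test certificate in place still lets a test-key-signed package verify.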

The attack does not compromise the fundamental safety of the vehicle. Malware is limited to the infotainment system, meaning an attacker cannot remotely control the engine, braking systems, or unlock the vehicle. However, the privacy risk remains high. For high-value targets, this vulnerability allows attackers to compromise the vehicles of staff or security personnel to gather information for reconnaissance.

The persistence of such flaws suggests that the industry's focus remains on connectivity features rather than the security of the update path. As vehicles become more integrated with mobile ecosystems, the USB port remains a physical gateway for unauthorized software.

Consider whether the convenience of seamless software updates justifies the current lack of verification standards in automotive hardware.
