
This isn't a new issue at all, but it seems that automakers still don't care enough about the cybersecurity of their vehicles.
If you know how to set up a USB drive and sign it with this AOSP test key, you (or anyone else, for that matter) can potentially install anything on your head unit through the update path. While this is useful for tinkerers who want to get more out of their vehicles, McDonald also noted that it can be used for an “evil maid attack.” This method of compromising hardware relies on someone with temporary physical access (like a hotel maid, for example) installing malware on equipment. In their example, they said that a journalist could leave their car with a valet, and the valet could then install malware on the infotainment system, thus giving the vulnerability the name “EvilValet.”
Once the app or malware has been installed, it could then use the myriad sensors that vehicles have to record conversations, track locations, and even capture video recordings with the owner none the wiser. It could then use the various wireless connectivity options of the infotainment system, like Bluetooth, Wi-Fi, or even cellular, to exfiltrate the data it captured.
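For anyone auditing head-unit firmware for the test-key problem described above, the following added example (not code from McDonald's tools or from the original article) checks whether an Android update trust store contains a certificate that is publicly available. It assumes the unit uses the standard Android `otacerts.zip` store of PEM certificates, which the article does not confirm; the entry names and certificate bytes in `demo()` are constructed.

```python
import base64, hashlib, io, re, zipfile

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def cert_fingerprints(pem_text):
    """SHA-256 fingerprints of every certificate found in a PEM string."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def audit_otacerts(otacerts_zip, public_test_pems):
    """Return {entry name: True if that cert is a publicly available test cert}."""
    known = set()
    for pem in public_test_pems:
        known |= cert_fingerprints(pem)
    findings = {}
    with zipfile.ZipFile(io.BytesIO(otacerts_zip)) as zf:
        for name in zf.namelist():
            pem = zf.read(name).decode("ascii", errors="replace")
            findings[name] = bool(cert_fingerprints(pem) & known)
    return findings

def _pem(der):
    """Wrap bytes in PEM armor (used only to build the constructed samples)."""
    b64 = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"

def demo():
    # Constructed stand-ins, not real certificates: only the bytes matter here.
    public_test = _pem(b"constructed stand-in for the public AOSP test cert")
    vendor_only = _pem(b"constructed stand-in for a private vendor cert")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("testkey.x509.pem", public_test)   # constructed entry name
        zf.writestr("vendor.x509.pem", vendor_only)    # constructed entry name
    return audit_otacerts(buf.getvalue(), [public_test])

if __name__ == "__main__":
    for name, bad in demo().items():
        print(("PUBLIC TEST CERT  " if bad else "ok                ") + name)
```

In a real audit, `public_test_pems` would hold the test certificates published in the AOSP source tree under `build/make/target/product/security/`, and any entry flagged `True` means update packages signed with the matching public private key would be accepted.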
Vulnerabilities like these have been known for years in the car industry — we have a report from eight years ago where Volkswagen refused to patch a flaw that could be exploited over the internet on VW and Audi models because they don’t have OTA update capabilities. There has also been a 2017 post on WikiLeaks that suggests that the CIA looked into taking control of cars remotely through vehicle vulnerabilities. While internet connectivity and software features have made driving more convenient, the lack of even basic security is alarming. This is only bound to get worse as almost every new car available today has some form of advanced driver assistance systems, digital infotainment systems, wireless connectivity features, and more.
If you want to experiment with the head unit on your 2021 Honda Civic, McDonald built tools to make it easier to “jailbreak.” You can check out the available files on GitHub, but, as usual, you should be careful when tinkering with the infotainment system on your vehicle, as you could end up bricking it, meaning you’ll have to replace it with a new one instead.