
This isn't a new issue at all, but it seems that automakers still don't care enough about cybersecurity in their vehicles.
If you know how to set up a USB drive and sign it with this AOSP test key, you (or anyone else, for that matter) can potentially install anything on your head unit through the update path. While this is useful for tinkerers who want to get more out of their vehicles, McDonald also noted that it can be used for an “evil maid attack.” This method of compromising hardware relies on a person's temporary physical access (a hotel maid, for example) to install malware on equipment. In their example, they said that a journalist could leave their car with a valet, and that valet could then install malware on the infotainment system, thus giving the vulnerability the name “EvilValet.”
Once the app or malware has been installed, it could then use the myriad sensors that vehicles have to record conversations, track locations, and even capture video recordings with the owner none the wiser. It could then use the various wireless connectivity options of the infotainment system, like Bluetooth, Wi-Fi, or even cellular, to exfiltrate the data it captured.
Vulnerabilities like these have been known for years in the car industry: we have a report from eight years ago where Volkswagen refused to patch a flaw that could be exploited over the internet on VW and Audi models because those models don’t have OTA update capabilities. A 2017 post on WikiLeaks also suggests that the CIA looked into taking control of cars remotely through vehicle vulnerabilities. While internet connectivity and software features have made driving more convenient, the lack of even basic security is alarming. This is only bound to get worse as almost every new car available today has some form of advanced driver assistance systems, digital infotainment systems, wireless connectivity features, and more.
If you want to experiment with the head unit on your 2021 Honda Civic, McDonald built tools to make it easier to “jailbreak.” You can check out the available files on GitHub, but, as usual, you should be careful when tinkering with the infotainment system on your vehicle, as you could end up bricking it, meaning you’ll have to replace it with a new one.