Honda Civic Infotainment Vulnerability Enables Malware Installation via USB

Quick answer
A critical vulnerability in the 2021 Honda Civic's infotainment system allows unauthorized app installations via USB using public Android Open Source Project (AOSP) test keys.
Software developer Erik McDonald has discovered a critical vulnerability in the 2021 Honda Civic's infotainment system. The issue stems from inadequate protection during USB-based software updates: the system accepts files signed with public Android Open Source Project (AOSP) test keys. This allows attackers to install unauthorized applications, including malware.
The expert outlined an attack scenario dubbed "EvilValet." For instance, if a vehicle owner leaves their car with valet parking or a service center, an attacker could exploit temporary access to install spyware. The malicious app can collect data from vehicle sensors, including audio recordings, location tracking, and even video footage. The stolen data can then be transmitted via Bluetooth, Wi-Fi, or mobile networks.
While the vulnerability does not impact critical vehicle safety systems, it poses a serious threat to user privacy. McDonald noted that such issues are common in the automotive industry, where manufacturers often overlook basic security measures despite increasing digitalization. He cited Volkswagen's refusal to patch vulnerabilities in Audi and VW models due to lack of over-the-air (OTA) update capabilities as an example.
For 2021 Honda Civic owners, McDonald has developed "jailbreak" tools for the infotainment system, available on GitHub. However, he warns that improper use could render the system inoperable, requiring a full replacement.
Common questions
- Which Honda Civic models are affected by this vulnerability?
  - The vulnerability has been confirmed for the 2021 Honda Civic. Similar risks may exist in other models using comparable infotainment systems.
- Can attackers gain full control of the vehicle through this flaw?
  - No, the vulnerability only affects the infotainment system. Critical functions like engine control or braking remain secure and inaccessible.
- How can owners protect against EvilValet attacks?
  - Avoid handing over the vehicle to third parties unnecessarily and never connect untrusted devices to the USB port. Manufacturers should enhance software update security protocols.
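On the manufacturer side, one release-gate check for the test-key problem described above is to refuse any update package whose declared signing certificate is a public test certificate. The sketch below is an added example, not Honda's or McDonald's code; it assumes an AOSP-style OTA ZIP that carries its certificate at `META-INF/com/android/otacert`, and the certificates and denylist are constructed stand-ins (a real denylist would hold the fingerprints of the public AOSP test certificates).

```python
import base64
import binascii
import hashlib
import io
import zipfile

# Assumption: the update is an AOSP-style OTA ZIP that carries the signer's
# certificate as PEM at this path; the page does not describe Honda's format.
OTACERT_PATH = "META-INF/com/android/otacert"

def pem_fingerprint(pem_text):
    """SHA-256 (hex) of the DER bytes inside one PEM certificate block."""
    lines = (ln.strip() for ln in pem_text.splitlines())
    body = "".join(ln for ln in lines if ln and not ln.startswith("-----"))
    if not body:
        raise binascii.Error("empty certificate")
    return hashlib.sha256(base64.b64decode(body, validate=True)).hexdigest()

def check_update_package(zip_bytes, denied):
    """Return 'pass', 'reject:test-key' or 'reject:no-cert' (fails closed)."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            pem = zf.read(OTACERT_PATH).decode("ascii")
        fp = pem_fingerprint(pem)
    except (zipfile.BadZipFile, KeyError, UnicodeDecodeError, binascii.Error):
        return "reject:no-cert"  # unreadable or missing certificate
    return "reject:test-key" if fp in denied else "pass"

# --- Constructed sample data (hypothetical helpers, not real certificates) ---
def make_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "\n-----END CERTIFICATE-----\n"

def make_package(pem):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if pem is not None:
            zf.writestr(OTACERT_PATH, pem)
        zf.writestr("payload.bin", b"constructed payload")
    return buf.getvalue()

TEST_PEM = make_pem(b"constructed stand-in for a public test certificate")
PROD_PEM = make_pem(b"constructed stand-in for a vendor release certificate")
DENIED = {pem_fingerprint(TEST_PEM)}  # placeholder denylist

if __name__ == "__main__":
    for label, pem in (("test", TEST_PEM), ("release", PROD_PEM), ("none", None)):
        print(label, check_update_package(make_package(pem), DENIED))
```

This only inspects the certificate the package declares; the device-side updater still has to verify the package signature and trust only the vendor's production key.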