Honda Civic Vulnerable to Evil Maid Attack: Code Execution Possible via USB Physical Access

A security investigation has revealed that the Honda Civic is vulnerable to the so-called “Evil Maid Attack.” This attack method, where an attacker with physical access modifies a device in a way that is difficult to detect, has now been shown to be applicable to modern connected cars, highlighting the reality of the threat.

The Nature of the Vulnerability

The core of the issue lies in the Android software packages installed in the Honda Civic. According to reports from Solidot, these packages are signed using publicly available AOSP (Android Open Source Project) test keys. Test keys are intended for verification purposes during development and should not be used in production versions. Because the packages are signed with keys that anyone can obtain, the signature verification mechanism is effectively non-functional.

If an attacker can physically access the vehicle’s USB port, they can write arbitrary software packages and execute arbitrary code. As a specific attack scenario, researchers have pointed to a malicious hotel valet parking attendant. An attacker could modify the vehicle via USB during a short parking period, then later remotely access the vehicle.

Technical Background

An Evil Maid Attack is a technique where an attacker with physical access modifies a device’s firmware, bootloader, or operating system, allowing later access to the device or its internal data. While this was previously known as an attack on laptops and smartphones, the noteworthy aspect here is its confirmed applicability to automobiles.

A detailed analysis by researchers at Juniperspring shows a fundamental problem with the signature verification of Android packages used in Honda vehicles. AOSP test keys are publicly available in the source code repository, and no special privileges are required to obtain them. Consequently, anyone in a physical position to access the USB port can install a modified package on the vehicle as if it were legitimate.

Scope of Impact and Risk Assessment

With the proliferation of connected cars, vehicle software security has become more important than ever. While in-vehicle infotainment systems are generally separate from engine control units, interconnection through gateways is increasing, and the risk that a compromise of the infotainment system could extend to driving safety-related systems cannot be ruled out.

Exploiting this vulnerability requires physical access to the USB port. This constraint raises the practical difficulty of an attack, but the possibility of insider attacks by individuals with legitimate physical access—such as parking lot staff handling parked vehicles, rental car companies, or service center employees—cannot be ignored.

Honda is expected to replace the test keys before shipping production vehicles. This issue stems from a lack of basic security practices regarding the use of test keys, and fundamentally requires a review of the software signing process.

Implications for the Industry

This case highlights challenges in software supply chain management within the automotive industry. With the spread of Android Automotive OS and Android Auto, automakers are increasingly dependent on Google’s ecosystem. The misuse of AOSP test keys is a typical example of a decision that fails to balance development efficiency with production security.

The software stack in automobiles is growing more complex each year, underscoring the importance of reliably implementing basic security mechanisms such as firmware signing, boot chain verification, and application sandboxes.

Editorial Opinion

This issue demonstrates that automotive security challenges remain vulnerable not only to conventional cyberattacks but also to classic methods requiring physical access. In the short term, Honda will likely need to add some form of authentication mechanism for package writes via USB port, or replace the signing keys through an OTA update. Within 3 to 6 months, similar misuse of test keys may be discovered in in-vehicle Android systems from other manufacturers.

From a long-term perspective, the push for stricter regulations on connected car software security will likely accelerate. While UN R155 (international standard for cybersecurity management systems) and ISO 21434 are becoming mandatory from 2025 onward, this case raises questions about the effectiveness of the scope these standards cover. Automakers need to fundamentally overhaul security audits across the entire supply chain and management processes for test keys during development.

We would like readers to consider the extent to which threat models assuming physical access should be incorporated into automotive design philosophy. As the Evil Maid Attack—traditionally targeting information systems—has now extended to automobiles as physical assets, the premises of security design are undergoing a major shift.

References

• Solidot: Honda Civic Vulnerable to “Evil Maid Attack” — Published 2026-06-15
• Juniperspring: Honda Evil Valet — Researcher’s blog
• Wikipedia: Evil maid attack