Hacker NewsHacker News
10th Gen Honda Civic Updates Are Signed with AOSP Test Keys
101 points by librick 4 hours ago | 16 comments
librick 4 hours ago
To update 10th-gen Honda Civics, Honda ships updates on specially-formatted USB drives. They're essentially Android 4.2.2rc1-era recovery packages with some Honda-added version checks (which can be spoofed). The packages are signed with the publicly-known AOSP test key, so with physical access to the front USB port you can sign and flash your own package for arbitrary code execution on the headunit. This doesn't require root/su. I've run it end-to-end on my own 2021 Civic and separately confirmed an official EU update file carries the AOSP test-key signature. Tooling and writeup in the post.
reply
vel0city 56 minutes ago
A number of other cars' infotainment systems are also based on ASOP. I remember downloading updates for my Hyundai which were also essentially Android images
reply
hparadiz 45 minutes ago
The head units themselves are very dated and simply could not run recent versions of Android. I have a 2020 and I'm always eyeing up the after market units which are all better in every way.
reply
userbinator 14 minutes ago
IMHO this is a good sign(!?) that they didn't even think about locking down their systems against the owner.
reply
BobbyTables2 42 minutes ago
I’ve heard product managers proudly proclaim their firmware was signed using the corporate internal signing service (good).

Of course, the question explicitly being asked (related to internal mandate) was if the firmware was signed — not if the firmware update process actually checked the signature (it certainly did not).

reply
mschulkind 23 minutes ago
I'm surprised someone named BobbyTables2 wouldn't go straight for the proper way to check email PGP signatures...
reply
hnav 33 minutes ago
Wonder how good the rest of the security is. The head unit is likely hooked up to a CAN gateway, can it call into telematics. Maybe find some novel way to abuse carplay/aa to call home.
reply
hankbond 2 hours ago
Seeing more and more projects eschew code docs with the idea that "well architected code can be queried by LLMs" and stick to more functional runbook style docs. It really is unlikely that at any given point all of the docs of a project are up to date with the code.

I'm generally aligned with this, but it is predicated on the whole "well architected" code part.

reply
jmalicki 2 hours ago
I'd rather see unit tests as documentation.

The test can show intended use, show interesting corner cases, and I know it is up to date because it is constantly running and passing.

I think that is a huge underrated benefit of adding a lot more testing.

If I think a developer is going to ask a question of how something works, or about a corner case, isn't that deserving of a test, so they can just see proof of the answer to their question immediately rather than trying to re-derive it?

reply
hankbond 49 minutes ago
You know what, you are right on the money with that. I think if you expand to include functional/smoke/e2e tests, that covers pretty much everything documentation is supposed to be.

Just by running them you can measure if they are in or out of sync with the code (well, if they were written correctly).

reply
EPWN3D 58 minutes ago
LLMs are great at writing unit tests.
reply
t1234s 2 hours ago
Could you use this to get a version of lineage OS running on it?
reply
baby_souffle 2 hours ago
Yes, but it'll still be using their kernel so not all functionality from lineage might work.
reply
DANmode 2 hours ago
EvilValet, sick
reply
rootsudo 2 hours ago
Yeah jealous he even got to name an attack surface. Damn.
reply
bri3d 2 hours ago
Hyundai head units at one point used an RSA key you got by googling “RSA key” (no joke: https://programmingwithstyle.com/posts/howihackedmycar/ ), an honestly even more amazing mistake since it required effort rather than just a default.
reply