A software architect has discovered that the infotainment system in a 2021 Honda Civic can be compromised through the car's front USB port — and the method is surprisingly straightforward.

According to Tom's Hardware, the researcher found that the head unit runs Android Open Source Project (AOSP) software and requires a signed file to accept updates. The catch: the signing key used is the publicly known AOSP test key, one that Google distributes openly for development purposes. That means anyone who knows where to look can sign their own software and push it onto the system.

The result, as Tom's Hardware reports, is that the researcher could "practically install anything" on the infotainment system just by plugging into the USB port that most drivers use to charge their phones or play music.

The disclosure also introduces the concept of an "EvilValet" attack — a scenario where someone with brief physical access to your car, like a parking attendant or service technician, could plug in a device and silently install malicious software on your vehicle's computer without leaving any obvious trace.

Modern car infotainment systems are far more than glorified radio panels. They often connect to navigation, Bluetooth, contacts, call logs, and in some cases vehicle diagnostics. A compromised system could expose personal data, track location, or serve as a foothold for deeper intrusion depending on how the car's internal networks are configured.

Honda has not been quoted in the source material, and it is not clear whether a patch has been issued. The vulnerability matters because it demonstrates that a decades-old software development shortcut — shipping with default test keys — has made its way into consumer vehicles sitting in millions of driveways.