tl;dr: A reverse engineer discovered that 2021 Honda Civic headunits accept USB firmware updates signed with the publicly-known AOSP test key, enabling arbitrary code execution with brief physical access to the cabin USB port—an attack dubbed "EvilValet." The author released ota-builder and apk-rebuilder tools to facilitate building custom update files and reverse engineering, and is calling for contributors to catalog headunit versions and extend tooling since they're winding down active work on the project.