Infrastructure June 14, 2026 mixed ⇧ 317 pts across 1 thread

The Car as a Hackable Platform Is Getting Harder to Ignore

The Honda Civic firmware update story described how Honda ships over-the-air updates on specially formatted USB drives, using Android 4.2.2-era recovery package formats whose weak version checks can be bypassed. A researcher reverse-engineered the process and named the attack 'EvilValet', covering a scenario in which a few minutes of physical access to a car allows firmware modification. Commenters immediately asked whether this could be used to run LineageOS on the car, treating the infotainment system as just another Android device.

The pattern: car manufacturers are shipping complex software systems built on decade-old foundations with minimal security rigor. The gap between what automotive infosec researchers can do and what manufacturers have deployed is still enormous. This has been true for years, but the Honda thread shows it is still very much an open problem on current-generation vehicles.

The counterpoint is that physical access requirements limit the practical threat surface for most owners. But the deeper issue is that car manufacturers are not treating their software as a serious security engineering problem, which means the attack surface keeps growing as connectivity increases.


So what?

Founders building anything in the automotive software, fleet management, or connected vehicle space need to understand that the security baseline in production vehicles is genuinely low. That is both a risk (your product runs on a compromised platform) and an opportunity (there is real demand for the security and observability layer that does not exist yet).
