by librick
1116 days ago
Addressing "(It doesn't have a cellular data connection so it's not a security risk)" - I wouldn't say it's not a security risk. Check out the Bluetooth docs in the repo for example. Cellular data is only one interface out of many others (Bluetooth, Wi-Fi, CAN, XM radio, HD radio). Jailbreaking anything isn't without its risks. Further, I agree that it's reasonable to ship a 2016 car with 2012 software. But I've seen no evidence that these headunits have gotten security updates within that timeframe. Think of it like a smartphone. I can make do with a phone that's a few years old, but I have an expectation that it will receive timely security updates. In the case of the Honda headunits, they run Android. They should receive Android security patches (I'll admit there's certainly complexity there, Google has long struggled with the tradeoff between device security and AOSP ubiquity). There's nothing wrong with using an older version of Android or an LTS kernel, but it should still receive security patches. Last year, some Mazda cars were accidentally bricked by a radio station broadcast omitting file extensions: https://arstechnica.com/cars/2022/02/radio-station-snafu-in-.... That was an accident, not the work of a malicious actor. Consider Stagefright bugs. As I understand it, although it was published in 2015, it affected several earlier Android versions, including 4.2.2. See: https://en.wikipedia.org/wiki/Stagefright_(bug). As far as I know, my car was never patched against Stagefright bugs. All it takes is a bug in one library (such as for HD radio image processing) and a well-published Android for something like this to be a big problem. It's complicated; I like jailbreaking. I also think Honda should ship higher-quality software with better security policies and update guarantees.