Identifying and Averting Security Threats to Android™ Automotive Based Systems

Identifying and Averting Security Threats to Android™ Automotive Based Systems

4.3.2021 | Author: Manu Kemppainen, Bittium Fellow

Connected car systems are increasingly becoming one of the decisive purchasing criteria for buyers. According to German industry association Bitkom[1], systems such as driver assistance and other digital services, are now more important to many consumers than engine performance or brands. This opens up a huge market potential for system designers and OEMs. But with the ubiquitous penetration of connected systems in cars, security threats find their way into the world of automotive technology such as in-vehicle infotainment (IVI) systems. As these systems are often connected to the user's mobile devices or applications and have access to private data, the security concerns affect various fields – from connectivity to confidentiality. In opposite to the strictly regulated automotive core technology, more and more IVIs are based on open operating systems such as Android Automotive.

Before going into the specific concerns for in-vehicle infotainment systems, let's have a quick recap on the fundamental security principles. There are three main aspects that need to be taken into account: Confidentiality, Integrity and Availability – the so-called CIA triad. Confidentiality in this context means that data should not be made available to parties that have not been approved. Integrity means that protected data could not be modified without approval – or at least the modifications will be detected. Last but not least, availability means that data needs to be accessible when needed.

 

The CIA Security Model in the Context of Android Based In-Vehicle Infotainment Systems

CIA – Confidentiality

The threats to user privacy in IVI systems include three main areas:

  • Unauthorized access primarily results in personal data being leaked to a third party via the device.

The Android operating system (OS) is designed to allow different users to gain access to certain systems. This is also true for the Android Automotive OS. To avoid unauthorized access, various login methods can be utilized. For vehicle systems, such as IVIs, some of the standard methods hinder usability, such as typing in a PIN number. Typing in a PIN would be difficult while driving and would also be visible to all the passengers in the car.

An alternative and highly secure authorization method is biometric identification. It is already used for automotive systems – e.g. for car access. First R&D teams are now implementing facial recognition to Android Automotive OS based IVI systems.

  • Man-in-the-middle attacks can result in personal user data being leaked to third parties via connectivity.

The man-in-the middle attack intercepts a communication between two systems, for example in TCP connection between client and server. Attacker acts as a proxy, being able to read, insert and modify the data in the intercepted communication resulting in leak of data.

VPN solutions can be used to build a secure IPSec tunnel between the client and the services to avoid interception. Bittium SafeMove® for example is such a solution already widely used in Windows and Android environments that has now made its way into automotive systems.

  • Eavesdropping refers to network hijacking methods by which personal user data is leaked to third parties.

Device wide encryption options for user data are available as part of the Android operating system. For most privately used mobile devices this is sufficient, but for automotive systems multi-user scenarios should be taken into account.

R&D teams are therefore working on methods to provide separate encryption for each user of the system, e.g. by using VPN solutions that have proven themselves in Android applications.

CIA – Integrity

This refers to a deliberate corruption of the IVI system with methods such as:

  • Fake configuration, which means the device configuration is altered to open attack vectors – for example by disabling the VPN.

A more advanced option for securing the system configuration is to employ a device management solution. Depending on the system device management capabilities, e.g. remote attestation, it is possible to implement device management enhancements to the Android operating system to improve the configuration integrity. The Bittium SafeMove device management for example is capable of taking ownership for the settings and allows remote configuration of changes and attestation securely.

  • Malware can gain access through modified applications offered to the system with integrated malware functionality.

With the Android OS application signatures, that check the basic integrity of the applications, security measures are available to avoid installing applications that have been modified after signing. However, this does not provide protection against signed malware.

Additional layers of protection can be added with management enhancements via a device management solution as described above. Whitelisting a specific application selection limits the applications that can be installed. Removing applications from the whitelist will then also remove these applications from the devices. This way threats can be handled centrally for all devices.

CIAAvailability

Availability problems include all interruptions in IVI systems. Threats in this area include:

  • Network interruptions can happen for numerous reasons, e.g. tunnels, rural areas and network congestion.

Network reconnect functionality comes as part of the Android OS. Network interruptions however disconnect all the existing live connections.  It is the responsibility of the application to recover the connection. Many applications require a new login after connection failure or reconnection.

A smarter approach is to add a compatible session persistent Mobile VPN solution to the Android OS that enables seamless reconnection without the need to sign-in again. Such a solution e.g. enables the device to switch the backhaul (e.g. from LTE to Wi-Fi or vice-versa) during a VoIP call without dropping the call. Mobile VPN can be seamlessly re-connected using a different or the same backhaul while maintaining the application sessions.

  • DoS - Denial of Service attacks are used to block the availability of the services in the system. VPN services may provide load balancing and high availability with geographically de-centralized termination points to avoid DoS attacks.

Connected cars are subjects to the same security threats as all connected devices. By recognizing the threats and selecting the right and proven countermeasures the overall vehicle safety and security can be enhanced significantly. For IVI suppliers it can be very beneficial to work together with a development partner who has experience and knowhow from both secure connectivity and Android Automotive to make the IVI as secure as possible.

For more information, please visit Automotive or contact us.

Android is trademark of Google LLC.



Manu Kemppainen, Bittium Fellow


Manu Kemppainen has over 30 years of experience in embedded software design and device development. He works as a Fellow at Bittium and has been with the company since 1999.