Ethical Hacking of Android Auto in the Context of Road Safety
Degree Project in Computer Engineering, First Cycle, 15 credits
Stockholm, Sweden 2021

Alexander Palm, Benjamin Gafvelin
KTH School of Electrical Engineering and Computer Science
© 2021 Alexander Palm and Benjamin Gafvelin

Abstract

With an ever-increasing demand to interconnect smartphones with infotainment systems, Android Auto has risen in popularity, and its services are used in modern vehicles worldwide. However, as users progressively connect their smartphones to in-vehicle infotainment systems, the opportunity for malicious actors to endanger Android Auto users and access their private data grows as well. The goal of this thesis is to determine how secure Android Auto is for road use. The main research question is whether Android Auto is susceptible to attacks that exploit certain vulnerabilities in the Android operating system.

The research question was answered by creating several proof-of-concept attacks on Android Auto using an emulated infotainment system with mobile devices. An investigation was also conducted into the application's communication channel between the mobile device and the infotainment display. The results of this thesis demonstrate that several attacks are severe enough to endanger drivers on the road. There is a great risk of successful exploits when running Android Auto locally on the phone without a connection to the infotainment system, and a lesser risk when connected to the infotainment system. Intercepting communication on the USB channel revealed an encryption algorithm in a version that has published exploits and can be cracked, potentially allowing Android Auto to be exploited.
Keywords: Android Auto Security; Infotainment System; Road Safety; Penetration Testing; Malicious Apps; Android Security

Summary

In step with an ever-increasing demand to interconnect smartphones with infotainment systems, more and more people around the world have started using Android Auto in their vehicles. A side effect of more people connecting their phones to infotainment systems is that it creates more opportunities for malicious parties to steal private data and put the lives of Android Auto users in danger. The goal of this thesis is to determine how secure Android Auto is with respect to road safety. The main research question is whether Android Auto can be targeted by attacks that exploit vulnerabilities in the Android operating system.

The research question was answered by creating several proof-of-concept attacks against Android Auto using an emulated infotainment system and mobile phones. An investigation was also carried out into the application's communication channel between the phone and the infotainment display. The results of this thesis demonstrated that many attacks are severe enough to endanger the safety of road users. There is a considerable risk of successful attacks when Android Auto runs locally on the phone without a USB connection to the infotainment system, and a small risk when the phone is connected to the infotainment system. Eavesdropping on and intercepting the communication in the USB channel showed that an encryption algorithm whose version has existing vulnerabilities can be decrypted and exploited to potentially attack Android Auto.
Keywords: Android Auto Security; Infotainment System; Road Safety; Penetration Testing; Malicious Apps; Android Security

Contents

1 Introduction
  1.1 Similar Platforms and Competitors
  1.2 Motivation
  1.3 Problem Statement
  1.4 Purpose
  1.5 Goals
  1.6 Scope of Research
  1.7 Contributions
  1.8 Attacks
  1.9 Vulnerabilities in the USB Connection
  1.10 Thesis structure
2 Method of research
  2.1 Research Methodology
    2.1.1 Problem Identification and Motivation
    2.1.2 Define the Objectives for a Solution
    2.1.3 Design and Development
    2.1.4 Demonstration
    2.1.5 Evaluation
    2.1.6 Communication and Contribution
  2.2 Ethical Approach
    2.2.1 Authorization
    2.2.2 Non-disclosure
    2.2.3 Confidentiality
    2.2.4 Boundaries
3 Related Research
4 Attacks and Attack Environment
  4.1 Attack Environment
  4.2 Attacks
    4.2.1 Task Hijacking
    4.2.2 Intent Storm
    4.2.3 SoundBlast
5 Results
  5.1 Task hijacking
  5.2 Intent Storm
  5.3 SoundBlast
6 Discussion
  6.1 Attacks
    6.1.1 Task Hijacking
    6.1.2 Intent Storm
    6.1.3 SoundBlast
    6.1.4 CVSS 3.0
  6.2 Delimitations
  6.3 Research Methodology
7 USB Investigation
  7.1 Raw Packet Analysis
  7.2 Android LogCat Analysis
  7.3 TLS Decryption
8 Future work
9 Conclusion
References
A CVSS3 Vector String

List of acronyms and abbreviations

ADB   Android Debug Bridge
CVSS  Common Vulnerability Scoring System
DHU   Desktop Head Unit
DOS   Denial-of-Service
IHU   Infotainment Head Unit
MitM  Man-in-the-Middle
SDK   Software Development Kit

Listings

4.1 Detect when USB is plugged in
4.2 Detect when Android Auto is running
4.3 Task Hijacking manifest.xml
4.4 Intent Storm
4.5 SoundBlast

Chapter 1
Introduction

Modern vehicles are increasingly manufactured with touchscreen-based infotainment systems. They are primarily intended for GPS navigation, playing music, making phone calls and sending text messages. Additionally, the infotainment system provides an optional hands-free experience through the use of voice control. With technological advancements comes the desire to integrate several smartphone applications into the car software. Android-powered infotainment systems come in two different types. Android Auto is a platform that provides the opportunity to incorporate 3rd party apps into the infotainment system. Through a USB or Bluetooth connection from an Android phone to the infotainment system, Android Auto projects the app's content onto the car touchscreen. Android Automotive is native to the vehicle's operating system and runs directly inside the infotainment system, independently of any external device¹.
Android apps can easily be converted to a version compatible with Android Auto through simple manipulation of the source files that govern app build tools and app design². A look at the Android Auto compatible apps shows a large supply available on the market³. Several 3rd party media and messaging apps, such as Spotify, Audible, various radio and podcast stations, Facebook Messenger and many more, are ready to be downloaded and projected to infotainment system displays worldwide.

¹ "What is Android Automotive? Android Open Source Project," Oct 2020. [Online]. Available: https://source.android.com/devices/automotive/start/what_automotive Accessed 20201-04-16
² Google, "Build media apps for cars," 2021. [Online]. Available: https://developer.android.com/training/cars/media Accessed 2021-04-17
³ "Apps for Android Auto." [Online]. Available: https://play.google.com/store/apps/collection/promotion_3001303_android_auto_all?hl=en&gl=SE Accessed 2021-05-07

Adding apps to the app store is a beneficial way of marketing the app and assuring users that the application is safer to download than from an external platform, because of the mandatory review performed by experts employed by the app store¹. However, due to the human factor in the review stage, a slight security risk exists when analysing these apps. Research regarding manual threat modeling explains that the analysis process is prone to errors [1]. Consequently, bugs or exploits may remain in the published app that, when downloaded, can potentially lead to data breaches. Another issue with the review stage is how time-consuming manual threat modeling can be [2]. The Android app store is the official platform from which Android applications are installed. However, one study from 2020 reveals that these downloads may not be entirely safe. 87% of all app installs are made from the app store, but 67% of apps with malware also originate from the app store [3].
Additionally, the app store is not the only platform from which apps are downloaded. Downloading apps from external platforms that do not strive to protect users may leave user security highly compromised. Due to the lack of research about Android Auto security, it becomes a significant topic to explore in order to ensure user and road safety. Malicious apps may distract the driver, consequently endangering other drivers, cyclists or pedestrians. Android Auto requires extensive permissions in order to function properly, which means that if it were