Security Analysis of Android Automotive

Downloaded from SAE International by Mert D. Pese, Thursday, April 02, 2020

2020-01-1295
Published 14 Apr 2020

Security Analysis of Android Automotive

Mert Pese and Kang Shin, University of Michigan
Josiah Bruner, Georgia Institute of Technology
Amy Chu, Harman International

Citation: Pese, M., Shin, K., Bruner, J., and Chu, A., “Security Analysis of Android Automotive,” SAE Technical Paper 2020-01-1295, 2020, doi:10.4271/2020-01-1295.

Abstract

In-vehicle infotainment (IVI) platforms are getting increasingly connected. Besides OEM apps and services, the next generation of IVI platforms are expected to offer integration of third-party apps. Under this anticipated business model, vehicular sensor and event data can be collected and shared with selected third-party apps. To accommodate this trend, Google has been pushing towards standardization among proprietary IVI operating systems with their Android Automotive platform which runs natively on the vehicle’s IVI platform. Unlike Android Auto’s limited functionality of display-projecting certain smartphone apps to the IVI screen, Android Automotive will have access to the in-vehicle network (IVN), and will be able to read and share various vehicular sensor data with third-party apps. This increased connectivity opens new business opportunities for both the car manufacturer as well as third-party businesses, but also introduces a new attack surface on the vehicle. Therefore, Android Automotive must have a secure system architecture to prevent any potential attacks that might compromise the security and privacy of the vehicle and the driver. In particular, malicious third-party entities could remotely compromise a vehicle’s functionalities and impact the vehicle safety, causing financial and operational damage to the vehicle, as well as compromise the driver’s privacy and safety.

This paper presents an Android Automotive system architecture and provides guidelines for conducting a high-level security analysis. It also describes what countermeasures have already been taken by Google to prevent potential attacks, and discusses what still needs to be done in order to offer a secure and privacy-preserving Android experience for next-generation IVI platforms.

Introduction

Android was launched in late 2008 as a mobile operating system by Google. While this open-source Linux-based platform was initially designed for touch screen-equipped mobile phones - dubbed as smartphones - the success of this versatile operating system on widely popular phones led Google to develop Android versions for TVs and smartwatches in the early 2010s. Android’s penetration into different markets culminated in the launch of Android Auto in 2015, which was also due partially to the introduction of touch screens for in-vehicle infotainment (IVI) systems.

Android Auto is an app that runs on mobile handsets and once connected to the IVI (over USB, WiFi or Bluetooth AVRCP) projects certain select apps to the IVI screen. The focus of Android Auto is to offer multimedia and navigation apps with an enhanced UX to reduce distraction of the driver. Despite its support by all major OEMs (and Apple Carplay) for most of their models as of 2019, the major drawback of Android Auto is the lack of having access to any data generated inside the vehicle. It solely relies on the handset’s sensors and does not read nor write any data to the in-vehicle network (IVN). As a result, a full car integration was not possible with Android Auto.

Android’s business model is an extension of the existing Google business model: Revenue is obtained from Search, AdSense and the applications that enable these two. In the case of Android there is also revenue from app sales (Google Play Store), licensing fees (Google Play Services) as well as Google Play’s multimedia contents (e.g., Music) [7]. For the automotive use-case, this is not entirely possible with Android Auto since no additional data can be leveraged.

This is a reason why Google introduced Android Automotive at Google I/O 2018. They announced a partnership with a massive car-making alliance of Renault-Nissan-Mitsubishi to run Android Automotive powered infotainment systems in millions of cars beginning 2021 [9]. Although car-makers have been hesitant to share valuable vehicle data with Google, the latter’s efforts in creating a clean, powerful operating system tailored to run stand-alone on IVIs has convinced car-makers to adopt this new technology. A vehicle-specific Google Play Store will allow third-party apps to be deployed in numerous vehicles independent of OEM [27] and can possibly allow car-makers to easily access a share of revenue with Google. Third-party applications that require IVN access can range from smart home apps for optimizing customers’ charging management in their home garage to usage-based insurance (UBI) apps. The latter compute the driving behavior from a set of sensors, such as speed or braking, to automatically adjust the insurance premium.

In recent years, wireless connectivity in vehicles has gained popularity. According to [6], 250M vehicles will be connected to the Internet of Things (IoTs) by 2020. Existing connected vehicles’ (CVs’) functionalities comprise infotainment, safety, diagnostics efficiency, navigation and payments [29]. In the next phase of CVs - which is starting now - cars will connect to third-party services using a built-in data connection, introducing novel vehicular data-collection platforms, such as BMW CarData [8]. Already 78M vehicles are connected to the web, with 98% of all new vehicles sold in the US and Europe expected to have cellular connections by 2021 [26].

However, all these positive developments come at the expense of security and privacy risks. Third-parties (and the platform provider Google) will have access to private/sensitive data which can be used by malicious entities to infer more information about the driver of the vehicle. Furthermore, CAN injection (write access to the IVN) has to be restricted to OEM apps. For instance, the HVAC app that Google offers as a native application [1] usually requires to write to the CAN bus to change fan or temperature settings. Other third-party apps do not have a reason to write to the IVN, and hence should be limited to read-only mode.

The goal of this paper is to introduce Google’s Android Automotive framework based on all of its available documents and point out both security and privacy threats that this useful addition to the IVI world can cause. After describing three potential attacks on Android Automotive-equipped IVIs, we will discuss possible countermeasures or precautions that need to be taken by the OEM and Tier 1 suppliers to mitigate the security and privacy risks.

The paper is structured as follows. First, we would like to review some existing academic work done on Android Automotive security, as well as point out how IVIs can be leveraged for automotive security attacks. Then, we will introduce the Android Automotive architecture as defined by Google, as well as a primer of the CAN bus to provide insights into the impact of CAN injection attacks. This will be followed by an overview of how to analyze the security of Android Automotive, including the EVITA’s methodology for classifying potential attacks. As part of the security analysis, we will show three different potential attacks that can be mounted on an IVI running Android Automotive.

[...] claiming that this leaves the infotainment system at serious risk. They did not analyze if the Android Auto client-side software on the IVI can gain access to the IVN, so that third-party Android Auto apps can actually access the car’s data. The Android Auto specification mandates a gap between the IVN and Android Auto, partially due to its media- and navigation-based functions, unlike Android Automotive which needs access to the IVN.

As of now, there are only two major publications on Android Automotive. [28] proposes a sensing model for vehicular sensor data. It points out how its architecture can be embedded into the Android Automotive platform as a proof-of-concept. [13] is a high-level description of Android Automotive security. It focuses on malicious third-party apps and their potential impact on safety, security and privacy. Unlike our work, its focus lies on static and dynamic app analyses, not a security analysis of the framework. In fact, the authors developed a tool for vehicle-specific code analysis, called AutoTame. Their attacks focus on driver disturbance (by raising the volume of a media app) and availability (forking an app until it crashes). They also briefly discuss privacy, i.e., leakage of sensitive information, through the use of two apps. Only one app has permission to upload data to the Internet, whereas the other app can read sensitive sensor information. Through the means of inter-process communication (IPC), the app that reads sensitive information can communicate the sensitive information to the other app that uploads it to the malicious third-party. For this attack to succeed, the third-party must have control over both apps, which makes this attack harder to mount.

IVI Security

The in-vehicle infotainment (IVI) system is a major point of entry into the vehicle due to its connectivity provided by the telematic control unit (TCU). As a result, it is a popular attack vector since wireless surfaces, such as Bluetooth or WiFi, or wired interfaces, such as the USB port, can be exploited. Although manufacturers claim that the IVI usually has an air gap to the in-vehicle network (IVN), it has been shown in [25] that this is not always true. Once access to the CAN bus - the dominant IVN technology - has been obtained, it is possible [...]
