Professional Documents
Culture Documents
FULLTEXT01
FULLTEXT01
GRUNDNIVÅ, 15 HP
STOCKHOLM, SVERIGE 2021
ALEXANDER PALM
BENJAMIN GAFVELIN
KTH
SKOLAN FÖR ELEKTROTEKNIK OCH DATAVETENSKAP
© 2021 Alexander Palm and Benjamin Gafvelin
Abstract | i
Abstract
With a more than ever increasing demand to interconnect smartphones
with infotainment systems, Android Auto has risen in popularity with
its services used in modern vehicles worldwide. However, as users
progressively connect their smartphones to in-vehicle infotainment systems,
the opportunity for malicious actors to endanger and access private
data of Android Auto users advances as well. The goal with this
thesis is to determine how secure Android Auto is for road use. The
main research question is to figure out if Android Auto is susceptible
to attacks that exploit certain vulnerabilities in the Android operating
system.The research question was answered by creating several proof-of-
concept attacks on Android Auto using an emulated infotainment system
with mobile devices. An investigation was also conducted regarding
the application’s communication channel between the mobile device and
infotainment display. Results of this thesis demonstrate that several
attacks are substantially severe to endanger drivers on the road. There
is a great risk of successful exploits when running Android Auto locally
on the phone without a connection to the infotainment system, and a
lesser risk when connected to the infotainment system. Intercepting
communication in the USB channel revealed an encryption algorithm
whose version has published exploits and can be cracked to potentially
exploit Android Auto.
Keywords
Android Auto Security; Infotainment System; Road Safety; Penetration
Testing; Malicious Apps; Android Security;
ii | Abstract
Sammanfattning | iii
Sammanfattning
I takt med en evigt ökande efterfrågan på att sammankoppla smart-
telefoner med infotainmentsystem, har allt fler börjat använda Android
Auto i sina fordon världen över. En bieffekt av att allt fler sammankopplar
sina mobiler till infotainmentsystem, är att det leder till fler möjligheter
för illvilliga parter att stjäla privat data och sätta Android Auto-
användares liv i fara. Målet med denna avhandling är att fastställa hur
säkert Android Auto är i avseende till vägsäkerhet. Den huvudsakliga
forskningsfrågan är att lista ut om Android Auto kan attackeras av
attacker som utnyttjar sårbarheter i Android operativsystemet. Forsknings-
frågan besvarades genom att skapa flertal konceptattacker mot Android
Auto användandes av ett emulerat infotainmentsystem och mobiltelefoner.
En utredning utfördes även gällande applikationens kommunikationskanal
mellan telefonen och infotainmentskärmen. Resultatet från denna av-
handling demonstrerade att många attacker är tillräckligt allvarliga för
att äventyra trafikanternas säkerhet. Det finns en avsevärd risk för
framgångsrika attacker när Android Auto körs lokalt på telefonen utan
en USB koppling till infotainmentsystemet, och en liten risk när telefonen
är kopplad till infotainmentsystemet. Avlyssning och uppfångning av
kommunikationen i USB kanalen visade att en krypteringsalgoritm vars
version har existerande sårbarheter kan avkrypteras och utnyttjas för att
potentiellt attackera Android Auto.
Nyckelord
Android Auto Säkerhet; Infotainment-system; Vägsäkerhet; Penetrationstest;
Skadliga Appar; Android Säkerhet;
iv | Sammanfattning
CONTENTS | v
Contents
1 Introduction 1
1.1 Similar Platforms and Competitors . . . . . . . . . . . . 3
1.2 Motivation . . . . . . . . . . . . . . . . . . . . . . . . . . 3
1.3 Problem Statement . . . . . . . . . . . . . . . . . . . . . 4
1.4 Purpose . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.5 Goals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.6 Scope of Research . . . . . . . . . . . . . . . . . . . . . . 5
1.7 Contributions . . . . . . . . . . . . . . . . . . . . . . . . 5
1.8 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 6
1.9 Vulnerabilities in the USB Connection . . . . . . . . . . 6
1.10 Thesis structure . . . . . . . . . . . . . . . . . . . . . . . 7
2 Method of research 9
2.1 Research Methodology . . . . . . . . . . . . . . . . . . . 9
2.1.1 Problem Identification and Motivation . . . . . . 9
2.1.2 Define the Objectives for a Solution . . . . . . . . 11
2.1.3 Design and Development . . . . . . . . . . . . . . 11
2.1.4 Demonstration . . . . . . . . . . . . . . . . . . . 11
2.1.5 Evaluation . . . . . . . . . . . . . . . . . . . . . . 11
2.1.6 Communication and Contribution . . . . . . . . . 12
2.2 Ethical Approach . . . . . . . . . . . . . . . . . . . . . . 12
2.2.1 Authorization . . . . . . . . . . . . . . . . . . . . 12
2.2.2 Non-disclosure . . . . . . . . . . . . . . . . . . . . 13
2.2.3 Confidentiality . . . . . . . . . . . . . . . . . . . 13
2.2.4 Boundaries . . . . . . . . . . . . . . . . . . . . . 13
3 Related Research 15
vi | Contents
5 Results 23
5.1 Task hijacking . . . . . . . . . . . . . . . . . . . . . . . . 23
5.2 Intent Storm . . . . . . . . . . . . . . . . . . . . . . . . . 24
5.3 SoundBlast . . . . . . . . . . . . . . . . . . . . . . . . . 24
6 Discussion 25
6.1 Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
6.1.1 Task Hijacking . . . . . . . . . . . . . . . . . . . 25
6.1.2 Intent Storm . . . . . . . . . . . . . . . . . . . . 26
6.1.3 SoundBlast . . . . . . . . . . . . . . . . . . . . . 27
6.1.4 CVSS 3.0 . . . . . . . . . . . . . . . . . . . . . . 28
6.2 Delimitations . . . . . . . . . . . . . . . . . . . . . . . . 28
6.3 Research Methodology . . . . . . . . . . . . . . . . . . . 29
7 USB Investigation 31
7.1 Raw Packet Analysis . . . . . . . . . . . . . . . . . . . . 31
7.2 Android LogCat Analysis . . . . . . . . . . . . . . . . . . 32
7.3 TLS Decryption . . . . . . . . . . . . . . . . . . . . . . . 33
8 Future work 35
9 Conclusion 37
References 39
DOS Denial-of-Service
MitM Man-in-the-Middle
Listings
Chapter 1
Introduction
1.2 Motivation
Creating a complex ecosystem that is impenetrable and secure from all
types of attacks is a daunting task, and a project that is never complete.
Vulnerabilities and exploits are found over time, and it is impossible for
a group of developers at a company to find and patch them all, which
is why many of the large technology companies use bounty programs,
where independent hackers can submit vulnerabilities in exchange for a
payout [4]. Not all hackers are ethical. Unethical hackers that encounter
vulnerabilities and choose not to disclose the information to the company
leave the attack vector open for other malicious actors. In the case of
Android Auto, high security is of great significance since the application
is to be used when operating a motor vehicle. If a malicious actor is
able to distract, scare or annoy a driver, the driving performance may
be greatly reduced [5, 6] and could thus lead to a dangerous situation.
A study found that drivers that were annoyed by urgent sounds showed
a tendency to increase the throttle, and drivers that were shocked by a
sound tended to release the throttle [7]. This effect may harm the traffic
rhythm and endanger the road users.
Penetration testing systems and platforms that integrate with an
automotive interface is poorly researched, as most of the focus lies on
finding vulnerabilities directly in the automotive interface or the platform
connecting to it. However, research methods for evaluating automotive
1
“Carplay a way to connect a smart device to a vehicle.” [Online]. Available:
https://www.apple.com/ios/carplay/ Accessed 2021-04-14.
2
“Mirrorlink the most ingenious way to bring smartphone content to the dash.”
[Online]. Available: https://www.mirrorlink.com Accessed 2021-04-14
4 | Introduction
1.4 Purpose
The purpose of the thesis is to test if Android Auto targeted attacks
are able to endanger a driver and access private data. The thesis aims
to bring light to possible attack vectors that are relatively unexplored
for Android Auto specific attacks in order for these vulnerabilities to be
closed or mitigated. With the acquired knowledge, Android and Android
Auto can be informed about the findings, which ultimately leads to an
improved development of their security. Consequently, users will become
more protected in terms of driver safety.
This paper will use a method for evaluating the impact of certain
exploitable vulnerabilities called Common Vulnerability Scoring System
(CVSS)1 and argue for its implications in the context of driving
experience.
1.5 Goals
The goal of this study is to conduct multiple penetration tests in order to
gather an adequate amount of data to establish if Android and Android
1
Common Vulnerability Scoring System Version 3.0 Calculator [Online] Available:
https://www.first.org/cvss/calculator/3.0
Introduction | 5
1.7 Contributions
The findings from this study will contribute to the benefit of the Android
Auto- and road users, since navigation, media and telephony are widely
used in infotainment systems inside modern vehicles daily. Continued
development of 3rd party apps justifies the demand to pen-test and insure
that systems that are used on the road worldwide are safe. Discovering
and learning about possible exploits and their potential negative use cases
may lead to patches that eliminate the attack-vectors, thus creating a
safer environment on the road for all.
Research on the subject of Android Auto security is lacking, therefore
this report will help build a foundation and bring breadth to the topic.
6 | Introduction
The thesis provides a foundation for further research into the topic and
suggests attack vectors to investigate.
1.8 Attacks
In order to conduct research on potential exploits relevant to Android
Auto it is crucial to analyze the attack surface 3rd party apps have access
to. Since Android Auto functionality is separate from the car functions,
potential targets for malicious apps are other mobile applications and
the car’s infotainment system itself. The infotainment display could
potentially crash or change brightness, app data could be leaked and
the infotainment system volume could be tampered with. The report
will closer examine these attack vectors through various exploits.
One harmful exploit is Task hijacking that regards when a malicious
application takes over the execution from a legitimate application.
Instead of the phone opening a user’s authentic banking application,
a visually similar application could be opened instead, extracting user
credentials to a hacker’s server1 [8].
SoundBlast is an attack that targets the driver directly. The attack
involuntarily modifies the volume to max volume as media is played in
the background. This attack does not require any special permissions
and can easily be exploited by an application [9].
The purpose of an Intent Storm is to deplete the system resources,
rendering the Android system unusable until it ultimately crashes. It
is achieved by continually sending intents to reopen the application on
several threads. Since opening applications is resource intensive, this will
quickly use up all available resources [9].
is significant since control of the flow of data between the device and the
DHU/IHU could be an attack vector with serious implications.
Chapter 2
Method of research
research about security and app exploits, it cannot be presumed that the
application is safe for users.
2.1.4 Demonstration
After the exploits had been developed they were adapted to the attack
environment to experiment with the identified attack vectors. Distraction
related exploits were conducted to discover if they had any significance
on the device, which ultimately may affect the driver and road safety in
general. Additionally, an exploit was utilized to find a procedure that
enables the opportunity to extract sensitive user data through phishing.
Resources required for the demonstration have been listed in chapter 4.
2.1.5 Evaluation
The attacks were evaluated by first making sure that the attack was
successfully executed, and subsequently rated based on their complexity
12 | Method of research
and how easy they were to exploit. These scores have been generated
using the CVSS Version 3.0. Attack scores establish the severity of the
software vulnerabilities in relation to other vulnerabilities. Unsuccessful
attacks attain the severity score of zero and extremely severe attacks are
rated a score of 10.
2.2.1 Authorization
Always gain the authorization of a system owner before pen-testing.
Some vendors use bug bounty programs where they outline the rules
and the scope of allowed pen-testing, without requiring every pen-tester
to explicitly ask for permission. The bug bounty program that Google
runs also includes Android Auto and the Android operating system.
Method of research | 13
2.2.2 Non-disclosure
Most pen-testers sign a non-disclosure agreement to ensure that no
confidential information is released before during or after the testing.
Android Auto runs by Google, whose bug bounty program states that
any research conducted on their products should be disclosed to Google
and the results should not be posted publicly until after their 90-day
disclosure deadline1 .
2.2.3 Confidentiality
Never release any confidential information about an individual, test or
company to any third-party. The tests conducted in this thesis will not
expose any personal information since all tests are run on emulators
or the authors’ personal mobile devices. At no point was the personal
information of other individuals or the intellectual property of Google at
risk of being disclosed, uncovered or shared.
2.2.4 Boundaries
Before pen-testing starts, it is important to know what is allowed and
what is not allowed. Overstepping these boundaries could either be
illegal or grounds for legal repercussions or other disciplinary action,
such as being banned from the platform and/or unable to continue with
the bug bounty program. The tests conducted in this thesis are within
the boundaries of the law and the guidelines provided by Google for their
bug bounty program.
1
“Application Security – Google.” [Online]. Available:
https://www.google.com/about/appsecurity/ Accessed 2021-05-18.
14 | Method of research
Related Research | 15
Chapter 3
Related Research
The most recent security research in the automotive area focus on on-
board computers and systems and study their impact on the driving
experience. The research often disregards Android Auto related attacks,
since these attacks do not directly impact the vehicle itself.
Android Auto apps are sometimes used as attack vectors. In an
analysis of Android Auto apps found on the Google play store, 80% of the
downloaded and tested apps showed warnings after static analysis, some
25% of apps were vulnerable to JavaScript attacks. The authors of the
study also found that GPS data could be extracted without permissions
and that media could be auto played, in contrast to Google’s Android
Auto security standard [12].
In 2015 1.4 million vehicles were recalled by the manufacturer due to a
serious security vulnerability where it was possible to remotely hack into
the infotainment system. From here they could access the engine control
unit to send other commands to similar car components. The exploit
made it possible to affect the steering and brakes of the unmodified
vehicle [13].
One study brings up the serious safety risk with allowing untrusted
third-party code on Autonomous Vehicles. Several companies allow
uncertified code on their platforms for the means of testing and development.
However this poses a security threat. Followingly the study proposes an
enhanced design of the Appified AV platform called AVGUARD to allow
third-party developers to safely test their applications, thus mitigating
the security issue [14].
Research conducted at the University of California, Berkeley concluded
that less than a quarter of users paid attention to permissions granted
16 | Related Research
Chapter 4
This chapter contains two parts. Part one regards the environment
setup for the exploits as the code environment and tools required for
the attacks. In the next section, the attacks’ objectives and production
methods are described in detail.
in, the device was only connected to a data transmitting device and
not running Android Auto. If the UI mode was correct without a USB
connection, the user had opened Android Auto but was not using the
DHU and possibly not driving. However, a delimitation with the attack
environment is that the USB connection could not differentiate between
being connected to the DHU or another computer since both transmit
data, (listing 4.1). Thus, the exploits could be launched in a scenario
where Android Auto is running and connected to a computer via USB.
/*
* Detects if the device is connected to
* a data transmitting device. Does not
* differentiate between DHU and computer.
*/
if(intent.getExtras().getBoolean("connected")){
//USB connected to data transmitter
}
/*
* Can only tell if Android auto is running or not
* Not if it is connected to a DHU or IHU
*/
if (uiModeManager.getCurrentModeType() == Configuration
.UI_MODE_TYPE_CAR) {
//Android Auto is running
}
Attacks and Attack Environment | 19
4.2 Attacks
In this section the exploits are described in technical detail, how they
function and the implemented approach to produce the exploits used in
this thesis.
1
https://promon.co/security-news/strandhogg/
20 | Attacks and Attack Environment
4.2.3 SoundBlast
SoundBlast is designed to distract a driver by unexpectedly altering the
volume playing on the infotainment system. The attack maximizes the
volume of the audio stream on the phone, which shocks the driver and
causes a distraction. By using Android’s built in Audio Manager, the
programmer can programmatically set the volume of the application
(listing 4.5). The desired outcome is a change in volume on the DHU as
the phone volume changes.
am.setStreamVolume(STREAM_MUSIC,
am.getStreamMaxVolume(STREAM_MUSIC),0);
22 | Attacks and Attack Environment
Results | 23
Chapter 5
Results
This section presents the results of the exploits. Each exploit’s result will
be presented in its subsequent sub-chapter.
Table 5.1 contains a structured breakdown of the name, severity and
category1 of the exploits. The CVSS values (calculated in A.1) displays
the severity of the exploit on a scale from 0 to 10, where 0 signifies a
harmless exploit and 10 means that the exploit is extremely severe.
Exploits
Name of exploit CVSS3 score Category
SoundBlast 3.3 Audio/distraction
IntentStorm 5.5 DOS/distraction
Task Hijacking 6.1 Phishing
and later navigating elsewhere with the malicious app running in the
background, it was possible to hijack Android Auto’s execution on the
mobile device. Android Auto started in the background as the malicious
application became the task in focus. However, attempting this exploit
on the DHU emulator on PC did not show definitive results regardless
of the SDK- and Android version. Despite running the exploit and
afterwards launching Android Auto did not show any sign of a successful
task hijack.
A modified exploit that attacked applications used by Android Auto
in the DHU, for instance Google Maps and telephony was unsuccessful
as well. The exploit was ignored and the applications running inside of
Android Auto started naturally.
5.3 SoundBlast
The SoundBlast attack was automatically executed when the user had
started the malicious app and the conditions (listings 4.1 & 4.2) were
met. The exploit showed the same result on all versions of Android that
were tested (see 4.1). This exploit was partly unsuccessful because the
change in volume was not detected on the DHU but rather on the phone
itself. The volume could be set programmatically, which could executed
in a loop to force the volume to always be increased to the maximum.
The test was inconclusive as to whether or not the volume would change
on an IHU. It was not possible to verify the change of volume on the
DHU, since the emulator lacks volume controls and a volume indicator.
Discussion | 25
Chapter 6
Discussion
This chapter will discuss the results of the exploits, the implications
of the thesis’ delimitations and the influence of the chosen research
methodology.
6.1 Attacks
In this section the results are discussed and evaluated in regards to their
success, issues and expansion possibilities. Additionally, weaknesses of
the exploits and potential countermeasures are considered.
target attacks on the apps inside Android Auto. The attempts to task
hijack Google Maps and the telephony service in Android Auto showed
unsuccessful results regardless if the phone was connected to the DHU or
not. Thus, it does not seem probable that access to an IHU would lead
to different results for this experiment.
Security researchers from Pennsylvania State University and Fire
Eye Incorporated showed how task hijacking could be accomplished and
proved that millions of apps were at risk [8]. This thesis has strengthened
their claim and shown that it is possible to task hijack Android Auto.
The exploit has a great weakness. When a malicious application with
the StrandHogg exploit is opened on the phone, two application windows
open. An innocent screen that represents a harmless application, and
a "hacked" screen that can be designed to mimic a legitimate app.
Opening the task manager on mobile after having started the StrandHogg
application made it apparent that the malicious application is functioning
out of the ordinary. Users that detect this anomaly can prevent the
exploit by uninstalling the malicious application.
greater risk.
An issue with the attack is the possibility that users can invoke the
attack when not driving. On all Android versions less than 28, Android
Auto is visible in the application menu. A user with the app installed
could open the application and connect their device to a computer or
other data transmitting device which would invoke the attack, since all
its criteria are met.
To extend the attack, the application could ask for permissions to
the location data, which could make speed a criteria for launching the
attack. The application could also create a background service that could
run indefinitely, waiting for the criteria to be met before launching the
attack. The background service would continue to run, even if the original
application were to be closed.
6.1.3 SoundBlast
Changing the volume unexpectedly could be dangerous for the driver
[7]. If a driver is traveling at a high velocity, a sudden, unexpected
loud sound could cause the driver to twitch and potentially lose control
of the vehicle. Decreasing the volume without the driver’s permission
could also result in road rage and distractions where the driver needs to
manage the volume control, thus increasing the risk of a traffic accident.
Lowering the volume as the driver expects to hear Google Maps directions
for instance, could result in indecisive behavior from the driver thus
endangering multiple road users. The potential risk could be increased
if the application requests location data, and executes only if the vehicle
is traveling faster than a certain speed where the driver’s attention is
crucial.
The exploit was successful in changing the volume, but due to the
experimental setup it only changed the volume on the mobile phone.
The emulated display played sound through the computer’s audio system,
which naturally is isolated from the phone’s audio. Therefore, tests could
not verify if the volume on the DHU was affected. However, it is possible
that using the volume keys on the mobile device affects the volume on
an IHU. This would mean that the attack would work on an IHU, but
this claim is unverifiable without the required hardware.
Developing the exploit is very simple and only requires a few lines
of code and it has a few countermeasures. The application can without
privileges set the volume of the device, and repeatedly setting the volume
28 | Discussion
will ensure that the user cannot mute or lower the volume. No effective
countermeasure was found except terminating the connection to the
DHU, which could prove to be difficult while driving.
6.2 Delimitations
The thesis was focused on security implications of vulnerabilities in a
vehicle setting. However, the vulnerabilities and exploits presented in
this thesis could also be used in other contexts. Task hijacking could be
used to steal usernames and passwords, read private messages or secretly
record the user by phishing legitimate applications. It could also be used
to request permissions to retrieve and manipulate otherwise inaccessible
data on the phone.
Since Android Automotive is part of the Android source code2 any
attack against Android that can be exploited in a vehicle setting could
also be exploited on Android Automotive. The Soundblast and Intent
Storm attacks were based on Android Automotive oriented attacks. Task
1
Common Vulnerability Scoring System Version 3.0 Calculator [Online] Available:
https://www.first.org/cvss/calculator/3.0
2
“What is Android Automotive? Android Open Source Project,”Oct 2020. [Online].
Available: https://source.android.com/devices/automotive/start/what_automotive
Accessed 20201-04-16
Discussion | 29
Chapter 7
USB Investigation
One potential attack vector in exploiting Android Auto and the DHU
is through the USB cable used for communication. By intercepting the
channel, it may be possible to interact with the USB interface to block
or alter communication sent from the mobile device to the DHU. The
chapter investigates the USB communication in three sections. The first
looking at the raw packets, the second at Android Logs and the third at
TLS decryption. Finally, the section presents the results that potentially
can be used for exploiting Android Auto via USB.
Chapter 8
Future work
Chapter 9
Conclusion
This thesis has investigated the security of the Android Auto application
in regards to road safety. By attacking and exploiting vulnerabilities in
the Android operating system, attacks were crafted that directly target
the user when driving. In various situations the findings demonstrate
that Android Auto is not secure for road safety depending on how the
application is used. Running Android Auto locally on the phone without
connecting it to a DHU or IHU showed a greater risk of successful exploits
that compromise driver safety and user data. Task hijacking was able
to take over execution, Intent Storm managed to crash the mobile and
SoundBlast could change the volume without user input. However, the
results from running Android Auto on the DHU indicated user security.
Intent Storm managed to completely freeze and crash the DHU, which
may endanger a driver by making them lose attention on the road and
instead focus on restarting the unresponsive infotainment system. The
USB investigation revealed details about the encrypted communication
between the device and DHU. It is possible to use existing exploits to
decrypt the encrypted data, where modification of the content may lead
to different exploits that manipulate information on the infotainment
display that reduces Android Auto security.
The relevancy of the thesis is apparent since a driver’s life could be put
at risk. Task hijacking could show a malicious version of a maps software
and lead the user to another location than the user did not intend.
SoundBlast could cause the driver to make uncontrolled movements,
leading to a loss of control of the vehicle, or create a distraction which
makes the driver less attentive to their surroundings. The USB findings
set the foundation to investigate the possibility of attacks that could put
38 | Conclusion
References
[9] B. Eriksson, J. Groth, and A. Sabelfeld, “On the Road with Third-
Party Apps: Security Analysis of an In-Vehicle App Platform,”
Master’s thesis, Gothenburg, Sweden, 2019.
[11] K. Graves, CEH: Certified Ethical Hacker Study Guide, 1st ed.
USA: SYBEX Inc., 2010. ISBN 1978-0-470-52520-3
Appendix A
Table A.1 contains the CVSS3 vector strings that were used to calculate
the CVSS value of the exploits.
Exploits
Name Vector String
SoundBlast CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:F
IntentStorm CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:F
Task Hijacking CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L/E:F
www.kth.se