Most of the Automotive OEMs have been offering for the last years infotainment and IC systems based on Android or Linux kernel-based systems. However, the farther away it gets from the core of the original operating system, the more overhead it takes for Google and other OS vendors to maintain its codebase and protect Android and Linux kernel from threats. Therefore, OS hardening must take place. The Linux kernel itself has several security features, but it can be altered to create an alternative distribution since it’s open-source. Any embedded Linux or Android device manufacturer (OEM) that offers embedded systems based on Android or the core Linux kernel must harden their system to safeguard devices.
Security Risks with Embedded Linux
The biggest risk to end-user security is an unpatched kernel after a vulnerability is made public. The most difficult part is that not every Linux security patch gets a CVE, so it’s up to system architects and developers to know when a new patch is available. Third-party patch management systems will scan systems for vulnerabilities and install security patches automatically. Still, embedded Linux and Android systems that run on dedicated ECUs are not openly available to vulnerability scanners. It means that custom embedded Linux and Android systems are a major target for attackers.
An example of the severity of vulnerable embedded systems is CVE-2019-17666. The vulnerability affects any system that uses the Realtek Wi-Fi chip and device driver. Although a patch was released, it’s estimated that numerous devices and thousands of Wi-Fi access points were left unpatched and vulnerable to a buffer overflow that could lead to denial-of-service or possible shell access. With shell access, an attacker could install their own malware (e.g., botnet code), change settings, and potentially eavesdrop on user data, leading to a severe data breach.
Securing Android and Other Embedded Linux Devices
Modifying Linux kernel to fit a third-party vendor distribution leads both developers and security experts to understand the potential for vulnerabilities, if the wrong change is made to the operating system. Lately, Google announced that it would move Android to a closer version of the original Linux kernel to reduce developer overhead and limit direct kernel access by custom device drivers made by third-party device developers.
Secure Linux and Android OS – Automotive OS Hardening
To better secure Android and Linux kernel-based systems, manufacturers must use vendors that understand how to deliver optimized Linux operating systems that support custom boards and proprietary hardware.
At L4B Software, we have experience since 2004 developing safe and secure embedded Linux solutions and, since 2009, secure and custom Android systems. We consider embedded Linux security a priority in our development lifecycle to ensure that our customers have a system that not only optimizes for performance but also stays secure. We do this in a few ways:
- Custom APIs: We provide an interface with APIs so that customers can run a predefined set of commands.
- Hardware Abstraction Layer (HAL): Similar to the way Android handles device interface with the kernel, our HAL lets drivers interface with the upper-layer of Linux without directly interacting with the kernel.
- SDKs and wrappers: Documentation and wrappers give your developers a secure and easy way to work with the system.
- GAS – Google Automotive Services integration and customization.