Red Light for Security: Uncovering Auto Feature Check and Access Control Gaps in AAOS


Research field: Software Development



Conference: International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment


Abstract

The Android Automotive Operating System (AAOS) is a specialized version of the Android OS designed for in-vehicle infotainment and system control. Prominent automakers such as Honda, General Motors (GM), Volvo, and Ford have already adopted it in their latest vehicles. Despite its popularity, the security of AAOS integration has hardly been evaluated, particularly at the framework layer, where auto feature and access control anomalies are likely to arise. To bridge the gap, we perform the first security evaluation of automotive entry points in AAOS. Our study is enabled by AutoAcRaptor, an automated pipeline that leverages static analysis to identify automotive entry points, generate their access control and auto feature specifications, and analyze them for potential security risks. Our evaluation of AutoAcRaptor on two AOSP and eight automaker AAOS images demonstrates that it is able to identify 23 auto feature and access control anomalies on average per ROM. We report ten cases to the corresponding automakers. At the time of writing, five have been acknowledged while the rest are pending verification.


Author Profile

Yousra Aafer
University of Waterloo, Waterloo, Canada

Jumana
University of Waterloo, Waterloo, Canada

Parjanya Vyas
University of Waterloo, Waterloo, Canada

📄 Paper information

Publication year: 2025
Citations: 0
Country of publication: Canada
Site: Springer
