Enhancing the Security of Android-Based Infotainment Systems

Abstract

Modern infotainment systems are highly integrated with both the vehicle’s Controller Area Network (CAN) bus and external internet services. Such connectivity capabilities make the infotainment system a viable entry point for adversaries targeting the vehicle’s internal components and subsystems. Therefore, this thesis investigates how to implement a granular access control mechanism for the CAN bus, guided by the Principle of Least Privilege (PoLP). The objective is to create a more secure infotainment system that incorporates multiple layers of protection. In addition to adhering to the PoLP, the proposed solution aims to comply with two important cybersecurity standards and regulations: EN 18031-1:2024, part of the Radio Equipment Directive (RED), and ISO/SAE 21434. The latter providing a framework for Threat Modeling, the process of analyzing a system, identifying threats, and deciding on appropriate mitigation. A key component of the access control system is the use of Android permissions, which provide enhanced granularity in managing application access. In addition to Android permissions, the configuration scheme of the infotainment system was extended with application level whitelisting for CAN data. Benchmarking tests were conducted to evaluate the performance impact of the proposed solution, and the results did not show any significant additional overhead. The final implementation provides effective and scalable protection of the CAN bus, with granular access control, improving security in the infotainment system.