Embedded OS Hardening -Safeguard Embedded Linux and Android Systems

Android is built on the Linux kernel, but the farther away it gets from the core of the original operating system, the more overhead it takes for Google to maintain its codebase and protect devices from threats. The Linux kernel itself has several security features, but since it’s open-source, it can be altered to create an alternative distribution. Any embedded Linux or Android device manufacturer (OEM) that offers embedded systems based on Android or the core Linux kernel must harden their system to safeguard mobile and IoT devices.

Security Risks with Embedded Linux

The biggest risk to user security is an unpatched kernel after a vulnerability is made public. The most difficult part is that not every Linux security patch gets a CVE, so it’s up to administrators and developers to know when a new patch is available. Third-party patch management systems will scan systems for vulnerabilities and install security patches automatically, but embedded Linux and Android systems run mobile devices and IoT that aren’t openly available to vulnerability scanners. This means that embedded Linux systems are a major target for attackers.

An example of the severity of vulnerable embedded systems is CVE-2019-17666. The vulnerability affects any system that uses the Realtek Wi-Fi chip and device driver. Although a patch was released, it’s estimated that numerous Smart TVs, door locks, and thousands of personal Wi-Fi access points are left unpatched and vulnerable to a buffer overflow that could lead to denial-of-service or possible shell access. With shell access, an attacker could install their own malware (e.g. botnet code), change settings, and potentially eavesdrop on user data leading to a severe data breach.

Securing Android and Other Embedded Linux Devices

Modifying Linux to fit a third-party vendor distribution takes not only the right developers but the right security experts who understand the potential for vulnerabilities should the wrong change be made to the operating system. Google announced that it will move Android to a closer version of the original Linux kernel to reduce developer overhead and limit direct kernel access by custom device drivers made by third-party device developers.

To better secure embedded Linux, it’s essential that manufacturers use vendors that understand how to deliver optimized Linux operating systems that support custom boards and proprietary hardware. At L4B Software, we have experience since 2004 developing safe and secure embedded Linux solutions for mobile devices and IoT. We consider embedded Linux security a priority in our development lifecycle to ensure that our customers have a system that not only optimizes for performance but also stays secure. We do this in a few ways:

  • Custom APIs: We provide an interface with APIs so that customers can run a predefined set of commands.
  • Hardware Abstraction Layer (HAL): Similar to the way Android handles device interface with the kernel, our HAL lets drivers interface with the upper-layer of Linux without directly interacting with the kernel.
  • SDKs and wrappers: Documentation and wrappers give your developers a secure and easy way to work with the system.