When Authentication Is Not Enough: On the Security of Behavioral-Based Driver Authentication Systems
Emad Efatinasab, Francesco Marchiori, Denis Donadel, Alessandro Brighente, Mauro Conti
TL;DR
This work examines the security of behavioral-based driver authentication by formalizing a practical CAN-bus–centric system, proposing two lightweight in-vehicle authenticators (Random Forest and a single-layer GRU), and developing two evasion attacks (SMARTCAN and GANCAN). It shows that while high identification/authentication accuracy can be achieved in isolation ($\text{accuracy}$ up to $0.999$), practical deployment is vulnerable to adversarial manipulation of CAN messages, with perfect attack success rates observed for certain models. The authors provide a security-aware framework, attack methodologies, and deployable recommendations, including in-vehicle ECU deployment, local training, and the novel combinatorial accuracy concept to reduce false positives. They also release open-source code and datasets to enable ongoing security testing and defense development, underscoring the need for can-message authentication as a primary defense and a second-factor, continuous authentication approach for real-world use.
Abstract
Many research papers have recently focused on behavioral-based driver authentication systems in vehicles. Pushed by Artificial Intelligence (AI) advancements, these works propose powerful models to identify drivers through their unique biometric behavior. However, these models have never been scrutinized from a security point of view, rather focusing on the performance of the AI algorithms. Several limitations and oversights make implementing the state-of-the-art impractical, such as their secure connection to the vehicle's network and the management of security alerts. Furthermore, due to the extensive use of AI, these systems may be vulnerable to adversarial attacks. However, there is currently no discussion on the feasibility and impact of such attacks in this scenario. Driven by the significant gap between research and practical application, this paper seeks to connect these two domains. We propose the first security-aware system model for behavioral-based driver authentication. We develop two lightweight driver authentication systems based on Random Forest and Recurrent Neural Network architectures designed for our constrained environments. We formalize a realistic system and threat model reflecting a real-world vehicle's network for their implementation. When evaluated on real driving data, our models outclass the state-of-the-art with an accuracy of up to 0.999 in identification and authentication. Moreover, we are the first to propose attacks against these systems by developing two novel evasion attacks, SMARTCAN and GANCAN. We show how attackers can still exploit these systems with a perfect attack success rate (up to 1.000). Finally, we discuss requirements for deploying driver authentication systems securely. Through our contributions, we aid practitioners in safely adopting these systems, help reduce car thefts, and enhance driver security.