Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Your Car Tells Me Where You Drove: A Novel Path Inference Attack via CAN Bus and OBD-II Data

Tommaso Bianchi, Alessandro Brighente, Mauro Conti, Andrea Valori

TL;DR

The paper presents OPD-II, a deterministic path inference attack that reconstructs a vehicle's traveled path using only CAN-Bus and OBD-II data, given the initial location and bearing. By combining a bicycle-kinematic model with dynamic map-matching (via Valhalla and OpenStreetMap), the approach yields GPX tracks without training data or GPS signals, achieving about 95% average accuracy across 41 tracks and four vehicles. The authors implement the attack with a low-resource setup and release open-source code, demonstrating substantial location privacy risks in modern vehicles. The work highlights the need for defensive measures to prevent unauthorized CAN/OBD data exfiltration and route inference in real-world deployments.

Abstract

Despite its well-known security issues, the Controller Area Network (CAN) is still the main technology for in-vehicle communications. Attackers posing as diagnostic services or accessing the CAN bus can threaten the drivers' location privacy to know the exact location at a certain point in time or to infer the visited areas. This represents a serious threat to users' privacy, but also an advantage for police investigations to gather location-based evidence. In this paper, we present On Path Diagnostic - Intrusion \& Inference (OPD-II), a novel path inference attack leveraging a physical car model and a map matching algorithm to infer the path driven by a car based on CAN bus data. Differently from available attacks, our approach only requires the attacker to know the initial location and heading of the victim's car and is not limited by the availability of training data, road configurations, or the need to access other victim's devices (e.g., smartphones). We implement our attack on a set of four different cars and a total number of 41 tracks in different road and traffic scenarios. We achieve an average of 95% accuracy on reconstructing the coordinates of the recorded path by leveraging a dynamic map-matching algorithm that outperforms the 75% and 89% accuracy values of other proposals while removing their set of assumptions.

Your Car Tells Me Where You Drove: A Novel Path Inference Attack via CAN Bus and OBD-II Data

TL;DR

The paper presents OPD-II, a deterministic path inference attack that reconstructs a vehicle's traveled path using only CAN-Bus and OBD-II data, given the initial location and bearing. By combining a bicycle-kinematic model with dynamic map-matching (via Valhalla and OpenStreetMap), the approach yields GPX tracks without training data or GPS signals, achieving about 95% average accuracy across 41 tracks and four vehicles. The authors implement the attack with a low-resource setup and release open-source code, demonstrating substantial location privacy risks in modern vehicles. The work highlights the need for defensive measures to prevent unauthorized CAN/OBD data exfiltration and route inference in real-world deployments.

Abstract

Despite its well-known security issues, the Controller Area Network (CAN) is still the main technology for in-vehicle communications. Attackers posing as diagnostic services or accessing the CAN bus can threaten the drivers' location privacy to know the exact location at a certain point in time or to infer the visited areas. This represents a serious threat to users' privacy, but also an advantage for police investigations to gather location-based evidence. In this paper, we present On Path Diagnostic - Intrusion \& Inference (OPD-II), a novel path inference attack leveraging a physical car model and a map matching algorithm to infer the path driven by a car based on CAN bus data. Differently from available attacks, our approach only requires the attacker to know the initial location and heading of the victim's car and is not limited by the availability of training data, road configurations, or the need to access other victim's devices (e.g., smartphones). We implement our attack on a set of four different cars and a total number of 41 tracks in different road and traffic scenarios. We achieve an average of 95% accuracy on reconstructing the coordinates of the recorded path by leveraging a dynamic map-matching algorithm that outperforms the 75% and 89% accuracy values of other proposals while removing their set of assumptions.
Paper Structure (22 sections, 8 equations, 14 figures, 2 tables, 1 algorithm)

This paper contains 22 sections, 8 equations, 14 figures, 2 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Background
  4. CAN Bus and OBD-II
  5. Location Privacy
  6. Related Work
  7. Threat Model
  8. Attack and Technical Approach
  9. Physical Access
  10. Reverse engineering the Steering Wheel Angle Sensor
  11. Data Collection
  12. Data Retrieval
  13. Deterministic Path Inference
  14. Implementation
  15. Evaluation
  16. ...and 7 more sections

Figures (14)

  • Figure 1: The CAN frame uses the Identifier to perform medium contention. The data field contains information to use during diagnostic operations with the OBD protocol.
  • Figure 2: Example of OBD port connector on board a vehicle. It is usually located under the steering wheel, and it has easy access for diagnostic operations.
  • Figure 3: The threat model requires entering the vehicle and installing the malicious device to connect to the CAN Bus and exfiltrate data.
  • Figure 4: The six attack steps once the device is connected. The attacker needs to reverse the angle sensor, and two tools are available for this purpose in Step 2. After that, the attacker collects data and exfiltrates it to use the OPD-II tool for the dynamic map-matching algorithm and infer the path.
  • Figure 5: The impact of a parameter on the accuracy, fixing the other with the best value found through the grid search. The $t_{window}$ and $speed$ have the greater impact.
  • ...and 9 more figures