Your Car Tells Me Where You Drove: A Novel Path Inference Attack via CAN Bus and OBD-II Data

Bianchi, Tommaso; Brighente, Alessandro; Conti, Mauro
2025

Abstract

During police investigations, the ability to extract a vehicle's coordinate data without relying on GPS is vital, because targets may be aware of tracking bugs that use this technology and take action against them. To this end, extracting non-encrypted data from the Controller Area Network (CAN) provides a valid solution for officers. Indeed, CAN exchanges non-encrypted data, including physical information about the car's movement. In this paper, we present On Path Diagnostic - Intrusion & Inference (OPD-II), a novel path inference attack leveraging a physical car model and a map matching algorithm to infer the path driven by a car based on CAN bus data. Unlike available attacks, our approach only requires the attacker to know the initial location and heading of the victim's car and is not limited by the availability of training data, road configurations, or the need to access the victim's other devices (e.g., smartphones). We implement our attack on a set of four different cars and a total of 59 tracks in different road and traffic scenarios. We achieve an average 95.75% accuracy in reconstructing the coordinates of the recorded path by leveraging a dynamic map matching algorithm that outperforms other state-of-the-art proposals while removing their set of assumptions.
Proceedings - IEEE 10th European Symposium on Security and Privacy, Euro S and P 2025
10th IEEE European Symposium on Security and Privacy, Euro S and P 2025

Use this identifier to cite or link to this document: https://hdl.handle.net/11577/3567322