Despite its well-known security issues, the Controller Area Network (CAN) is still the main technology for in-vehicle communications. An attacker who poses as a diagnostic service or otherwise gains access to the CAN bus can threaten drivers' location privacy, learning their exact location at a given point in time or inferring the areas they visited. This is a serious threat to users' privacy, but also an opportunity for police investigations to gather location-based evidence. In this paper, we present On Path Diagnostic - Intrusion & Inference (OPD-II), a novel path inference attack that leverages a physical car model and a map matching algorithm to infer the path driven by a car from CAN bus data. Unlike existing attacks, our approach only requires the attacker to know the initial location and heading of the victim's car, and it is not limited by the availability of training data, by road configurations, or by the need to access the victim's other devices (e.g., smartphones). We implement our attack on four different cars and a total of 41 tracks in different road and traffic scenarios. We achieve an average of 95% accuracy in reconstructing the coordinates of the recorded path by leveraging a dynamic map-matching algorithm, outperforming the 75% and 89% accuracy of other proposals while removing their assumptions.
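The attack sketched above combines a physical car model with map matching: speed and steering signals read from the bus are integrated from a known initial pose, and the resulting dead-reckoned trace is snapped onto a road graph. The following Python is an added illustration written for this page, not the OPD-II code: it uses a kinematic bicycle model (an assumed choice; the paper's own car model is not reproduced), a hypothetical wheelbase and steering ratio, constructed speed/steering-wheel samples in place of decoded CAN frames, a nearest-segment matcher in place of the paper's dynamic map-matching algorithm, and a constructed two-segment road graph. All function, parameter and signal names are assumptions.

```python
"""Dead reckoning from CAN-like speed/steering samples plus map matching.

Added example, not the OPD-II implementation. Vehicle parameters, signal
decoding, the road graph and the matcher are all constructed or assumed.
"""
import math
from dataclasses import dataclass


@dataclass
class CanSample:
    """One decoded sample: time (s), wheel speed (m/s), steering-wheel angle (deg).

    Signal names and scaling are hypothetical; real DBC definitions differ per car.
    """
    t: float
    speed: float
    steer_deg: float


# Hypothetical vehicle parameters (assumed, not taken from the paper).
WHEELBASE_M = 2.7
STEERING_RATIO = 16.0  # steering-wheel degrees per road-wheel degree


def dead_reckon(samples, x0, y0, heading0):
    """Integrate a kinematic bicycle model from an initial pose.

    heading is in radians, counter-clockwise from +x. Returns (x, y, heading)
    at every sample, using forward Euler with the previous sample's speed and
    steer held over the interval to the next sample.
    """
    x, y, th = x0, y0, heading0
    poses = [(x, y, th)]
    for prev, cur in zip(samples, samples[1:]):
        dt = cur.t - prev.t
        delta = math.radians(prev.steer_deg / STEERING_RATIO)  # road-wheel angle
        x += prev.speed * math.cos(th) * dt
        y += prev.speed * math.sin(th) * dt
        th += prev.speed / WHEELBASE_M * math.tan(delta) * dt
        poses.append((x, y, th))
    return poses


def _project(point, seg):
    """Orthogonal projection of point onto segment, clamped to its endpoints."""
    (px, py), ((ax, ay), (bx, by)) = point, seg
    dx, dy = bx - ax, by - ay
    seg_len2 = dx * dx + dy * dy
    if seg_len2 == 0:
        return (ax, ay)
    s = ((px - ax) * dx + (py - ay) * dy) / seg_len2
    s = max(0.0, min(1.0, s))
    return (ax + s * dx, ay + s * dy)


def map_match(poses, segments):
    """Snap each dead-reckoned position onto the nearest road segment.

    Plain nearest-segment matching (an assumption; the paper's dynamic
    matcher is not reproduced). Returns (segment_index, snapped_point) per pose.
    """
    matched = []
    for x, y, _th in poses:
        candidates = []
        for i, seg in enumerate(segments):
            p = _project((x, y), seg)
            candidates.append((math.dist((x, y), p), i, p))
        _dist, idx, p = min(candidates)
        matched.append((idx, p))
    return matched


def inferred_route(matched):
    """Ordered list of distinct segment indices the matched trace passes through."""
    route = []
    for idx, _p in matched:
        if not route or route[-1] != idx:
            route.append(idx)
    return route


def fraction_within(matched, truth, tol_m):
    """Share of matched points within tol_m of the ground-truth point (assumed metric)."""
    hits = sum(1 for (_i, p), q in zip(matched, truth) if math.dist(p, q) <= tol_m)
    return hits / len(truth)


if __name__ == "__main__":
    # Constructed trace: 5 s straight at 10 m/s, then a gentle left turn.
    trace = [CanSample(t, 10.0, 0.0) for t in range(6)]
    trace += [CanSample(6 + t, 10.0, 40.0) for t in range(5)]
    roads = [((0.0, 0.0), (100.0, 0.0)), ((100.0, 0.0), (100.0, 100.0))]
    poses = dead_reckon(trace, 0.0, 0.0, 0.0)
    matched = map_match(poses, roads)
    print("dead-reckoned end pose:", poses[-1])
    print("inferred route (segment indices):", inferred_route(matched))
```

The attacker only needs the starting pose and a map; everything else comes from the bus. In practice the Euler integration drifts with sampling rate, tyre slip and sensor scaling errors, which is exactly why the snapping step matters: the road graph constrains the trace back onto plausible positions.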