Many research papers have recently focused on behavioral-based driver authentication systems in vehicles. Pushed by Artificial Intelligence (AI) advancements, these works propose powerful models to identify drivers through their unique biometric behavior. However, practitioners have not yet shown any interest in the topic. Indeed, several limitations and oversights make implementing the state-of-the-art impractical, such as the computational resources required for training and the management of false positives. Furthermore, while being proposed as security measures, researchers neglect possible attacks on these systems that can make them counterproductive. Driven by the significant gap between research and practical application, this paper seeks to connect these two domains. We develop two lightweight behavioral-based driver authentication systems based on Machine Learning (ML) and Deep Learning (DL) architectures designed for our constrained environments. We formalize a realistic system and threat model reflecting a real-world vehicle's network for their implementation. When evaluated on real driving data, our models outclass the state-of-the-art with an accuracy of up to 0.999 in identification and authentication. Motivated by the inherent vulnerabilities of ML and DL models, we are the first to propose GAN-CAN, a class of novel evasion attacks, showing how attackers can still exploit these systems with a perfect attack success rate (up to 1.000). Our attacks are effective under different assumptions on the attacker's knowledge and allow stealing a vehicle in less than 22 minutes. Finally, we formalize requirements for deploying driver authentication systems securely and avoiding attacks such as GAN-CAN. Through our contributions, we aid practitioners in safely adopting these systems, help reduce car thefts, and enhance driver security.

翻译：近年来，许多研究论文聚焦于车辆中基于行为的驾驶员身份验证系统。受人工智能（AI）进展的推动，这些研究提出了强大模型，通过驾驶员独特的生物行为特征来识别身份。然而，从业者至今尚未对此主题展现出兴趣。实际上，多项局限性和疏忽使得现有最先进方法的实现不切实际，例如训练所需的计算资源以及误报管理问题。此外，尽管这些系统被提议作为安全措施，研究人员却忽视了可能使其适得其反的攻击手段。鉴于研究与实践应用之间的显著差距，本文旨在连接这两个领域。我们基于机器学习（ML）和深度学习（DL）架构，针对受限环境开发了两种轻量级基于行为的驾驶员身份验证系统。我们形式化了一个反映真实车辆网络的现实系统模型与威胁模型，以支持其实现。在真实驾驶数据上评估时，我们的模型在识别与身份验证任务中的准确率最高达0.999，超越了现有最先进方法。受ML与DL模型固有漏洞的驱动，我们首次提出GAN-CAN（一种新型规避攻击类别），展示了攻击者如何仍能以完美攻击成功率（最高达1.000）利用这些系统。我们的攻击在攻击者知识储备的不同假设下均有效，且能在不到22分钟内盗取车辆。最后，我们形式化了安全部署驾驶员身份验证系统并规避GAN-CAN等攻击所需的条件。通过我们的贡献，我们帮助从业者安全地采用这些系统，减少车辆盗窃，并增强驾驶员安全性。