For many years, car keys have been the sole means of authentication in vehicles. Whether the access control process is physical or wireless, entrusting the ownership of a vehicle to a single token leaves it prone to theft attempts. For this reason, many researchers started developing behavior-based authentication systems. By collecting data in a moving vehicle, Deep Learning (DL) models can recognize patterns in the data and identify drivers based on their driving behavior. This can be used as an anti-theft system, as a thief would exhibit a different driving style compared to the vehicle owner's. However, the assumption that an attacker cannot replicate the legitimate driver's behavior fails under certain conditions. In this paper, we propose GAN-CAN, the first attack capable of fooling state-of-the-art behavior-based driver authentication systems in a vehicle. Based on the adversary's knowledge, we propose different GAN-CAN implementations. Our attack leverages the lack of security in the Controller Area Network (CAN) to inject suitably designed time-series data to mimic the legitimate driver. Our design of the malicious time series results from the combination of different Generative Adversarial Networks (GANs) and our study on the safety importance of the injected values during the attack. We tested GAN-CAN on an improved version of the most efficient driver behavior-based authentication model in the literature. We prove that our attack can fool it with an attack success rate of up to 0.99. We show how an attacker, without prior knowledge of the authentication system, can steal a car by deploying GAN-CAN in an off-the-shelf system in under 22 minutes.