Automotive Data Privacy: Attacks and Defenses

Vehicular data-collection platforms as part of OEM’s connected telematic services are on the rise. OEMs use these platforms to derive various telematics parameters from the in-vehicle network for connected services. OEMs also allow sharing of the collected data with third-party service providers upon request. We propose to investigate the broad field of automotive data privacy since it has been a rapidly rising concern. The European Union has established a privacy standard called General Data Protection Regulation (GDPR) in May 2018. Furthermore, the Facebook-Cambridge Analytica data incident made headlines in March 2018. OEMs’ data collection from vehicles is increasingly popular and may offer OEMs new businesses but it comes with the risk of privacy leakages. Vehicular sensor data shared with third-parties can lead to misuse of the requested data for other purposes than stated/intended.

In this project, we first provide an overview of existing privacy standards and regulations as well as ongoing efforts in the automotive domain and survey the landscape of automotive data-privacy attacks which can be classified into three categories: driver fingerprinting, location inferencing and driving-behavior analysis. After designing a threat model for third-party vehicular data sharing, we will then investigate an example location-inference attack using less obvious sensors since the thus-collected data can leak users’ location and traveled routes without explicitly using the GPS readings. We will also analyze the accuracy of inferring the user’s location from vehicle data and show the impact of this on the car owner’s privacy. Furthermore, we will show how this privacy vulnerability can be mitigated by designing a privacy-preserving data-collection architecture and schemes using differential privacy for vehicles.

Faculty

  • Kang G. Shin

Graduate Students

  • Mert D. Pesé


Publications

  • Mert D. Pesé and Kang G. Shin, Survey of Automotive Privacy Regulations and Privacy-Related Attacks, in the 2019 SAE World Conference Experience (WCX '19), Detroit, Michigan, USA, April 2019.
    <pdf>