May 26, 2016 -
Researchers from the University of Washington and the University of California at San Diego have discovered a way to identify drivers based solely on data gathered from the internal computer network, or CAN bus, of the vehicle their subjects were driving, according to a report by Wired.
The researchers plan to present these findings in a study at the Privacy Enhancing Technology Symposium in Germany this July.
The team found that the data gathered from just the car’s brake pedal could help them accurately identify the correct driver out of 15 individuals approximately nine times out of 10, after only 15 minutes of driving.
When the researchers used 90 minutes of driving data or monitored more car components, they could identify the correct driver 100 percent of the time.
“With very limited amounts of driving data we can enable very powerful and accurate inferences about the driver’s identity,” said Miro Enev, a former University of Washington researcher who worked on the study.
For the study, the researchers called on 15 individual test subjects to drive a vehicle from a University of Washington campus parking lot in Seattle, initially to the Space Needle about five miles away, then to a final destination a further 50 miles away.
During the entire journey, a laptop was plugged into the dashboard of the vehicle to gather its CAN network data.
The researchers then used a machine learning algorithm to analyze each part of the drivers’ routes for all 15 drivers. In each case, the algorithm would use 90% of the driving data as “learning” material, and then use the remaining data to determine which driver that 10% matched with.
The team eventually found that they didn’t even require the longest portion of the driving test to accurately identify each of the 15 drivers.
Using all data taken from the car’s sensors–such as how the driver braked, accelerated and angled the steering wheel—the team found that the algorithm could 100% accurately distinguish each of the drivers based on just 15 minutes of driving data. And with the data from the brake pedal alone, the researchers were able to guess the correct driver with 87 percent accuracy.
The researchers say that the ability to identify the driver could have potential privacy implications, such as insurance companies penalizing drivers who lend their vehicle to their teenage kids, to confirming the identity of a driver who broke a traffic law or caused an accident.
Enev said that the research points out an inherent issue with automotive security, asserting that instead of making all of a vehicle’s data and sensitive systems available to any device connected to their CAN bus, vehicles should be equipped with permission systems, similar to the way operating systems like iOS or Android do.
“There should be a permission structure built around every sensor stream,” Enev said. “You should approach every new application that you expose your data to on a need-to-know basis.”