OPD-II tool: "On Path Direction - Intrusion & Inference" provides Path Inference through speed and steering wheel angle sensor data exfiltration by OBD-II and CAN Bus.
The attack uses a dynamic map-matching algorithm to infer the path crossed by a vehicle using only the speed and steering wheel angle values.
The attacker needs to access the vehicle to install a device
able to collect the CAN-Bus packets from the OBD-II port (or, in the presence of a gateway, from the twisted CAN cables directly).
At this point, the inference is possible. The attack works with a 95% accuracy, on average.
In the scripts folder we provide all the tools developed for the attack. The README file in the folder briefly explains how to use them.
Additionally, here you can find the steering_wheel_angle_sensor_lookup.csv file, a collection of the reversed steering angle wheel sensor fields in the four vehicles used during the experiments. It is easy to manually reverse this data, but if it is already available, you can spare some time.
The examples folder is currently empty to preserve the privacy and anonymity of the submission. The .csv file of the experiments is available, describing the length and accuracy of each segment. When possible, we will update it with the log and GPX files to run the PoC without collecting additional data.
The attack needs Valhalla (https://valhalla.github.io/valhalla/) to work. A very nice docker is available to set it up. This example takes the OpenStreetMap roads from Andorra, you can download other maps at the dedicated page on geofabrik.
Following this guide: https://github.com/gis-ops/docker-valhalla#build-the-image
$mkdir custom_files
$wget -O custom_files/andorra-latest.osm.pbf https://download.geofabrik.de/europe/andorra-latest.osm.pbf
docker run -dt --name valhalla_gis-ops -p 8002:8002 -v $PWD/custom_files:/custom_files ghcr.io/gis-ops/docker-valhalla/valhalla:latest
or let the container download the file for you
$docker run -dt --name valhalla_gis-ops -p 8002:8002 -v $PWD/custom_files:/custom_files -e tile_urls=https://download.geofabrik.de/europe/andorra-latest.osm.pbf ghcr.io/gis-ops/docker-valhalla/valhalla:latest
To see the logs:
$docker logs -f docker_id
And check the available dockers:
$docker container ls -a
The code is in Python3, and the conda environment is available for import. Check the environment.yml file.
Now you are ready to go.
For example, The device can be a Raspberry Pi with WiFi Direct capabilities to connect after leaving it in the target vehicle. The RBPi contains a shield to connect to the CAN-Bus and use the can-utils linux tools. We used a laptop directly connected through the USB2CAN tool.
Enter the vehicle and attach the device to communicate with.
The first step requires logging packets while moving the steering wheel right and left to generate packets with changing values for the angle.
Leave the device inside the vehicle and connect it.
After logging the packets, use ReWheel tool to get the most probable CAN IDs that contain the steering wheel angle value.
The specific ID can be checked using the AngleChecker tool. This tool assists in the SWA ID's reverse, but we can assume it is already known in the model and scenario of the paper.
With this script, we want to allow you to test the algorithm with your vehicle and data.
After getting the steering wheel angle sensor ID, we can launch the OBDrop tool to start recording speed and angle packets. To do so, connect the device to launch the tool.
Also, remember to record the exact (longitude, latitude, heading) of the vehicle's starting point.
When the target finishes the drive, you can connect again to the RBPi and stop the OBDrop tool. After that, pull the log file generated during the trip. If you want, you can perform this task in real-time (not provided, but it is a matter of when to collect/perform the script).
This is the core of the attack. Having the log file, we can perform the path inference.
We need Valhalla running in the background and the knowledge of the wheelbase of the target vehicle (distance between the front and rear axes). The steering_wheel_angle_sensor_lookup.csv contains the values for the reversed vehicles.
Start the OPD-II tool to recover the path.
It outputs the result in a map using Folium.
In the OPD-II script, we also allow testing the result against a baseline registered as a GPX file.
An output example is in the Figure below. It highlights in red and orange the points that don't match the baseline and the result of the attack. To compare the traces, we use Cmpgpx tool (https://github.com/jonblack/cmpgpx).
Accepted for publication at IEEE Euro S&P 2025.
Arxiv: https://arxiv.org/abs/2407.00585
The maps and graphs used in this work are thankfully provided by ©OpenStreetMap (https://www.openstreetmap.org).
Meili map-matching algorithm provided by Valhalla.