Edwin Yang (University of Oklahoma) and Song Fang (University of Oklahoma)
With the advent of the in-vehicle infotainment (IVI) systems (e.g., Android Automotive) and other portable devices (e.g., smartphones) that may be brought into a vehicle, it becomes crucial to establish a secure channel between the vehicle and an in-vehicle device or between two in-vehicle devices. Traditional pairing schemes are tedious, as they require user interaction (e.g., manually typing in a passcode or bringing the two devices close to each other). Modern vehicles, together with smartphones and many emerging Internet-of-things (IoT) devices (e.g., dashcam) are often equipped with built-in Global Positioning System (GPS) receivers. In this paper, we propose a GPS-based Key establishment technique, called GPSKey, by leveraging the inherent randomness of vehicle movement. Specifically, vehicle movement changes with road ground conditions, traffic situations, and pedal operations. It thus may have rich randomness. Meanwhile, two in-vehicle GPS receivers can observe the same vehicle movement and exploit it for key establishment without requiring user interaction. We implement a prototype of GPSKey on top of off-the-shelf devices. Experimental results show that legitimate devices in the same vehicle require 1.18-minute of driving on average to establish a 128-bit key. Meanwhile, the attacker who follows or leads the victim’s vehicle is unable to infer the key.