Uncovering Security and Privacy Threats in the Automotive Sector

Modern vehicles have evolved into complex cyber-physical systems, often referred to as “computers on wheels.” This evolution has enabled significant improvements in safety, comfort, and efficiency, but has also introduced a wide range of security and privacy challenges. Internal vehicle networks, such as the Controlled Area Network (CAN) Bus, were designed with robustness in mind but lack built-in security mechanisms, making them vulnerable to unauthorized access. Similarly, external communication channels, such as Bluetooth, cellular networks, and emerging infrastructure for Electric Vehicle (EV)s charging, expose vehicles to new attack vectors. Exploiting these vulnerabilities can compromise both vehicle functionality and sensitive personal information, such as driver location and travel patterns, highlighting the critical intersection between security and safety in modern automotive systems. This dissertation investigates these challenges from two complementary perspectives: intra-vehicle communication and inter-vehicle communication in the context of Dynamic Wireless Power Transfer (DWPT) for EVs. In the first part, we analyze how attackers can gain unauthorized access to a vehicle and exploit seemingly benign CAN Bus and OBD-II data to infer the path taken by the vehicle, thus threatening driver privacy. We collected and analyzed real vehicle data to validate our novel path inference attack, demonstrating that even minimal information can be leveraged to track a vehicle accurately. In the second part, we examine the authentication processes in DWPT systems, which enable EVs to charge while moving. Through a systematic review of state-of-the-art protocols, we identify vulnerabilities that expose vehicles to identity and location privacy risks, as well as billing fraud. Building on this analysis, we propose a series of progressively secure protocols: first, an improved protocol that mitigates known vulnerabilities. Second, an identity-based authentication scheme that preserves privacy while maintaining efficiency, and finally, a post-quantum resistant protocol designed for constrained automotive environments. Each protocol is accompanied by detailed security and performance analyses to demonstrate feasibility and resilience against current and future threats. Overall, this dissertation provides a comprehensive examination of automotive security and privacy, offering practical solutions to real-world vulnerabilities while anticipating emerging challenges. By combining attack analysis, experimental validation, and protocol design, the dissertation contributes to advancing both the understanding and the protection of modern vehicular systems, ultimately supporting safer, more secure, and privacy-preserving vehicles and intelligent transportation infrastructures.