AuthentiCar – Biometric 2FA

Vehicle security will be one of the most challenging and interesting areas of the upcoming years and it brings together topics such as authentication, authorization, cloud computing, sensors, and artificial intelligence. The industry adopts a wide variety of processes and products in order to make the world a safer place.

In the last 2 days, I participated in a challenging Hackathon which was hosted by Harman development center in Hod Hasharon, and its purpose was of experiencing problems related to the real world.

Our group consisted of seven talented people, and our goal was to improve user experience and secure ‘ignition on’ with an innovative idea. We decided to prevent vehicle theft by adding a biometric two-factor authentication (2FA) to the car’s ignition. 

Authentication Factors consist of the following: Something you know, something you have and something you are. Our solution is based on the last one.

The high-level architecture and technical stack:

• Android application based on kotlin, with the implementation of fingerprint and face recognition libraries.
• AWS cloud server based on Linux with Elasticsearch cluster and Kibana for a live dashboard.  
• Raspberry-pi device with a PCAN-USB device on the vehicle.

*The communication between the smartphone and the vehicle can be done over the cloud or over Bluetooth/WiFi for ‘no-connectivity’ cases.

The process flow was as follows:

1. The end-user opens an Android application and chooses a biometric authentication option – Face recognition / Fingerprint.
2. After successful authentication – the application sends a request to the AWS cloud server including the application certificate and user metadata.
3. The cloud server logs the data in an Elasticsearch cluster and sends a request to the vehicle.
4. In the vehicle – A Raspberry-pi is running as the HTTP server and connected to a PCAN-USB device that is our entry point to the On-board diagnostics (OBD) in the vehicle.
5. When the Raspberry-pi receives the message it triggers a python code that cancels the noise in the CAN bus network and allows the engine to start.

Development process:

Creating the Android application was the easy part since Android has pretty good documentation and kotlin language is straightforward.

The authentication with the cloud demanded using the smartphone mac address as the identifier for the users (instead of sending the private fingerprint).

The tricky part was how to cancel the option to start the engine before the raspberry received the right message from the cloud. The approach we implemented was as follows:

1. First, we recorded the can bus activity when the engine is off, when the engine is on, and while starting the engine.
2. Then, we compared the messages that were running on the CAN network and succeeded to isolate specific messages that were discovered as requests to start the engine.

3. We created contradicting messages that stopped the engine, and created a script that broadcasted these messages every time it identified a request for ignition (by sniffing the CAN bus network).

4. When the device on the vehicle receives a message from the cloud to grant access to the user – we can stop ‘bothering’ the network, and the engine starts.

One of our (unsuccessful) tests to isolate the ‘start engine’ message:

We also created a Kibana dashboard in order to view statistics about the application use:

From the Business point of view – This solution can be integrated as part of OEM embedded solution for security and safety, or as an ‘After market’ solution with self-user management and great usability.

We had a great time learning a new and fascinating domain and experience with real-world challenges. We worked hard and enjoyed it, and even finished with a working prototype of our solution.

The Hackathon was well-organized, competitive and fun and our team won first place !!! We got the new DJI Tello quadcopter !

*The Project code can be found on Github.  

*Demo video can be found on Youtube

My great team:

?    Liat Ashkenazi

?    Moran Hen

?    Guy Bar Sinai

?    David Pilnik

?    Eli Yucht

?    Moaad Shbita

?    Tzvika Lipsky

See you in the next challenge,

Shmulik Willinger