How to Model Privacy Threats in the Automotive Domain

Abstract: This paper questions how to approach threat modelling in the automotive domain at both an abstract level that features no domain-specific entities such as the CAN bus and, separately, at a detailed level. It addresses such questions by contributing a systematic method that is currently affected by the analyst's subjectivity because most of its inner operations are only defined informally. However, this potential limitation is overcome when candidate threats are identified and left to everyone's scrutiny. The systematic method is demonstrated on the established LINDDUN threat modelling methodology with respect to 4 pivotal works on privacy threat modelling in automotive. As a result, 8 threats that the authors deem not representable in LINDDUN are identified and suggested as possible candidate extensions to LINDDUN. Also, 56 threats are identified providing a detailed, automotive-specific model of threats.