[Ppt] Survey Of Vehicular Network Security

Survey of Vehicular Network Security, Jonathan Van Eenwyk

Description: VANET security

Transcript of [Ppt] Survey Of Vehicular Network Security

Page 1: [Ppt] Survey Of Vehicular Network Security

Survey of Vehicular Network Security

Jonathan Van Eenwyk

Page 2: [Ppt] Survey Of Vehicular Network Security

Contents
- Design Issues
- Certificate-Based Solution
- Privacy Concerns
- Data Validation

Page 3: [Ppt] Survey Of Vehicular Network Security

Design Issues

- The Security and Privacy of Smart Vehicles
  IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo
- Attacks on Inter-Vehicle Communication Systems - an Analysis
  Aijaz, et al. (supported by industry)
- Challenges in Securing Vehicular Networks
  HotNets-IV: Parno and Perrig
- Security Issues in a Future Vehicular Network
  European Wireless, 2002: Zarki, et al.

Page 4: [Ppt] Survey Of Vehicular Network Security

Design Issues

The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo

System model
- Ad-hoc communication between vehicles and base stations
- Base stations provide services
- Vehicles provide sensor data
- Vehicles have more resources than most ad-hoc networks

Applications
- Traffic and safety alerts
- Travel tips
- Infotainment (including Internet access)

Page 5: [Ppt] Survey Of Vehicular Network Security

Design Issues

The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo

Challenges
- Authentication and data encryption
- Auditing sensor data
- Privacy (avoid tracking)
- Infrastructure boot-strapping
- Negative perception of smart vehicles

Page 6: [Ppt] Survey Of Vehicular Network Security

Design Issues

The Security and Privacy of Smart Vehicles
IEEE Security and Privacy, May/June 2004: Hubaux, Čapkun, Luo

Key Features
- Context sensors (front-end radar, ultra-sound, etc.)
- Event data recorder (i.e., "black box")
- Tamper-proof device to handle encrypted transmissions
- Location detection (GPS or distance bounding)
- Communication with road-side base stations

Page 7: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

- The Security of Vehicular Networks
  EPFL Technical Report, March 2005: Raya, Hubaux
- Certificate Revocation in Vehicular Networks
  LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Page 8: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

The Security of Vehicular Networks
EPFL Technical Report, March 2005: Raya, Hubaux

Attacks
- Bogus information
- Message tampering
- Cheating (data manipulation, impersonation)
- Identity disclosure for vehicle tracking
- Denial of service

Page 9: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

The Security of Vehicular Networks
EPFL Technical Report, March 2005: Raya, Hubaux

Security Mechanisms
- Electronic License Plate (post-mortem auditing)
- Asymmetric encryption using public key infrastructure
  - Large number of anonymous keys (no identity information)
  - Vehicles frequently change keys to avoid tracking
  - Keys can be revoked (more later)
- Physical layer protection against denial of service
  - Channel switching
  - Implement more than one communication technology

Page 10: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Revocation using Compressed Certificate Revocation Lists (RC2RL)
- Large number of vehicles, so potentially huge revocation list
- Lossy compression using Bloom filter
  - Configurable rate of false positives
  - Definitely no false negatives
- Bit vector of length m
- Hash a with k hashing functions
- Each function sets one bit
- Later, verify membership if all k bits are set as expected
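Added example (not from the slides or the RC2RL report): a Bloom-filter revocation list with an m-bit vector and k hash functions, sized from a target false-positive rate and checked for false negatives. The SHA-256 index-prefix hashing, the sizing formulas and the certificate IDs are assumptions made for this illustration.

```python
import hashlib
import math


class RevocationBloom:
    """Bloom filter over revoked certificate IDs (m-bit vector, k hash functions)."""

    def __init__(self, m: int, k: int):
        self.m, self.k = m, k
        self.bits = bytearray((m + 7) // 8)

    def _positions(self, cert_id: bytes):
        # Assumed construction: k hash functions = SHA-256 with an index prefix.
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(4, "big") + cert_id).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def revoke(self, cert_id: bytes) -> None:
        for p in self._positions(cert_id):
            self.bits[p // 8] |= 1 << (p % 8)

    def maybe_revoked(self, cert_id: bytes) -> bool:
        # False: definitely not revoked. True: revoked, or a false positive.
        return all(self.bits[p // 8] & (1 << (p % 8)) for p in self._positions(cert_id))


def size_for(n: int, fp_rate: float):
    """Standard Bloom sizing: m = -n ln(p) / (ln 2)^2, k = (m / n) ln 2."""
    m = math.ceil(-n * math.log(fp_rate) / (math.log(2) ** 2))
    k = max(1, round(m / n * math.log(2)))
    return m, k


def demo(n_revoked=2000, n_valid=20000, fp_rate=0.01):
    # Constructed certificate IDs, not real serial numbers.
    revoked = [f"revoked-cert-{i}".encode() for i in range(n_revoked)]
    valid = [f"valid-cert-{i}".encode() for i in range(n_valid)]
    m, k = size_for(n_revoked, fp_rate)
    crl = RevocationBloom(m, k)
    for c in revoked:
        crl.revoke(c)
    false_negatives = sum(not crl.maybe_revoked(c) for c in revoked)
    false_positives = sum(crl.maybe_revoked(c) for c in valid)
    return m, k, false_negatives, false_positives / n_valid


if __name__ == "__main__":
    m, k, fn, fpr = demo()
    print(f"m={m} bits ({m // 8} bytes), k={k}, false negatives={fn}, FP rate={fpr:.4f}")
```

A false positive here means a valid certificate is treated as revoked, so the compressed list errs on the side of rejecting; a revoked certificate is never accepted.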

Page 11: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Revocation of the Tamper-Proof Device (RTPD)
- Send message to vehicle's TPD to revoke all activity
- Send to base stations nearest last known location
- Broadcast over low-bandwidth radio (AM/FM) or satellite
- Lower overhead approach as long as TPD is reachable
- Send localized revocation list to surrounding area

Page 12: [Ppt] Survey Of Vehicular Network Security

Certificate-Based Solution

Certificate Revocation in Vehicular Networks
LCA Report 2006: Raya, Jungels, Papadimitratos, Aad, Hubaux

Distributed Revocation Protocol (DRP)
- Vehicles that detect malicious nodes can warn others
- Requires an honest majority
- Warnings have lower weight if sending node has also been condemned by other nodes

Example
- Node 4 condemns node 2
- But this warning has less weight because node 4 has itself been condemned by nodes 1 and 3

[Diagram: nodes 1, 2, 3 and 4]
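Added example (not from the slides or the LCA report): the node 1-4 scenario above, scored so that a warning counts for less when its sender has itself been condemned. The weight formula 1 / (1 + c) and the threshold of 1.0 are assumptions chosen for illustration; the slides do not give the protocol's actual weighting.

```python
from collections import defaultdict

# Warnings from the slide's scenario as (accuser, accused) pairs.
SLIDE_WARNINGS = [(4, 2), (1, 4), (3, 4)]


def accusation_scores(warnings):
    """Weighted accusation score per accused node.

    Assumed weighting (not from the slides): a warning counts 1 / (1 + c),
    where c is the number of distinct nodes that have condemned its sender.
    """
    accusers_of = defaultdict(set)
    for accuser, accused in warnings:
        if accuser != accused:                 # ignore self-accusations
            accusers_of[accused].add(accuser)  # repeats by one accuser count once

    def weight(node):
        return 1.0 / (1 + len(accusers_of.get(node, ())))

    return {accused: sum(weight(a) for a in accusers)
            for accused, accusers in accusers_of.items()}


def condemned(warnings, threshold=1.0):
    """Nodes whose weighted score reaches the (assumed) revocation threshold."""
    return {n for n, s in accusation_scores(warnings).items() if s >= threshold}


if __name__ == "__main__":
    for node, score in sorted(accusation_scores(SLIDE_WARNINGS).items()):
        print(f"node {node}: score {score:.2f}")
    print("condemned:", condemned(SLIDE_WARNINGS))
```

With these assumptions node 4 is condemned on the word of nodes 1 and 3, while its warning against node 2 carries only a third of a full vote and does not reach the threshold.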

Page 13: [Ppt] Survey Of Vehicular Network Security

Privacy Concerns

- Balancing Auditability and Privacy in Vehicular Networks
  Q2SWinet '05: Choi, Jakobsson, Wetzel
- CARAVAN: Providing Location Privacy for VANET
  ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki

Page 14: [Ppt] Survey Of Vehicular Network Security

Privacy Concerns

Balancing Auditability and Privacy in Vehicular Networks
Q2SWinet '05: Choi, Jakobsson, Wetzel

Provide privacy
- From peer-to-peer vehicles
- From infrastructure authorities

Support auditability
- Linkability between anonymous handles and owner identity
- Requires off-line permission granting (court order, etc.)

Page 15: [Ppt] Survey Of Vehicular Network Security

Privacy Concerns

Balancing Auditability and Privacy in Vehicular Networks
Q2SWinet '05: Choi, Jakobsson, Wetzel

Two-Level Infrastructure
- Back-end (ombudsman)
  - Creates long-term "handle" from node identities
  - Nodes initialized with set of handles
  - Off-line approval can grant identity from pseudonym
- Front-end (road-side base stations)
  - Uses short-term pseudonyms created from long-term handles
  - Pseudonym and shared key created from handle and timestamp

Page 16: [Ppt] Survey Of Vehicular Network Security

Privacy Concerns

CARAVAN: Providing Location Privacy for VANET
ESCAR '05: Sampigethaya, Huang, Li, Poovendran, Matsuura, Sezaki

Provide privacy from vehicle location tracking

Proposed Techniques
- Update pseudonym after random silence period
  - Fixed-interval updates can be tracked by estimating trajectory
  - Silence period obscures nodes if other nodes are present
- Designate group leader to proxy communications
  - Avoids redundant transmissions
  - Extends length of time to use each pseudonym

Page 17: [Ppt] Survey Of Vehicular Network Security

Data Validation

- Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
  VANET '06: Picconi, Ravi, Gruteser, Iftode
- Detecting and Correcting Malicious Data in VANETs
  VANET '04: Golle, Greene, Staddon

Page 18: [Ppt] Survey Of Vehicular Network Security

Data Validation

Probabilistic Validation of Aggregated Data in Vehicular Ad-hoc Networks
VANET '06: Picconi, Ravi, Gruteser, Iftode

- Allow sensor data to be aggregated
- Use signing certificates to validate data
- Randomly force one complete record to be included
- Relies heavily on tamper-proof device

Page 19: [Ppt] Survey Of Vehicular Network Security

Data Validation

Detecting and Correcting Malicious Data in VANETs
VANET '04: Golle, Greene, Staddon

- Nodes attempt to identify malicious data via information sharing
- Nodes detect neighbors and contribute to global database
- Malicious nodes may contribute invalid or spoofed data
  - May try to fake a traffic jam
- Friendly nodes build models to explain database observations
  - Is there one malicious node attempting to spoof three other nodes?
  - Are all four nodes malicious?
- Possible heuristic: choose scenario with fewest bad and spoofed nodes

Page 20: [Ppt] Survey Of Vehicular Network Security

Data Validation

Detecting and Correcting Malicious Data in VANETs
VANET '04: Golle, Greene, Staddon

Example
[Figures: Actual Scenario; Possible Explanations]

Page 21: [Ppt] Survey Of Vehicular Network Security

Questions?