Security and Privacy in an Online Vehicle Infrastructure. Erhan J. Kartaltepe, MCPD, Lead Consultant, Denim Group Ltd. July 23rd, 2008


Page 1: Security and Privacy in an Online Vehicle Infrastructure

Erhan J. Kartaltepe, MCPD
Lead Consultant, Denim Group Ltd.
July 23rd, 2008

Page 2: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions


Page 4: Intelligent Transportation Systems (ITS)

• ITS add information and communications technology to
  – transportation infrastructure
  – individual and fleet vehicles
  – traffic management centers (TMC)
• The Federal Highway Authority
  – wanted ITS deployments in 75 major cities
  – wanted them in 10 years (from January 2000)
  – got what they wanted (over 100 “major” cities so far)

Page 5: What are ITS Systems?

• To a civil engineer
• To an electrical engineer
• To a software engineer

Page 6: ITS Hardware Components

• Sensors
  – cameras (CCTV and VIVDS)
  – inductor loops
  – RFID antennas and tags
• Computing and Output Displays
  – traffic lights
  – dynamic message signs (DMS)
  – servers, PCs, and laptops

Page 7: ITS Software Components

• Software Applications Used by the Public
  – travel times
  – flow management
  – passive (informational) mapping
• Software Applications Used by the TMCs
  – incident management
  – data archiving
  – active (controller) mapping
• Plenty More on Both Sides

Page 8: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions

Page 9: Software Standards

• Communication between systems is generally proprietary
• Some standards exist under NTCIP (National Transportation Communications for ITS Protocol)
  – DMS sign communication
  – CCTV camera high-level control
  – C2C applications
• Many NTCIP protocols use XML and HTTP-like communication

Page 10: NTCIP Protocols

• National Transportation Communications for ITS Protocol (NTCIP)
  – Comprised of working groups to standardize protocols
  – Both hardware and software protocols
  – Working body for message format and markup
• Standardization
  – Goal of NTCIP working groups is to get work ratified
  – Protocols tend to be request or request-response
  – Messages use simple proprietary markups
  – Now tend to use XML

Page 11: Multi Message Format Example

• [128][30][2][TRAVEL TIME TO][LF][CULEBRA RD][LF][5-7 MINUTES][EL]
• Not self-describing
• Request-only protocol
• No security built into the schema

Page 12: Multi Message Format Hardware Attack

• [1][30][2][LEFT LANE CLOSED][LF][NEXT TWO MILES][LF][CHANGE LANES][EL]
• Attack only works per sign
• Physical access control limits value of attack
• Proprietary manufacturer’s hardware prevents “scalability”

Page 13: Multi Message Format Software Attack

• <xml><token>A39F7ED2</token><message><mfr>Gideon</mfr><dms>[1][30][2][LEFT LANE CLOSED][LF][NEXT TWO MILES][LF][CHANGE LANES][EL]</dms></message></xml>
• Application layer generally builds in security
  — authentication — authorization — encryption
• Attacks scale to a facility, city, or (soon) a state
• Is the attack too “expensive” to be worth it?

Page 14: More than Just Informational Systems

• Passive Informational Mapping
  – traffic data
  – lane closures
  – weather sensor information
• Active Control
  – TMS Map and main GUI
  – CCTV Camera control
  – DMS and LCS control
  – Police/EMS deployment

Page 15: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions

Page 16: Embedded Technology

• Currently, ITS is mainly infrastructure-driven
  – CCTV cameras deployed on road
  – DMS and LCS over highways
  – inductor loops in ground
  – TMC centers as centralized hub
• Move ITS to be vehicle-driven
  – vehicle as mobile all-in-one sensor
  – cell phone or in-vehicle-navigation system as TMC
  – wireless communication to transmit data for analysis

Page 17: Locational Technologies

• Automated Vehicle Location systems
  – geopositional systems (GPS)
  – inertial navigation systems (INS)
  – cell-phone positioning systems
• Convergent technologies in use today
  – Smart parking (Japan, San Francisco)
  – City transit and school buses
  – Police department and EMS vehicles
  – FedEx and UPS

Page 18: Probe Data Platform

• Probe data standards
  – SAE J1939 (heavy-duty vehicles)
  – SAE J1979 (“regular” vehicles)
• (a) Probe data is carried on CANbus
• (b) An onboard unit extracts and sends probe/GPS data to a roadside unit
• (c) Roadside unit packages all messages into an ITS message for the TMC
• (d) TMC accepts the data from roadside units for processing
• (e) Other applications compute relevant information for the end user
  — mapping — travel times — data archiving — env. systems
• (f) Users get updates on the internal screen display

Page 19: Probe Data Platform Deployments

• Integrated heavy-duty vehicle probe data into Texas Department of Transportation fleet vehicles
• Incorporated the system into commercial fleet management for sparse system deployments (truck stops) in Texas
• Applied automated vehicle location technology for municipal heavy-duty vehicles in Florida
• More advanced and expensive technologies and routing algorithms in use
  – shipping companies
  – large department stores
  – police and emergency vehicles

Page 20: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions

Page 21: Vehicle Infrastructure Integration

• Federal Highway Administration (FHWA) Initiative
  – fostering software and engineering research
  – applications research and development
• Directly links road vehicles to their physical surroundings
  – improve safety and efficiency
  – Vehicle-to-infrastructure (V2I) communication
  – later, vehicle-to-vehicle (V2V) communication

Page 22: Why VII?

• Safety
  – On US highways (2006):
    • Nearly 43,000 fatalities, 3 million injuries
    • Over $230 billion cost to society
• Efficiency
  – Traffic jams waste time and fuel
  – In 2007, American drivers lost over four billion hours and six billion gallons of fuel due to heavy traffic congestion
• Profit
  – Safety features and high-tech devices have become product differentiators

Page 23: Illustrated Deployment Example

• Inexpensive to deploy and more accurate
• Security and privacy issues abound
• What are the consequences of opting out?

[Diagram: vehicles communicating with a roadside unit (RSU), which forwards to the traffic management center (TMC)]

Page 24: Security as an Afterthought

• Ubiquity and utility of V2I communication make them targets for attack
• Attacks may have deadly consequences
• VII working group
  – Over one hundred VII applications
  – Zero for security

Page 25: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions

Page 26: Adversaries

• Greedy drivers
• Snoops
• Pranksters
• Industrial insiders
• Malicious attackers

Page 27: Known Attacks in a New Environment

• Distributed Denial of Service (DDoS)
  – Attempts to overwhelm the network
  – Dangerous if users rely on the service
• Message Suppression Attacks
  – Drop congestion alerts
• Fabrication
  – Lie about congestion ahead or lie about identity
• Alteration Attacks
  – Replay transmissions to simulate congestion

Page 28: Authentication and Privacy Challenges

• Each vehicle should only have one identity
  – Prevents spoofed congestion or platoon rerouting
  – Allows use of external mechanisms for emergency vehicles
• Drivers value their privacy
  – Legal requirements vary from country to country
  – …and from state to state
  – …and from city to city

Page 29: Availability and Key Distro Challenges

• Applications will require real-time responses
  – Increases vulnerability to DDoS
  – Unreliable communication medium, like the “old days”
• Key distribution: Manufacturers or Government
  – Manufacturers: requires cooperation, interoperability, and users’ trust
  – Government: handled at the state level; also requires cooperation and interoperability

Page 30: Bootstrap and Resiliency Challenges

• Initially, only a small number of vehicles will have access
  – Limited support deployment of infrastructure
• Low tolerance for errors implies strong need for resiliency
  – With so many cars, even if the application works 99.99999% of the time, it likely will fail on a car in motion
  – Life-and-death applications must be resilient to this
  – Focus on prevention, rather than detection and recovery
  – Safety-related apps may not have margin for driver reaction time

Page 31: Secure Message Origin

• Prevents attacks
  – Attackers on road cannot spoof vehicles
  – Attackers cannot modify messages to simulate congestion
• Alternately, use entanglement
  – Each vehicle broadcasts its ID and which vehicles it has passed
  – Establishes relative ordering
  – Evaluates report consistency using aggregation
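The consistency check that the entanglement bullet above leaves to aggregation, and the “Secure Aggregation” primitive on slide 33 (count vehicles, disregard outliers), as an added example that is not part of the original deck: probe reports are collapsed to one claim per vehicle identity (the one-identity rule from slide 28), a minimum distinct-vehicle count is enforced before any verdict, and speeds far from the median are discarded so a few lying vehicles cannot fabricate or hide congestion. The thresholds, the report format and the sample reports are constructed for this example.

```python
from statistics import median

# Constructed thresholds (not from the deck); tune per road segment.
MIN_DISTINCT_VEHICLES = 5    # fewer distinct reporters: refuse to issue a verdict
CONGESTION_SPEED_MPH = 25.0  # aggregate speed below this means "congested"
MAD_CUTOFF = 3.0             # discard speeds more than 3 MADs from the median


def aggregate_segment(reports, min_vehicles=MIN_DISTINCT_VEHICLES):
    """Aggregate probe reports for one road segment.

    reports: list of (vehicle_id, speed_mph) whose origin has already been
    authenticated, so vehicle_id is trusted to name one real vehicle.
    Returns (status, aggregate_speed, reports_used).
    """
    # One identity, one vote: a sender that repeats or replays a claim
    # contributes a single (latest) speed, not one per message.
    latest = {}
    for vehicle_id, speed in reports:
        latest[vehicle_id] = float(speed)
    if len(latest) < min_vehicles:
        return "insufficient", None, len(latest)

    speeds = list(latest.values())
    med = median(speeds)
    # Median absolute deviation: a spread estimate that a small minority
    # of dishonest vehicles cannot drag around the way a mean can be.
    mad = median(abs(s - med) for s in speeds)
    if mad == 0.0:
        kept = speeds  # every vehicle agrees; nothing to discard
    else:
        kept = [s for s in speeds if abs(s - med) / mad <= MAD_CUTOFF]

    aggregate = median(kept)
    status = "congested" if aggregate < CONGESTION_SPEED_MPH else "free-flow"
    return status, aggregate, len(kept)


# Constructed sample: six honest vehicles in free flow, one vehicle
# repeating a 3 mph claim four times, and a second liar at 2 mph.
FREE_FLOW_REPORTS = [("V1", 58), ("V2", 61), ("V3", 55), ("V4", 60),
                     ("V5", 57), ("V6", 59),
                     ("V7", 3), ("V7", 3), ("V7", 3), ("V7", 3), ("V8", 2)]

# Constructed sample: genuine congestion plus one vehicle claiming 65 mph.
CONGESTED_REPORTS = [("V1", 12), ("V2", 9), ("V3", 15), ("V4", 11),
                     ("V5", 14), ("V6", 10), ("V9", 65)]

if __name__ == "__main__":
    print(aggregate_segment(FREE_FLOW_REPORTS))  # ('free-flow', 58.5, 6)
    print(aggregate_segment(CONGESTED_REPORTS))  # ('congested', 11.5, 6)
```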

Page 32: Anonymization Service

• May only need to deliver content to any vehicle, rather than a specific one
  – Authenticate to anonymization service with permanent ID
  – Anonymization service can issue a temporary ID
• Example environments: toll roads, border facilities
  – Controlled entrance and exit points
  – All IDs are issued temporarily by the same authority

Page 33: Other Security Primitives

• Secure Aggregation
  – Count vehicles to report congestion
  – Disregard outliers
• Key Establishment
  – Session keys for vehicle platooning
  – Session keys for automatic cruise control
• Message Authentication and Expiration
  – Prevent replay attacks
  – Prevent Sybil attacks
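The message authentication and expiration primitive above, and the application-layer authentication that slide 13 says the software path generally builds in, as an added example that is not part of the original deck: the TMC signs each DMS command (the MULTI payload from slide 11) with an HMAC over the payload, a timestamp and a per-sign sequence number, and the sign controller rejects forged, altered, stale or replayed commands before acting on them. The key, the JSON envelope and the field names are constructed for this example and are not the NTCIP wire format.

```python
import hashlib
import hmac
import json

# Constructed shared key for one sign (hypothetical); in a deployment it would
# come from the manufacturer- or government-run key distribution on slide 29.
SIGN_KEY = b"constructed-demo-key-for-DMS-0042"
MAX_AGE_SECONDS = 30  # commands older than this are treated as expired

def _canonical(fields):
    """Stable byte encoding of the authenticated fields (constructed envelope)."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign_dms_command(key, dms_id, multi, seq, now):
    """TMC side: wrap the MULTI payload with its target, time, sequence and tag."""
    fields = {"dms": dms_id, "multi": multi, "seq": seq, "ts": int(now)}
    tag = hmac.new(key, _canonical(fields), hashlib.sha256).hexdigest()
    return {**fields, "tag": tag}

class SignController:
    """Sign side: act on a command only if it is authentic, fresh and new."""

    def __init__(self, key, dms_id, max_age=MAX_AGE_SECONDS):
        self.key = key
        self.dms_id = dms_id
        self.max_age = max_age
        self.last_seq = -1  # highest sequence number already acted on

    def verify(self, msg, now):
        fields = {k: msg.get(k) for k in ("dms", "multi", "seq", "ts")}
        expected = hmac.new(self.key, _canonical(fields), hashlib.sha256).hexdigest()
        # Tag first, in constant time: anything altered in transit (e.g. a
        # swapped MULTI string) fails here before any other field is trusted.
        if not hmac.compare_digest(expected, str(msg.get("tag", ""))):
            return False, "bad tag"
        if fields["dms"] != self.dms_id:
            return False, "wrong sign"   # authentic, but addressed to another sign
        if abs(now - fields["ts"]) > self.max_age:
            return False, "expired"      # an old capture being resent
        if fields["seq"] <= self.last_seq:
            return False, "replay"       # within the time window, but already seen
        self.last_seq = fields["seq"]
        return True, "accepted"

if __name__ == "__main__":
    travel = "[128][30][2][TRAVEL TIME TO][LF][CULEBRA RD][LF][5-7 MINUTES][EL]"
    ctl = SignController(SIGN_KEY, "DMS-0042")
    cmd = sign_dms_command(SIGN_KEY, "DMS-0042", travel, seq=1, now=1_000_000)
    print(ctl.verify(cmd, now=1_000_001))  # (True, 'accepted')
    print(ctl.verify(cmd, now=1_000_002))  # (False, 'replay')
```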

Page 34: Overview

• Intelligent Transportation Systems: A Primer
• Vehicle Infrastructure Communication Standards
• Embedded Commercial Fleet Vehicle Technology
• Vehicle Infrastructure Initiative
• Challenges and Security Primitives
• Conclusions

Page 35: Conclusions

• ITS systems add information and communications technology to transportation infrastructure, individual and fleet vehicles, and TMCs
• ITS systems are distributed in nature, with internal and public-facing access points, and as demand grows, so does the attack surface area
• ITS and online vehicle infrastructure have security/privacy vulnerabilities
• Weaknesses in common with other web services and apps
• Unique weaknesses related to vehicular networks
• Potentially fatal losses due to insecure applications

Page 36: Conclusions

• Vehicle networks exist today and are moving from
  – Fleet vehicles using proprietary and custom units
  – Individuals’ vehicles using inexpensive, mass-produced on-board units
• Adversaries and attacks are rampant
  — authentication — authorization — privacy — availability — key management — initialization
• Security primitives exist and when applied can prevent attacks
  – VII working group does not build security into standards
  – Building security in early will prevent serious and possibly fatal attacks

Page 37: Questions?