
Project Report


1. VEHICULAR AD-HOC NETWORKS

A Vehicular Ad-Hoc Network, or VANET, is a technology that uses moving cars as nodes in a

network to create a mobile network. VANET turns every participating car into a wireless router

or node, allowing cars within approximately 100 to 300 metres of each other to connect and, in turn,

create a network with a wide range. As cars fall out of the signal range and drop out of the

network, other cars can join in, connecting vehicles to one another so that a mobile Internet is

created. It is estimated that the first systems that will integrate this technology are police and fire

vehicles to communicate with each other for safety purposes.

Vehicular Ad-Hoc Networks (VANET) are becoming an integral technology for connecting daily

life to computer networks. They could greatly improve the driving experience both in terms of

safety and efficiency. As shown in Figure 1, when multi-hop communication is implemented,

VANET enables a vehicle to communicate with other vehicles which are out of sight or even out

of radio transmission range. It also enables vehicles to communicate with roadside infrastructure.

Figure 1: Vehicular Communication

There has been a significant improvement in Intelligent Transportation Systems (ITS) in

recent years, mainly due to the problems caused by traffic congestion in this developing world.

The various applications of ITS range from basic management systems such as car navigation,

automatic number plate navigation to more advanced applications that integrate live data and

feedback from a number of other sources, such as parking guidance and information systems,

weather information and the like. The Dedicated Short Range Communications (DSRC) band at

5.9 GHz with a spectrum of 75 MHz has been allocated in the US for ITS. The vehicles on the

road use this band for V2V (vehicle to vehicle) and for V2R (vehicle to road equipment)

communications. These vehicles create a Vehicular Ad-hoc Network (VANET) dynamically. In

this, a special electronic device will be placed inside each vehicle which will provide Ad-Hoc

Network connectivity for the passengers. This network tends to operate without any infrastructure

or server communication. Each vehicle equipped with a VANET device will be a node

in the Ad-Hoc network and can receive and relay others’ messages through the wireless network.

To determine their own position, the vehicles are equipped with the Global Positioning System (GPS).

It is a space-based satellite navigation system that provides reliable location and time information

in all weather and at all times. A number of Medium Earth Orbit (MEO) satellites

broadcast signals from space, and the GPS receiver uses them to calculate its

location and time. These positions act as the address of a vehicle (node) in the network.

Vehicular networks are part of the vision of Intelligent Transportation Systems (ITS). Vehicles

communicate with each other via Inter-Vehicle Communication (IVC) as well as with roadside

base stations via Roadside-to-Vehicle Communication (RVC). The ultimate goal is that vehicular

networks will contribute to safer and more efficient roads in the future by providing timely

information to drivers and concerned authorities.

2. THREATS AND SECURITY ASPECTS

Introduction

Before proposing security solutions for IVC (Inter Vehicle Communications), it is important

to construct a threat model able to encompass all possible attacks on vehicular networks. In

addition, describing specific attacks on these networks would enable us to choose the right set

of tools in order to counter these attacks.

2.1 Threats

We categorize security threats into three groups according to the application type that they

target:

2.1.1 Attacks on safety-related applications: Safety-related applications are the major

incentive behind the development of IVC. As they are required to provide a high level of

liability, their security should be no less important. The results of an attack on these

applications can be not only annoying (e.g., causing traffic congestion) but also disastrous,

leading to accidents and loss of life.

2.1.2 Attacks on payment-based applications: A considerable number of IVC applications

will involve financial transactions, e.g., for toll collection, payment for location-based

services, and insurance. This will inevitably create a set of corresponding financial frauds that

leverage the open nature of wireless communications.

2.1.3 Attacks on privacy: One of the major concerns in future vehicular networks is the

question of privacy. In fact, enabling vehicles to communicate with each other will allow

tracking their drivers. This can be used by adversaries for unauthorized location tracking of

vehicles. Protecting the location privacy of vehicles is important because the lack of privacy

may hinder the future growth of this technology.

2.2 Specific Attacks

In this section we describe several example attacks on vehicular networks.

2.2.1 Bogus information attack: In this case, the attacker disseminates false information in

the vehicular network in order to affect the decisions of other drivers. For example, as Figure

2.2.1 shows, several drivers may collude in order to help each other arrive at their

destinations faster. Vehicle A2 sends messages indicating to all following vehicles that the

road they are taking is congested after a short distance. As a result, the drivers of these

vehicles may change their routes in order to avoid congestion by following different roads.

The result is that the road is freed in front of vehicle A1, which can go faster. Although this

example attack is rational, the same mechanism can be used to create congestion on specific

roads for malicious reasons. This attack belongs to the first category of threats.

Figure 2.2.1: Bogus information attack

2.2.2 Disruption of network operation: The aim of this attack is to prevent the network

from carrying out safety-related functions. There are many ways to perform this attack, either

by sending messages that would lead to improper results or by jamming the wireless channel

(this is called a Denial of Service, or DoS, attack) so that vehicles cannot exchange safety

messages. The example in Figure 2.2.2 illustrates the first case: a malicious attacker sends

contradictory messages to two vehicles, one behind the other, during a night drive. As one

vehicle receives a message warning it of congestion ahead and slows down, the following

vehicle receives a message saying that the road ahead is clear and hence it speeds up. The

worst-case scenario is when an accident results because of this manipulation. The DoS attack

consists of jamming the wireless channel, thus interrupting all communications. It can be used

against both safety-related and payment-based applications and is one of the hardest security

problems in IVC.

Figure 2.2.2: Disruption of network operation attack

2.2.3 Cheating with identity, speed, or positioning information: In cases where liability is

involved, drivers may be tempted to cheat with some information that can determine the

location of their car at a given time. For example, as Figure 2.2.3 illustrates, a vehicle may be

involved in an accident and then claim that it was not on the spot when the accident

happened. This can be done by tweaking the reported speed or location information.

Although this example applies to safety-related applications, cheating with identity by

impersonation can also be very useful in attacks on payment-based applications.

Figure 2.2.3: Cheating attack

2.2.4 Identity disclosure attack: This is the Big Brother scenario, where a global observer

can monitor trajectories of targeted vehicles and use this data for a range of purposes (e.g.,

the way freight companies track their trucks). To monitor, the global observer can leverage

the roadside infrastructure or the vehicles around its target (e.g., by using a virus that

infects neighbours of the target and collects the required data!). The attacker can be only

passive in this case (listening to the wireless transmissions of surrounding vehicles, as Figure

2.2.4 shows), thus making the attack impossible to detect. We assume that the attacker does not

make use of cameras, physical pursuit, or onboard tracking devices to track his target;

otherwise, the tracking problem becomes simpler but also more expensive and tied to few

specific targets, and it can be done anyhow based on existing license plates. This attack

exemplifies the last category of threats.

Figure 2.2.4: Identity disclosure attack

3. Position-Based Routing Protocols

Introduction

Vehicles are equipped with GPS by which they know their positions in a network. A node, when

transmitting information to other nodes will transmit based on their positions. This forms the

basis of position-based routing protocols. Here, the routing decision is based on the location of the

destination and neighbouring nodes. Every node determines its own position and broadcasts it in

periodic beacon messages. So, each vehicle in the transmission range is able to maintain a

neighbouring location table. The technique used here is greedy forwarding.

As mentioned above, a node has a neighbouring location table. In the greedy forwarding algorithm, a

forwarding node looks at the table and finds out the node which is geographically closest to the

packet’s destination. It then sends the packet to that particular node.

Position-based routing protocols are prone to various security threats. Vehicles can

intentionally lie about their positions. By manipulating its own position information, a

malicious vehicle can be selected as an intermediate relay node. It can then either drop the

data packets or modify the content of the packets. This is called a position-spoofing attack

and is one of the most destructive threats faced by ITS and VANETs. The location information

can also be used to cause a so-called intelligent collision attack. Drivers may also cheat with

the location information of their vehicles at a given time, such as after an accident. The

location information of vehicles can also be used in adaptive cruise control and lane control

in a fully automated system without human intervention. Therefore, accurate information on

position is crucial in ITS and VANETs.

Fig. 3 shows an example of a position-spoofing attack against position-based routing protocols

in VANET. Source vehicle S may select a neighbouring vehicle H, which is nearest to the

destination D, as the forwarder to the destination D. However, a malicious vehicle M can attract the traffic from S

to D by broadcasting False Location (FL) information periodically. After receiving data

packets, M can either drop or manipulate the received packets.

Figure 3: Position-spoofing attack in VANET
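
The following simulation is an added example, not part of the original report. It implements greedy forwarding over neighbour location tables and shows how one false beacon from M redirects traffic that would otherwise go through H. The topology, coordinates, function names and the 300 m radio range are assumptions chosen for illustration.

```python
import math

RADIO_RANGE_M = 300.0  # assumed: upper end of the 100 to 300 m range in section 1

def neighbour_table(node, true_pos, beacons):
    """Beacon positions of every node physically within radio range of `node`.
    The table stores what neighbours claim, which is all a receiver sees."""
    return {n: beacons[n] for n in true_pos
            if n != node and math.dist(true_pos[node], true_pos[n]) <= RADIO_RANGE_M}

def greedy_next_hop(node, dest_pos, table, beacons):
    """Neighbour whose claimed position is closest to the destination,
    or None if no neighbour is closer than the forwarder itself."""
    best, best_d = None, math.dist(beacons[node], dest_pos)
    for n, pos in table.items():
        d = math.dist(pos, dest_pos)
        if d < best_d:
            best, best_d = n, d
    return best

def route(src, dest, true_pos, beacons, droppers=frozenset()):
    """Forward a packet hop by hop; return (path, outcome)."""
    path, node = [src], src
    while node != dest:
        if node in droppers:
            return path, "dropped"
        table = neighbour_table(node, true_pos, beacons)
        if dest in table:
            nxt = dest
        else:
            nxt = greedy_next_hop(node, beacons[dest], table, beacons)
        if nxt is None:
            return path, "no closer neighbour"
        path.append(nxt)
        node = nxt
    return path, "delivered"

# Constructed topology in metres. M really sits next to S, far from D.
TRUE_POS = {"S": (0, 0), "G": (120, -30), "M": (60, 40),
            "H": (250, 10), "R": (500, 0), "D": (750, 0)}

def honest_run():
    # Every beacon carries the true position; M is never chosen as relay.
    return route("S", "D", TRUE_POS, dict(TRUE_POS), droppers={"M"})

def spoofed_run():
    beacons = dict(TRUE_POS)
    # False Location (FL): 290 m from S, so it still looks in range to S.
    beacons["M"] = (290, 0)
    return route("S", "D", TRUE_POS, beacons, droppers={"M"})

if __name__ == "__main__":
    print("honest :", honest_run())
    print("spoofed:", spoofed_run())
```

The false location stays inside S's radio range, so a range threshold alone would not reject it; that is the gap the verification schemes in the next sections try to close.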

3.1 Position Verification Schemes

One of the techniques that can be utilized to prevent position-spoofing attack is in-region

verification. It is used to verify whether vehicles are actually located in their claimed region.

Position Verification Schemes are classified as:

Infrastructure-based (special hardware required) and

Infrastructure-less (no special hardware required).

These two can again be sub-divided into two classes: autonomous and cooperative

verification schemes. In autonomous verification scheme, each node individually verifies the

claimed position of another neighbouring node whereas in the case of cooperative verification

scheme, a node can overhear the transmission of location information of other nodes and

reports its view to the verifier cooperatively.

There are a number of verification schemes proposed in the literature. Some of those are:

3.2 Verifiable Multilateration (VM)

This is proposed to determine the position of a node from a set of reference points whose

positions are known in advance, based on the distances measured between the reference

points and the device. This utilizes distance bounding and multilateration techniques.

3.2.1 Distance bounding protocols enable a verifier to establish an upper bound on the

physical distance to a prover. It is based on timing the delay between sending out challenge

bits and receiving back the response bits. This delay time enables the verifier to compute an

upper bound on the distance, as half the round-trip delay time multiplied by the speed of

light. It also means that a vehicle can only pretend that it is further from the verifier than it

really is but it can’t prove itself to be closer.

3.2.2 Multilateration is the process of locating an object by computing the Time Difference

of Arrival (TDoA) of a signal emitted from that object to three or more receivers. It is based

on the simple fact that if a pulse is emitted from a platform, it will arrive at slightly different

times at two spatially separated receiver sites, the TDoA being due to the different distances

of each receiver from the platform.

3.2.3 Verifiable multilateration works as follows: Four verifying base stations with known

locations perform distance bounding to the vehicle, the results of which give them four upper

bounds on distance from the vehicle. If the verifiers can uniquely compute the vehicle’s

location using these distance bounds, and if this location falls into the triangular pyramid

formed between the verifiers, then they conclude that the vehicle’s location is correct.

Equivalently, only three verifiers are needed to verify the vehicle’s location in two

dimensions; the verifiers still consider the car’s location correct if it can be uniquely

computed and if it falls in the triangle formed between them.

Figure 3.2.3: Example of verifiable multilateration

Figure 3.2.3 shows an example of verifiable multilateration. The intuition behind the

technique is that a vehicle might try to cheat about its location. As we mentioned earlier, the

vehicle can only pretend that it is further from the verifier than it really is because of the

distance bounding property. However, if it increases the measured distance to one of the

verifiers, it would need to prove that at least one of these distances is shorter than it actually

is, to keep its claimed location consistent with the increased distance. This property holds

only if the claimed location is within the triangular pyramid formed by the verifiers: if an

object is located within the pyramid and it moves to a different location within the pyramid, it

will certainly reduce its distance to at least one of the pyramid vertices. The same holds in

two dimensions. Base stations v1, v2, v3, and v4 can verify a vehicle’s location in three

dimensions if the vehicle is located in the triangular pyramid that v1, v2, v3, and v4 form.

Base stations v1, v3, and v5 can verify a vehicle’s location in two dimensions if the vehicle is

located in the triangle formed by v1, v3, and v5.

A major limitation of this could be the cost since we will have to use a number of base

stations to verify the location of a prover. Another could be the time required to verify the

position. This can be reduced by employing synchronous base stations, that is, base stations transmitting the

challenge message to the prover at the same time. But this could easily be defeated by the

malicious vehicle by making use of a sector antenna.
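
The two-dimensional case of verifiable multilateration can be worked through in code. This is an added example, not code from the report or its references: three verifiers turn their distance bounds into a position, then accept it only if the bounds meet in one point and that point lies inside their triangle. Verifier coordinates, the 1 m tolerance and all function names are assumptions.

```python
import math

def trilaterate(verifiers, dists):
    """Position from three verifier positions and three distances, obtained by
    subtracting circle 1 from circles 2 and 3 (two linear equations in x, y)."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    d1, d2, d3 = dists
    a11, a12 = 2 * (x2 - x1), 2 * (y2 - y1)
    a21, a22 = 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        raise ValueError("verifiers are collinear")
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def inside_triangle(p, tri):
    """True if p is inside or on the edge of the triangle (same-sign cross products)."""
    def cross(a, b, c):
        return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    signs = [cross(tri[i], tri[(i + 1) % 3], p) for i in range(3)]
    return all(s >= 0 for s in signs) or all(s <= 0 for s in signs)

def verify(verifiers, bounds, tol_m=1.0):
    """Accept only a uniquely computed position inside the verifier triangle."""
    p = trilaterate(verifiers, bounds)
    if any(abs(math.dist(p, v) - d) > tol_m for v, d in zip(verifiers, bounds)):
        return "reject: bounds do not meet in one point"
    if not inside_triangle(p, verifiers):
        return "reject: outside verifier triangle"
    return "accept"

def bounds_for(pos, verifiers, added_m=(0.0, 0.0, 0.0)):
    """Bounds the verifiers would measure; a delayed reply can only lengthen them."""
    return [math.dist(pos, v) + max(0.0, a) for v, a in zip(verifiers, added_m)]

def achievable_by_delay(true_pos, fake_pos, verifiers):
    """Could a vehicle at true_pos present fake_pos using added delay only?
    That requires every faked distance to be at least the true distance."""
    return all(math.dist(fake_pos, v) >= math.dist(true_pos, v) for v in verifiers)

# Constructed layout in metres.
V = [(0.0, 0.0), (600.0, 0.0), (300.0, 500.0)]

def honest_inside():
    return verify(V, bounds_for((300.0, 200.0), V))

def one_distance_enlarged():
    # The vehicle delays only its reply to v1 (80 m of apparent extra distance).
    return verify(V, bounds_for((300.0, 200.0), V, added_m=(80.0, 0.0, 0.0)))

def consistent_fake_outside():
    # From outside the triangle all three distances can be enlarged consistently,
    # so the computed point is unique; only the triangle test rejects it.
    return verify(V, bounds_for((300.0, -200.0), V))
```

`achievable_by_delay((300, 200), (350, 250), V)` is false because the faked point is closer to the second verifier, while `achievable_by_delay((300, -50), (300, -200), V)` is true; this is the property that restricts verification to claims inside the triangle.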

3.3 Triangulation

Triangulation (location determined using geometry) is used to determine the position of a device

from three reference points. Due to the upper bound of the distance between the reference points

and the device, attackers cannot decrease the distance between two neighbouring nodes.

In the network, some nodes equipped with GPS have their accurate positions. These nodes

periodically broadcast their location information to all other nodes in the network. Based on the

distance estimated from the nodes, position information is calculated.

An example is shown in Figure 3.3, where a node uses the estimate of its distance from 3 beacons

to compute its location.

Figure 3.3: Triangulation

3.4 Echo Protocol

In the Echo protocol, a prover sends its position information to the verifier. The verifier then

sends back a challenge message to the prover. When the prover receives the

challenge, it replies immediately to the verifier through an ultrasonic channel with the received

challenge message. The verifier then measures the total delay between two receptions of

challenge and response messages. It compares the measured delay to the delay estimated

according to the claimed position and the speed of light.

This protocol is quite simple as it eliminates the use of cryptographic keys to establish

communication between the devices. Even the hardware required for this is minimal. It does

not require time synchronization or any prior agreement between the prover and the verifier.

3.5 Stealth Nodes

In VANETs we have certain nodes that do no transmissions themselves. These nodes are

known as stealth nodes and can listen to the broadcast location information and

distance-bounding communication and verify reported positions. If the claimant does not

know the positions of these nodes, it will not be able to cheat on its location.

In this concept, secure position verification is done with the help of road-side infrastructure.

This type of infrastructure can be created by using one active node that initiates distance

bounding challenges to passing vehicles and a passive stealth node that monitors distance

bounding communications and checks for inconsistencies. This passive node has to be

connected with the active node using a wired link.

During a distance bounding exchange an active node will send a ping to the vehicle and the

vehicle will reply. The passive node or the stealth node overhears the ping and the reply and

can measure the Time Difference of Arrival (TDoA) between the two messages. Since it

knows its own position and the position of verifier it can restrict the position of the prover to

an ellipse with the foci being the verifier and the stealth node. If the reported position of the

prover is not within a certain error distance of the ellipse, the stealth node can signal this

detected inconsistency to the verifier which will send out a warning to all other vehicles.

This concept is advantageous as long as the malicious vehicles are not able to detect the

position of the stealth node. It fails if the other vehicles are able to determine the positions of

stealth nodes.

Figure 3.5: Stealth Nodes

From Fig. 3.5, a stealth node S that overhears the exchange of challenge-response messages

between verifier V and prover P can measure the time difference of arrival (TDoA) between

two messages. Assuming that S knows its own position and the position of V, it can use the

measured TDoA to restrict the position of P to the ellipse with foci at both S and V.
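
The ellipse check performed by the stealth node can be written out as follows. This is an added example, not code from the report: the TDoA that S measures fixes the sum d(V,P) + d(P,S), and the claimed position is accepted only if it yields the same sum within an error distance. Coordinates, the 5 m error distance, a radio (speed of light) channel and the function names are assumptions.

```python
import math

C = 299_792_458.0  # speed of light in m/s (radio channel assumed)

def tdoa_at_stealth(true_pos, v_pos, s_pos, reply_delay_s=0.0):
    """Simulated TDoA at S between V's ping and P's reply.
    The ping reaches S directly; the reply travels V -> P -> S."""
    ping_at_s = math.dist(v_pos, s_pos) / C
    reply_at_s = (math.dist(v_pos, true_pos) / C + reply_delay_s
                  + math.dist(true_pos, s_pos) / C)
    return reply_at_s - ping_at_s

def ellipse_path_sum(tdoa_s, v_pos, s_pos, proc_delay_s=0.0):
    """d(V,P) + d(P,S) implied by the measured TDoA: the ellipse with foci V and S."""
    return C * (tdoa_s - proc_delay_s) + math.dist(v_pos, s_pos)

def claim_consistent(claimed_pos, tdoa_s, v_pos, s_pos, max_err_m=5.0):
    """True if the claimed position lies within max_err_m of the ellipse."""
    implied = ellipse_path_sum(tdoa_s, v_pos, s_pos)
    claimed = math.dist(v_pos, claimed_pos) + math.dist(claimed_pos, s_pos)
    return abs(claimed - implied) <= max_err_m

# Constructed positions in metres.
V_POS, P_TRUE, P_FAKE = (0.0, 0.0), (100.0, 0.0), (180.0, 0.0)
EXTRA_DELAY_S = 2 * 80.0 / C  # delay that makes V's round trip match P_FAKE

def honest_claim(s_pos=(200.0, 150.0)):
    tdoa = tdoa_at_stealth(P_TRUE, V_POS, s_pos)
    return claim_consistent(P_TRUE, tdoa, V_POS, s_pos)

def enlarged_claim(s_pos=(200.0, 150.0)):
    # P delays its reply and reports P_FAKE, 80 m further from V.
    tdoa = tdoa_at_stealth(P_TRUE, V_POS, s_pos, reply_delay_s=EXTRA_DELAY_S)
    return claim_consistent(P_FAKE, tdoa, V_POS, s_pos)

def enlarged_claim_collinear_listener():
    # Limitation: with S on the line through V and P, behind V, the enlarged
    # claim moves away from both foci equally and still sits on the ellipse.
    return enlarged_claim(s_pos=(-100.0, 0.0))
```

With S off the V-P axis the enlarged claim misses the ellipse by about 109 m and is flagged; the collinear case passes, which shows that the position of the listening node decides whether an enlargement is visible.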

3.6 Autonomous Position Verification

This type of verification is done with the help of autonomous sensors. It uses various

schemes:

3.6.1 Acceptance Range Threshold (ART) is based on the fact that all radio networks used

in VANETs have a limit on the maximum communication range. So by discarding position

beacons from nodes claiming to be at a distance greater than the maximum range, many types

of attack are avoided.

3.6.2 Mobility Grade Threshold (MGT) is based on the fact that nodes can move only at a

well-defined maximum speed. When receiving a beacon, nodes also receive a timestamp.

Then, upon the reception of subsequent beacons from the same node, it is checked whether the

average speed of the node between the two positions exceeds the MGT. If yes, the beacon

and thus that node is discarded.

This sensor detects rapid changes in a node’s claimed position but it cannot detect gradual

changes of a node’s position claim towards a wrong direction.

3.6.3 Maximum Density Threshold (MDT) is based on the assumption that only a limited

number of devices can reside in a given area. If this threshold is exceeded, further position

beacons for that area are rejected.

3.6.4 Map Based Verification is based on the assumption that vehicles involved in the

network make use of navigation systems where street maps are accessible. Upon receiving

the beacon, the system can check whether a neighbouring vehicle pretends to be at a location

that is not likely. If so, the beacon is rejected.

3.6.5 Position Claim Overhearing is a concept in which the nodes make use of so-called

promiscuous mode to capture packets that are sent by nodes in reception range but are

addressed to other nodes. It gives only indications that position information may have been

forged. This overhearing sensor is not very effective and might only be used in conjunction

with other sensors described above.
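
The three threshold sensors (ART, MGT, MDT) can be combined into one beacon filter, sketched here as an added example that is not part of the original report. The threshold values, the grid used for density, the stale-timestamp rule, the class name and the beacon tuples are all assumptions; the last three beacons show the gradual drift that MGT cannot detect.

```python
import math
from collections import defaultdict

MAX_RANGE_M = 300.0    # ART: assumed radio range
MAX_SPEED_MPS = 50.0   # MGT: assumed maximum speed (180 km/h)
MAX_PER_CELL = 4       # MDT: assumed maximum nodes per grid cell
CELL_M = 20.0          # MDT: assumed cell edge length

class BeaconFilter:
    def __init__(self, own_pos):
        self.own_pos = own_pos
        self.last = {}                  # node id -> (position, timestamp)
        self.cells = defaultdict(set)   # grid cell -> node ids accepted there
        self.discarded = set()          # nodes dropped after an MGT violation

    def _cell(self, pos):
        return (int(pos[0] // CELL_M), int(pos[1] // CELL_M))

    def check(self, node, pos, t):
        if node in self.discarded:
            return "reject: node discarded"
        # ART: nobody can be heard from beyond the maximum radio range.
        if math.dist(self.own_pos, pos) > MAX_RANGE_M:
            return "reject: ART"
        if node in self.last:
            prev_pos, prev_t = self.last[node]
            if t <= prev_t:             # added rule: timestamps must advance
                return "reject: stale timestamp"
            # MGT: average speed between two consecutive claims.
            if math.dist(prev_pos, pos) / (t - prev_t) > MAX_SPEED_MPS:
                self.discarded.add(node)
                self.cells[self._cell(prev_pos)].discard(node)
                return "reject: MGT"
        # MDT: too many distinct nodes claiming the same small area.
        cell = self._cell(pos)
        if node not in self.cells[cell] and len(self.cells[cell]) >= MAX_PER_CELL:
            return "reject: MDT"
        if node in self.last:
            self.cells[self._cell(self.last[node][0])].discard(node)
        self.cells[cell].add(node)
        self.last[node] = (pos, t)
        return "accept"

# Constructed beacons: (node id, claimed position in metres, timestamp in seconds).
SAMPLE = [
    ("A", (50.0, 0.0), 0.0), ("A", (70.0, 0.0), 1.0),    # 20 m/s
    ("B", (400.0, 0.0), 1.0),                            # beyond radio range
    ("C", (100.0, 0.0), 1.0), ("C", (250.0, 0.0), 2.0),  # 150 m/s jump
    ("C", (110.0, 0.0), 3.0),                            # C already discarded
] + [(f"X{i}", (200.0 + i, 200.0 + i), 4.0) for i in range(1, 6)] + [
    # Gradual drift at 30 m/s: passes every threshold whatever the true position.
    ("D", (10.0, 100.0), 0.0), ("D", (40.0, 100.0), 1.0), ("D", (70.0, 100.0), 2.0),
]

def run(beacons, own_pos=(0.0, 0.0)):
    f = BeaconFilter(own_pos)
    return [f.check(node, pos, t) for node, pos, t in beacons]
```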

3.7 Drawback

A drawback of this verification system is that it uses hard thresholds. A solution to this

problem is to use adaptive thresholds that are set according to the location conditions. The

major drawback is that each node only has a local view that might not be enough to reliably

identify all position faking nodes.

4. SECURE LOCATION VERIFICATION

Introduction

This verification scheme focuses on solving the problem of in-region verification where a

verifier V wants to verify whether a prover P is in a region of interest. To design this we

consider the following requirements. First, it should be an infrastructure-less cooperative

scheme. This is because we want to minimize the hardware requirements so as to reduce the

costs that may be incurred due to the infrastructure. We have seen in the previous discussion that

autonomous verification is inefficient so we make use of cooperative verification. Second, it

should be able to detect attacks that are launched without violating threshold values such as

transmission range, speed limit, road map etc. Third, no special hardware is required

other than a GPS receiver and a Tamper Resistant Module (TRM), since we are considering an

infrastructure-less approach.

TRM is used to protect the routing module. It is a hardware/software entity in which data and

programs cannot be modified by the user. Thus, routing module tampering attacks can be

prevented. It keeps all the necessary cryptographic keys inside, and is capable of

cryptographic processing. It also provides a secure storage of all critical data.

To guarantee secure key management, Public Key Infrastructure (PKI) with certificate

authority is assumed. A PKI is an arrangement that binds public keys with respective user

identities by means of a certificate authority (CA). CA is an entity that issues digital

certificates. The digital certificate certifies the ownership of a public key by the named

subject of the certificate. A communication is enabled between two nodes with the help of

keys (public keys and private keys). Two types of algorithms are present for this aspect:

symmetric key and asymmetric key algorithms. In the first one there is a single key for both

encryption and decryption. In the second case, messages are encrypted with the recipient’s

public key and can only be decrypted with the corresponding private key.

The three main steps used to verify the location of the prover are:

1. Use of a distance bounding technique to bound the minimum distance between verifier V and prover P. As explained earlier, we know that a prover can only cheat by appearing further from the verifier than its actual location. So, any attempt to reduce that minimum distance will be detected by the verifier. While estimating the distance to V, it also considers the non-zero processing delay. We assume that the prover can provide an upper bound to its processing delay.

2. V conducts plausibility checks after it has received a response from P. The checks include maximum transmission range (P cannot claim to be located farther than the maximum transmission range of V), acceptable speed limit (no vehicle can move farther away than the maximum feasible distance between two consecutive beacon messages), and roadway map (to check if P’s claimed location is on the roadway or not).

3. If the prover passes all these plausibility checks, then the verifier selects a common neighbor, which gives an estimated location of the prover. If the estimated location of P is not within some error distance of the ellipse, then V can detect the distance enlargement of P.

4.1 Distance bounding techniques

Distance bounding techniques are used to bound the minimum distance between two devices.

These are used by the verifier V to verify that a prover P cannot claim to be at a distance

which is less than its actual distance. First, the verifier generates a random nonce, Nv, and

sends a challenge message with a Message Authentication Code (MAC). This can be

done only if there is a shared key between the two. So, before the data transmission starts

taking place the two vehicles can set up the secure symmetric key. The prover after receiving

the signal generates a response message with the current location, speed and direction

information and replies immediately with the MAC and the nonce Nv. The verifier then

checks if the nonce Nv and MAC are correct. In the last step, V checks the authenticity of the

response message. If both Nv and MAC are correct, the elapsed time is used to verify the

correctness of the location information of P in a response message (i.e., check whether the

elapsed time

Δt ≤ 2·d(V, P)/c + δ). Here c is the speed of light and δ is the upper bound on the prover’s processing delay.
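
The challenge-response exchange and the elapsed-time inequality above, as an added example that is not code from the report or from the cited scheme. It uses HMAC-SHA256 as the MAC and simulates the round-trip time from the prover's true distance; the message layout, the function names and the 100 ns processing-delay allowance (`delta_s`) are assumptions.

```python
import hashlib
import hmac
import json
import math
import secrets

C = 299_792_458.0  # speed of light in m/s

def _mac(key, label, nonce, body=b""):
    # The label is a fixed 4-byte constant and the nonce has fixed length,
    # so plain concatenation is unambiguous.
    return hmac.new(key, label + nonce + body, hashlib.sha256).digest()

def make_challenge(key):
    nv = secrets.token_bytes(16)              # fresh random nonce Nv
    return {"nonce": nv, "mac": _mac(key, b"CHAL", nv)}

def make_response(key, challenge, pos, speed, heading):
    if not hmac.compare_digest(challenge["mac"], _mac(key, b"CHAL", challenge["nonce"])):
        raise ValueError("challenge MAC invalid")
    body = json.dumps({"pos": pos, "speed": speed, "heading": heading}).encode()
    return {"nonce": challenge["nonce"], "body": body,
            "mac": _mac(key, b"RESP", challenge["nonce"], body)}

def verify_response(key, challenge, response, v_pos, elapsed_s, delta_s):
    if not hmac.compare_digest(response["nonce"], challenge["nonce"]):
        return "reject: nonce"
    expected = _mac(key, b"RESP", challenge["nonce"], response["body"])
    if not hmac.compare_digest(response["mac"], expected):
        return "reject: MAC"
    claimed = json.loads(response["body"])["pos"]
    # Elapsed time must not exceed what the claimed distance allows.
    if elapsed_s > 2 * math.dist(v_pos, claimed) / C + delta_s:
        return "reject: timing"
    return "accept"

def exchange(true_pos, claimed_pos, proc_s, tamper=False,
             v_pos=(0.0, 0.0), delta_s=100e-9):
    """Run one exchange with a constructed shared key and simulated timing.
    delta_s = 100 ns corresponds to about 15 m of slack (c * delta / 2)."""
    key = secrets.token_bytes(32)             # shared symmetric key, set up beforehand
    ch = make_challenge(key)
    resp = make_response(key, ch, list(claimed_pos), 20.0, 90.0)
    if tamper:                                # body altered in transit
        resp["body"] = resp["body"].replace(b"20.0", b"99.0")
    elapsed = 2 * math.dist(v_pos, true_pos) / C + proc_s
    return verify_response(key, ch, resp, v_pos, elapsed, delta_s)
```

A prover 150 m away that claims 60 m fails the timing check, while the same prover claiming 250 m passes it; that remaining enlargement case is what the later plausibility and common-neighbour steps address.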

4.2 Selection of the Best Common Neighbor

We discussed above that after the plausibility checks the verifier selects a common neighbor

to it and the prover, which helps in the verification of the claimed location. To select the best

common neighbor we follow a set of steps.

Consider Fig. 4.1. When the verifier sends a message to the prover, the prover sends a reply with an

additional delay that enlarges its position to P’. Due to the delay, the estimated location E and

the reported location P’ cannot always be the same.

Figure 4.1: Network topology for minimum distance guarantee

6. RESULT

In this report, we discussed the security aspects of VANETs like attacks on security,

payment-based applications and attacks on privacy. Then we studied the various algorithms suggested

by different people to deal with these security threats. Later we discussed Secure Location

Verification (SLV) scheme which has the capability of detecting position spoofing attacks. It

is an infrastructure-less cooperative scheme which uses techniques like distance bounding,

plausibility checks, TDoA, selecting a common neighbour so as to restrict the position of the

prover onto an ellipse. Mathematical results show that with the help of a common neighbor,

this scheme can efficiently show if any vehicle is enlarging its distance thereby protecting the

network from any kind of damage that could have occurred.
