Security and privacy in vehicular communication
Security is important for V2X systems, as suppression, injection, or alteration of messages could have direct safety implications. In addition, new privacy challenges arise for two reasons: 1) Vehicles are often personal items that are used by a single person or a small group. 2) Where we go reveals a lot of personal information about ourselves.
Eckhoff and Sommer give a good introduction to the privacy challenges that might arise from the deployment of inter-vehicular communication systems.
Security and privacy requirements
V2X systems must be protected against different kinds of attacks [144, 154]: Manipulation of messages or injection of bogus warnings could lead to unwarranted warning messages or automated interventions, whereas suppression of messages could lead to missing warnings or interventions. The Sybil attack, the impersonation of several different participants by a single vehicle, could be used to gain an unfair advantage, e.g., by creating the illusion of a traffic jam.

At the same time, special care must be taken to ensure that security controls do not introduce new privacy problems: With certificate-based message authentication, participants can be uniquely identified and held accountable for abusive actions. But the certificates, being unique identifiers, also expose drivers to tracking attacks based on their messages, in particular the CAMs, which are broadcast at a frequency of 1 to 10 Hz. Availability of messages to all participants is crucial for safety functions; therefore, they are not encrypted and can be received by anybody within communication range, whether or not the receiver is a legitimate participant of the V2X network. Of course, tracking vehicles has always been possible, e.g., by physically following them or by planting a GPS bug. In fact, each car’s license plate is a publicly available unique identifier, which is widely accepted today. Yet, V2X messages dramatically increase the exposure to tracking, because their reception requires neither visual contact nor proximity: their transmission range is up to several hundred meters. Unlike other communication devices such as mobile phones, which can also be used for tracking attacks, drivers cannot simply switch off their car’s inter-vehicular communication system when they desire privacy, because it will be an important component of the vehicle’s safety system and might be required by law.
Schaub et al. describe security and privacy requirements for V2X systems:
- Message authentication is required to ensure the correctness of information received. It comprises sender authentication and message integrity, and should include restriction of credential usage to prevent Sybil attacks.
- Revocation is required to remove misbehaving participants from the system.
- Minimum disclosure of information should be applied. In particular, “the exposure of information to any authorities should be kept minimal”.
- Sender anonymity is the first step for protecting drivers’ privacy. Additionally, unlinkability of messages is required to prevent long-term tracking.
- Accountability (by the possibility to resolve the sender of any message) is given as a security requirement. While the suggestion of a distributed resolution authority offers some privacy protection, resolution obviously conflicts with the requirement of anonymity.
- Additional constraints must be considered when implementing security and privacy protection: Real-time constraints apply for safety-critical communication. Scalability is needed to cope with very large systems, both with regard to the number of participants and the geographical extent.
We will refer to these requirements throughout this dissertation. In particular, we will address the inherent conflict between privacy and control (by resolution of pseudonyms) in Chapter 4.
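The following simulation is an added illustration of the sender anonymity and unlinkability requirements above, written for this section; it is neither code from the dissertation nor from any V2X standard. It generates the CAMs of a single vehicle driving along a straight road at the 10 Hz upper end of the CAM rate quoted above, under three constructed pseudonym strategies (one static certificate; a certificate changed every 60 s; a change every 60 s followed by a 5 s silent period), and measures how long a passive receiver could follow the vehicle by the identifier alone and by physical continuity of the trajectory. The trip length, speed, change interval, silent period, and the 50 m/s plausibility bound are assumptions chosen for the example.

```python
"""Added example: how long can a passive receiver track one vehicle's CAMs
under different pseudonym strategies?  All trip data is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional

CAM_RATE_HZ = 10       # CAMs are broadcast at 1-10 Hz; the upper end is used here
MAX_SPEED_MPS = 50.0   # assumed bound on how far a vehicle can move between messages


@dataclass(frozen=True)
class Cam:
    t: float          # send time, seconds since trip start
    pseudonym: str    # certificate identifier carried by the message
    x: float          # position along a straight road, metres


def broadcast_trip(duration_s: float, speed_mps: float, pseudonyms: List[str],
                   change_interval_s: Optional[float] = None,
                   silent_period_s: float = 0.0) -> List[Cam]:
    """CAMs one vehicle sends during a trip at constant speed.

    change_interval_s: switch to the next pseudonym every that many seconds
                       (None = keep one static certificate for the whole trip).
    silent_period_s:   stop transmitting for this long after each change.
    """
    cams: List[Cam] = []
    for i in range(int(duration_s * CAM_RATE_HZ)):
        t = i / CAM_RATE_HZ
        if change_interval_s is None:
            idx = 0
        else:
            epoch = int(t // change_interval_s)          # number of changes so far
            since_change = t - epoch * change_interval_s
            if epoch > 0 and since_change < silent_period_s:
                continue                                 # vehicle keeps quiet
            idx = epoch % len(pseudonyms)
        cams.append(Cam(t, pseudonyms[idx], speed_mps * t))
    return cams


def longest_track_by_pseudonym(cams: List[Cam]) -> float:
    """Receiver that links messages only via the identifier they carry."""
    first: Dict[str, float] = {}
    last: Dict[str, float] = {}
    for c in cams:
        first.setdefault(c.pseudonym, c.t)
        last[c.pseudonym] = c.t
    return max((last[p] - first[p] for p in first), default=0.0)


def longest_track_by_continuity(cams: List[Cam]) -> float:
    """Receiver that ignores identifiers and chains messages that are physically
    consistent: a small time gap and a position change the vehicle could have
    covered in that gap.  Messages are assumed to be in send order (one vehicle)."""
    if not cams:
        return 0.0
    max_gap = 2.0 / CAM_RATE_HZ      # tolerate a single lost message
    best, start = 0.0, cams[0].t
    for prev, cur in zip(cams, cams[1:]):
        dt = cur.t - prev.t
        if dt > max_gap or abs(cur.x - prev.x) > MAX_SPEED_MPS * dt:
            best = max(best, prev.t - start)   # chain broken: close the track
            start = cur.t
    return max(best, cams[-1].t - start)


def evaluate() -> Dict[str, Dict[str, float]]:
    """Longest trackable period (seconds) per strategy and receiver model."""
    pseudonyms = [f"P{i:02d}" for i in range(10)]          # constructed pool
    scenarios = {
        "static": broadcast_trip(600, 20.0, pseudonyms[:1]),
        "rotate": broadcast_trip(600, 20.0, pseudonyms, change_interval_s=60),
        "rotate_silent": broadcast_trip(600, 20.0, pseudonyms,
                                        change_interval_s=60, silent_period_s=5),
    }
    return {name: {"by_pseudonym": longest_track_by_pseudonym(cams),
                   "by_continuity": longest_track_by_continuity(cams)}
            for name, cams in scenarios.items()}


if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:14s} {result}")
```

With a static certificate the whole 600 s trip is one linkable track. Changing pseudonyms every 60 s caps the identifier-based track at 60 s, but a receiver that links by trajectory continuity still follows the vehicle for the entire trip, which is why the requirements list unlinkability of messages separately from sender anonymity; only when the change is combined with a transmission gap does the continuity-based track also fall back to 60 s. Any real gap must of course be weighed against the real-time and safety constraints noted above.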