Fraunhofer ESK
Munich, Germany
{sebastian.bittl, arturo.gonzalez, matthias.myrtus}@esk.fraunhofer.de
I. INTRODUCTION
Car2X communication systems, often called vehicular ad-hoc networks (VANETs), are about to enter the mass market in the upcoming years. Similar approaches are taken in Europe with ETSI Intelligent Transport Systems (ITS) [1] and in the USA with Wireless Access in Vehicular Environments (WAVE) [2]. The core issue addressed by VANETs is traffic safety. Thus, all of the so-called day one use cases are closely related to safety-critical advanced driver assistance systems (ADAS). As the wireless channel used is prone to attacks, security is a core concern for the design of VANET systems.
II. RELATED WORK
There are many different security-related use cases for the time source of an ITS-S. The security entity uses its value to generate the time stamp of signed messages and to check the validity period of received certificates of other ITS-S. One should note that the validity period of an ETSI ITS certificate is currently the only mandatory validity restriction for all kinds of certificates (root, authorization authority etc.) [4]. Other kinds of restrictions, e.g., to geographical regions, exist but are optional.
E. Attacker Model
The attacker is assumed to be able to spoof GPS signals in
a limited geographical area by using various techniques, like
the ones described in [7]. Inside this area, there is at least one
vehicle which is a legitimate VANET member. The VANET is
based on ETSI ITS. Thus, ITS-S have an OBU containing a
set of PSCs for sending signed beacons, CAMs and DENMs
as specified in relevant standards [14], [29], [30].
III.
In case an attacker targets only a single ITS-S, the neighborhood table of this ITS-S will be empty. Thus, the station will not send CAMs but only beacons. The attacker can easily change this by transmitting its own beacons to the targeted ITS-S. Current standards do not require beacons to be signed by the security entity. Therefore, the attacker does not need access to valid key material to generate the required beacons. Such beacon injection is not required in case the attacker can target at least two vehicles, which will mutually initiate the transmission of CAMs once they have recognized each other's beacons.
Each OBU has access to a multitude of different certificates to avoid tracking of vehicles. While there are differing strategies on how and when to switch from one PSC to another, probably all kinds of currently suggested strategies can be used by an attacker who has physical access to the vehicle to get indirect access to the different certificates in the set stored inside the OBU. For example, the used certificate is typically changed after a restart of the vehicle.
[7] mentions the quite high delay between reception of the original GPS signal and the sending of the manipulated signal introduced by the time shifting attack. However, this delay typically does not limit the usability of the attack.
An attacker who has somehow obtained valid ITS credentials can use GPS time spoofing attacks to be able to use this material forever. If he is able to (re-)set the system time of attacked ITS-Ss to one within the lifetime of the obtained credentials, the attacked ITS-S will accept these credentials. Thus, the attacker can send arbitrary content to higher level services of attacked ITS-S, as their security entities will regard the attacker's messages as being properly signed.
The latest point in time the attacker can use is the end of lifetime of the certificate that is valid for the longest time from the current time on. This time is denoted
by tf,max tf .
If tf is sufficiently far in the future (i.e., the attacker has enough time for carrying out the attack), the attacker can repeat the procedure described above again and again until he has obtained fake messages signed by all certificates contained in the OBU which are valid at tf. Thereby, a successful Sybil attack [41] can be performed, as the attacker can use multiple validly signed sets of messages in parallel.
In case a standard ntpd is used for time synchronization, the attacker can disable the time synchronization remotely by providing a large time offset compared to the current system time (being the real current time). This is possible as ntpd terminates itself in case the difference between the current system time and the reference time exceeds a specific threshold [23]. Without a reference time, the system time will be subject to drift and thus will either fall behind or advance in comparison to the real time. Thus, other ITS-S will probably disregard the information received from the attacked ITS-S due to failed plausibility checks. This also holds for the attacked ITS-S, as it regards the messages received from its surroundings either as outdated or as coming from the future. Thus, a successful DOS attack can be performed by an attacker.
V. COUNTERMEASURES
It could stop sending out any messages, as the security entity refuses to sign them due to the lack of valid PSCs. Moreover, the ITS-S will no longer receive any data on any layer above the security check of incoming messages, because all received PSCs will be regarded as invalid, i.e., as being used after their end of lifetime.
It could switch to an unsecured mode using unauthenticated messages. However, other ITS-S will probably ignore these messages, as they are not secured and are therefore not regarded as a reliable data source.
Additionally, if the time synchronization mechanism prevents backward time stamp jumps after a system start-up, the DOS attack will persist even after the vehicle has left the area subject to the manipulated GPS signal. Therefore, only a re-start of the OBU (which will probably require a
increasing the costs of the HSM, this would also mean that a re-parametrization of the HSM is required each time its power supply is disconnected. This would probably lead to significant overhead, e.g., during vehicle maintenance. Thus, extra in-vehicle time sources seem infeasible as a way to overcome the described time synchronization weakness.
2) Multiple Independent Time Sources: A typical countermeasure to GPS time spoofing is the usage of a secondary, independent time source, as suggested in [32]. Multiple realization approaches exist, including the usage of a local time source as well as continuous or non-continuous wireless input from an alternative reference time source.
a) Local Time Sources: A common feature of standard PC hardware is a hardware clock, which can be used to determine the current time without the assistance of external entities. However, providing a reliable embedded absolute time source in an OBU poses multiple challenges.
VI. EVALUATION
One should note that the PSC usage system suggested for the WAVE system in [2] already implements this kind of short-lived PSCs. Thereby, a validity usage time of about ten minutes is proposed. This clearly avoids the possibility of a Sybil attack from Section III-B, as the ITS-S does not need to store multiple certificates that are valid for the same time span. Thus, the attack is avoided by system design.
However, one also has to make sure that OBUs must not hold certificates for future usage except for a quite short time span from the current real time on. Therefore, authorization authorities need to have access to a secure time base (not GPS time) and must not issue certificates for validity times which lie more than a short, well-defined time span in the future.
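As an added example (not code from the paper), the following Python model combines the two countermeasures discussed above: the time base is only updated when GPS agrees with an independent secondary time source, and an authorization authority refuses to issue certificates whose validity window starts more than a short span in the future. All thresholds, names and the sample scenario are assumptions, not values taken from the standards.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed thresholds (illustrative, not values taken from the ETSI ITS standards).
MAX_SOURCE_DISAGREEMENT_S = 5    # GPS and the secondary source must agree this closely
MAX_FUTURE_VALIDITY_S = 15 * 60  # an AA may pre-issue certificates at most this far ahead

@dataclass(frozen=True)
class Certificate:
    holder: str
    not_before: int  # validity window, seconds since epoch
    not_after: int

def derive_time(gps_time: int, secondary_time: Optional[int]) -> Optional[int]:
    """Trusted system time, or None when the two sources disagree.
    With GPS as the only source the (possibly spoofed) value is taken as-is."""
    if secondary_time is None:
        return gps_time
    if abs(gps_time - secondary_time) > MAX_SOURCE_DISAGREEMENT_S:
        return None  # inconsistent sources: refuse to update the time base
    return secondary_time

def issue_certificate(holder: str, aa_now: int, not_before: int,
                      lifetime_s: int) -> Optional[Certificate]:
    """Authorization authority side: refuse windows starting too far ahead."""
    if not_before > aa_now + MAX_FUTURE_VALIDITY_S:
        return None
    return Certificate(holder, not_before, not_before + lifetime_s)

def certificate_is_valid(cert: Certificate, now: int) -> bool:
    """Receiver side: the validity period is the only mandatory restriction."""
    return cert.not_before <= now <= cert.not_after

def verify_signed_message(cert: Certificate, gps_time: int,
                          secondary_time: Optional[int]) -> bool:
    """Accept a message only if its certificate is valid at a trusted time."""
    now = derive_time(gps_time, secondary_time)
    return now is not None and certificate_is_valid(cert, now)

# Constructed scenario: real time T, a leaked PSC that expired an hour ago,
# and a GPS signal spoofed back into that certificate's lifetime.
T = 1_700_000_000
LEAKED_PSC = Certificate("attacker", T - 7200, T - 3600)
SPOOFED_GPS = T - 5000

if __name__ == "__main__":
    print("GPS only:", verify_signed_message(LEAKED_PSC, SPOOFED_GPS, None))    # True
    print("GPS + secondary:", verify_signed_message(LEAKED_PSC, SPOOFED_GPS, T))  # False
```

With GPS as the sole source the expired certificate is accepted at the spoofed time; the cross-check against the secondary source rejects the inconsistent time base and with it the message.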
first GPS signal (i.e., for the DUA this signal comes from the future). The variants from Sections 1a and 1b are tested. Moreover, CAMs with a correct time stamp are sent to the DUA and the reception of these messages is checked at the facility layer.
The test from 2 is run; however, after some time of receiving the new time stamp, the older GPS signal is again provided to the DUA. It is checked whether the DUA starts to send messages with correct time stamps again after it has started to receive the older GPS signal again. This resembles part of the DOS attack from Section IV and evaluates whether time stamp jumps in either direction are accepted by the DUA.
Please note that the described security issues are not caused by the particular implementation of the current standards used here. Instead, they show a design problem of the current security architecture of ETSI ITS and WAVE based VANETs.
VII.
The results of these tests are given in the next Section VI-B.
B. Test Results
An overview of the obtained test results is provided in Table VI-B.

test case | observed result                                   | security problem
1a        | CAMs generated                                    | reliability and non-repudiation
1b        | no CAMs generated                                 | DOS
1c        | CAMs generated with different pseudonyms          | Sybil
2         | CAMs generated with faster increasing time stamps | DOS, see above
TABLE I.

As one can see from Table VI-B, all attacks providing an incorrect time stamp to the DUA led to the discovery of significant security problems. However, the attacks were not able to force a real time stamp jump after the device had already obtained the first GPS fix, i.e., after the initial time stamp synchronization had been performed. Manipulation of this first time synchronization was always possible.
The studied countermeasures show that techniques such as pseudonym certificates with a short validity time can limit the impact of some kinds of attacks. However, a second independent and reliable/secured time source, like the one provided by mobile communication networks, is required to secure VANETs against all of the outlined attacks. Thus, hybrid communication setups using ad-hoc VANET technologies as well as infrastructure-based mobile communication networks (e.g., LTE) should be considered for securing future Car-to-X communication.
ACKNOWLEDGMENT
Presented results were obtained during the Möglichkeiten und Grenzen des Multi-GNSS RAIM für zukünftige Safety-of-Life Anwendungen (Multi RAIM II) project, funded by
the German Federal Ministry of Economics and Technology
(BMWi) and administered by the Project Management Agency
for Aeronautics Research of the German Space Agency (DLR)
in Bonn, Germany (grant no. 50NA1313).
REFERENCES