Downloaded form http://iranpaper.

ir

2015 IEEE Conference on Communications and Network Security (CNS)

Emerging Attacks on VANET Security based on

GPS Time Spoofing
Sebastian Bittl, Arturo A. Gonzalez, Matthias Myrtus

Hanno Beckmann, Stefan Sailer, Bernd Eissfeller

Fraunhofer ESK
Munich, Germany
{sebastian.bittl, arturo.gonzalez, matthias.myrtus}
@esk.fraunhofer.de

Institute of Space Technology and Space Applications

University FAF Munich, Germany
{hanno.beckmann, stefan.sailer, bernd.eissfeller}@unibw.de

Prior work on attacks on VANETs, based on global

positioning system (GPS) signal spoofing, have focused on
modifying the position recognized by the attacked ITS-Station
(ITS-S). Thereby, mostly on-board units (OBUs), as deployed
in mobile vehicles, have been considered. However, current
VANET implementations also use the time component of the
GPS signal to determine their own system time.

AbstractCar2X communication is about to enter the mass

market in upcoming years. So far all realization proposals
heavily depend on the global positioning system for providing
location information and time synchronization. However, studies
on security impact of this kind of data input have focused on
the possibility to spoof location information. In contrast, attacks
on time synchronization have not received much attention so
far. Thus, an analysis of the attack potential on vehicular adhoc network (VANET) realizations in regard to spoofed time
information is provided in this work. Thereby, we show that
this kind of attack allows for severe denial of service attacks.
Moreover, by such attacks one can violate the non-repudiation
feature of the security system by offering the possibility to
misuse authentication features. Additionally, a sybil attack can
be performed and reliability of the basic data sets of time
and position inside VANET messages is highly questionable
considering the outlined attacks. Mechanisms to avoid or limit
the impact of outlined security flaws are discussed. An evaluation
of the possibility to carry out the described attacks in practice
using a current Car2X hardware solution is provided.

I.

We show that by spoofing the GPS time signal, an attacker

can break the non-repudiation property specified in current
VANET standards. Furthermore, he can force targeted ITS-Ss
to accept outdated messages and PSCs. Moreover, the attacker
can perform a denial of service attack on parts of a VANET.
These attacks are not limited to OBUs, but affect all kind
of ITS-Ss (e.g., also road side units (RSUs)). Furthermore,
we show that vehicles used by multiple people and only
temporarily used by an attacker (e.g., within car sharing or
car lenders fleets) are particularly vulnerable to the attacks.
Different proposals to overcome or at least limit the impact
of the described attacks are discussed. Thereby, it is found that
short lived and just in time delivered pseudonym certificates
can significantly limit the impact of some of the discovered
attacks. However, a redundant secured time source is required
for ITS-Ss to avoid the attacks completely. An evaluation using
current standard ITS-S hardware shows its susceptibility to the
obtained attacks. Thus, we find that the outlined attacks can
be carried out in practice and have to be overcome to allow
the introduction of VANET based future ADAS.

I NTRODUCTION

Car2X communication systems, often called vehicular adhoc networks (VANETs), are about to enter the mass market
in upcoming years. Thereby, similar approaches are taken in
Europe with ETSI Intelligent Transport Systems (ITS) [1] and
in the USA with Wireless Access in Vehicular Environments
(WAVE) [2]. The core issue addressed by VANETs is traffic
safety. Thus, all of the so called day one use cases are closely
related to safety critical advanced driver assistance systems
(ADAS). As the used wireless channel is prone to attacks,
security is a core concern for the design of VANET systems.

The remainder of this work is outlined as follows. Firstly,

related work is reviewed in Section II. Section III describes
the attacks on non-repudiation and acceptance of outdated
messages and PSCs. Afterwards, the DOS attack is outlined
in Section IV. Countermeasures to the found weakness are
discussed in Section V. An evaluation of the possibility to
carry out the outlined attacks in practice is provided in Section
VI. Finally, a conclusion about achieved results is given in
Section VII alongside with possible topics of future work.

To achieve authenticity as well as privacy of vehicles and

integrity of exchanged messages a digital signature scheme
has been designed, which utilizes so called pseudonym certificates (PSCs). Thereby, each vehicle signs all of its broadcast
messages using asymmetric cryptography. To minimize signature length, the Elliptic Curve Digital Signature Algorithm
(ECDSA) is used to generate the signatures. The required public keys are contained in PSCs, which are changed frequently
to avoid tracking of vehicles [3], [4].

II.

In this section, an overview of related work is provided.

At first, a general introduction about GPS is given. This is
followed by a review of work in the area of security related
to GPS, usage of GPS in ITS-Ss and the assumed attacker
model. Finally, mechanisms for secure time synchronization
are looked at.

Furthermore, to achieve the intended increase in traffic

safety VANETs should be robust, i.e., it should be hard to put
the system out of operation on a larger scale [3]. Such kind of
attacks are typically known as denial of service (DOS) attacks.
Apart from well known jamming, also other possibilities for
DOS attacks exist in VANETs, an overview is provided in [5].

978-1-4673-7876-5/15/$31.00 2015 IEEE

R ELATED W ORK

344

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

this particular protocol layer should be equal to the acquisition

time of the last position update [15]. However, large scale field
operational tests of Car-to-X systems like Drive C2X have used
GPS as their primary time source [16], [17]. Additionally, up
to date standard prototyping hardware for Car-to-X use cases
like the Cohda Mk4a or Mk5 [18], [19] also follow this line.
Thus, similar approaches can be assumed to be considered for
systems entering the mass market.

A. Global Positioning System

The Global Positioning System (GPS) provides high precision timing information by broadcast of timing signals from
satellites to enable receivers to determine their position [6]
[8]. Thereby, the transmitters are very well synchronized to
the system time using atomic clocks. Moreover, transmitted
signals are chosen to have high auto correlation and low cross
correlation enabling the receivers to separate them well.

Standard solutions for GPS based time synchronization

can be found in most operating systems. For example, Unix
environments provide a combination of the tools gpsd [20],
for obtaining the GPS data, and ntpd [21] or chrony [22].
The latter systems adjust the local system time to the supplied
GPS reference time. A typical feature of such systems is to
ensure a monotonically increasing time step counter. To do so,
ntpd uses a scheme in which the method of synchronization
is dependent on the current difference between local time and
reference time. Thereby, it increases or decreases the length of
the interval between time stamp increments or even performs
hard resets of the current system time depending of dedicated
thresholds [23]. In contrast, chrony totally avoids resetting the
time stamp and thus, just relies in shortening and enlarging
the time between time stamp counter increments [22].

Usually four or more satellite signals are used to determine

the actual time and receivers position. In theory, the reception
of three GPS Signals would be enough, if the receiver would
be perfectly synchronized to the GPS time [6], [7].
For further details about GPS the reader is referred to [6].
B. Security and Spoofing of GPS
Attacks on integrity of GPS signals have been studied
extensively in prior work. Thereby, initial attacks on GPS
receivers concentrated on GPS jamming to simply ban receivers from acquiring time and location information [9]. A
much more powerful attack is given by GPS spoofing, which
is studied in detail in [7], [10]. This kind of attack allows
the attacker to manipulate the received GPS signal inside the
attacked area in an arbitrary way. Thus, receivers report time
and location information as controlled by the attacker.

There are many different security related use cases for the
time source of an ITS-S. The security entity uses its value
to generate the time stamp of signed messages and to check
the validity period of received certificates of other ITS-S. One
should note that, the validity period of an ETSI ITS certificate
is currently the only mandatory validity restriction of all kind
of certificates (root, authorization authority etc.) [4]. Other
kinds of restrictions, e.g., to geographical regions exist, but
are optional in usage.

An attacker can easily overpower the original GPS signal,

as it arrives at the earths surface with very low power (about
10-20 dB below the receivers noise floor). Thereby, GPS
receivers of attacked ITS-S will synchronize to the spoofed
time signal.
Studies on countermeasures to GPS spoofing concentrate
on detection of the attack. Thereby, usage of multi-antenna
systems [11] or antennas with well known micro movement
[12] have been suggested. However, both systems are currently
not used in the automotive domain. Instead, a fixed single
antenna is typically used in vehicles. Additionally, usage of
the proposed hardware supported detection systems would
significantly increase the costs of on VANET deployment as
every ITS-S has to be equipped with them.

Moreover, the currently used pseudonym certificate (e.g.,

for signing of outgoing messages) is selected from the set of
currently valid certificates [4]. Furthermore, proper functionality of higher level applications like geonetworking, facility
layer facilities (e.g., cooperative awareness basic service or
local dynamic map etc.) and probably also applications depend
on reasonably well time synchronization of ITS-S. Thus,
industry consortium CAR 2 CAR Communication Consortium
(C2C-CC) calls for time synchronization of individual ITS-S
local time to Universal Time Coordinated (UTC) with accuracy
of at most 20 ms in its basic system standards profile [24].

An attack on smart grid applications based on spoofed

GPS time is described in [8]. Countermeasures to avoid the
described security issues from [8] are given in [13]. Thereby,
the proposed mechanism combines classical GPS spoofing
detection on the physical layer, by using a multi antenna
system, with trustworthiness model on higher layers. This
model is based in the fact that a smart grid can be controlled
by a central entity, which is not the case for VANETs. Thus,
the proposed approach from [13] is not portable to VANETs.

There are also many proposals to use the system time as an

important parameter for performing pseudonym changes [25].
Thus, manipulation of a OBUs system time may also lead to
a lack of privacy, a topic not covered in detail in this work.
Moreover, protocols for ensuring Car-to-X application layer
security, like the ones described in [26], rely on accurate time
synchronization between cooperating vehicles.

To the best of the knowledge of the authors, attacks on

VANETs based on spoofed GPS time information have not
been considered in prior work. Thus, an introduction to the
typical usage of GPS time information in ITS-S as well as the
used attacker model is provided in the following two sections.

One should note that GPS spoofing with the intention to

fake location information will typically not affect RSUs, as
their position is fixed. Thus, it can be statically configured apriori to live operation of the ITS-S. However, an attack on
time synchronization affects RSUs as well, which makes them
a new target of GPS spoofing attacks. Due to typically absent
mobility of RSUs, a spoofing attack on them is technically less
challenging to carry out in practice in comparison to ITS-S
with higher mobility.

C. Usage of GPS Time in ITS-Ss

Specification of the time synchronization features of ETSI
ITS systems is still in an early stage [14]. Only the GeoNetworking standard especially states that the used time stamp on

345

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

Moreover, the attacker is able to isolate one or multiple

ITS-S from the rest of the VANET to perform attacks. For
example, he can use vehicles which are shared amount a group
of people, e.g., inside car sharing or car lender fleets. Thus,
different people are responsible for the vehicle and its actions
at different points in time. Thereby, the attacker can avoid an
unique mapping from one vehicle to one person (i.e., himself).

D. VANET Security Mechanisms

VANET security mechanisms are quite similar within the
ETSI ITS and WAVE frameworks [3], [4], [27]. Therefore, the
security properties and weaknesses described in the following
hold for both systems. Exceptions are noted explicitly.
Securing of VANET messages, like CAMs in ETSI ITS
or Basic Safety Messages (BSMs) in WAVE, is done by
embedding them into a security envelope. This happens at
the network layer. Apart from a set of dedicated header fields
containing meta data, like the senders current pseudonym ID,
also a digital signature is contained in the envelope [4].

F. Secure Time Synchronization

Secure time synchronization has not been considered an
issue in VANETs so far. Wireless time synchronization has
been studied for sensor networks, e.g., in [34], [35]. However,
mechanisms are hardly portable to VANETs due to high
mobility of ITS-S and massively varying traffic scenarios. For
example, there is no guarantee of an available communication
to ITS-Ss outside of the attacked area. Moreover, the attacker
can isolate stations and switch stations, which he controls, on
and off (see Section II-E). Such capabilities have not been
taken into regard so far.

The sender is either identified via his full pseudonym

certificate (PSC) or a part of its SHA-256 hash value (last
eight bytes). For sender authentication the receiver is required
to receive the senders full certificate at least once to obtain the
contained public key. To obtain the digital signature, the sender
uses the Elliptic Curve Digital Signature Algorithm (ECDSA)
with the private key corresponding to the public key contained
in the currently used PSC [4]. For details about ECDSA the
reader is referred to [28].

A number of dedicated time synchronization mechanisms

for wireless networks has been developed [6]. These include
usage of terrestrial time broadcast like from DCF77 in Germany or decentralized time synchronization in ad hoc networks, e.g., for bluetooth [6], [36]. However, most considered
time synchronization mechanisms due either not provide a
security mechanism (e.g., DCF77) or require an (almost) static
network making them unusable for quickly changing VANETs.
For WAVE a so called timing advertisement service has been
developed [37]. However, it cannot avoid the developed attacks
as described in Section V-A2b.

PSCs may contain a number of validity restrictions limiting

their usage, e.g., to a dedicated time span or location area.
Current standards require PSCs to at least limit their lifetime to
a time span defined by a start and end validity time stamp [4].
However, no general limits on this have been proposed within
ETSI ITS. Current plans within the Car2Car Communication
Consortiums (C2C-CC) Working Group Security are to have
lifetimes in the area of months to limit the costs for certificate
distribution and operation of certificate authorities. In contrary,
[2] suggests lifetimes in the area of somewhat more than ten
minutes for WAVE to increase privacy of driving. Additionally,
WAVE yields to introduce certificate revocation lists while this
feature has not been standardized within ETSI ITS.

For dedicated time synchronization infrastructures, such as

used for the Internet based network time protocol (NTP) with
servers providing reference time, secured time dissemination
has been studied. Thereby, NTP supports secure reference
time broadcast since version four of the protocol [38]. Digital
signatures are typically used to provide authenticity as well
as integrity of distributed time stamps. However, such mechanisms have not been deployed for the GPS L1 C/A signals.

E. Attacker Model
The attacker is assumed to be able to spoof GPS signals in
a limited geographical area by using various techniques, like
the ones described in [7]. Inside this area, there is at least one
vehicle which is a legitimate VANET member. The VANET is
based on ETSI ITS. Thus, ITS-S have an OBU containing a
set of PSCs for sending signed beacons, CAMs and DENMs
as specified in relevant standards [14], [29], [30].

III.

ATTACKS ON VANET S ECURITY F EATURES

Based on GPS spoofing, an attacker can perform mainly

three different kinds of attacks on security features of messages
in ETSI ITS networks. These are given by:

The primary aim of the attacker is to manipulate the time

used by the OBUs of vehicles under attack. As the typically
used civil GPS L1 C/A signal does not carry authentication
data, only basic RF equipment like, e.g., a common software
defined radio is required by the attacker [31], [32]. According
to [33] simple attacks can be detected, but advanced ones have
a high chance to go unnoticed by the attack GPS receiver. We
show that this kind of attack can lead to serious denial of
service capabilities of even a single attacker (see Section IV).

1)
2)

3)

Additionally, the attacker is assumed to not have access to

sensitive cryptographic key material stored in one (or many)
OBUs. This means we assume the hardware supported implementation of the ETSI ITS security entity bans the attacker
from such low level access into the system. However, we show
that even with such an assumed restriction of the attacker he
can still perform very serious attacks on vehicles in a VANET.

A replay attack by using recorded (outdated) GPS

signals together with corresponding ITS messages.
A sybil attack by used artificially generated GPS
signals containing future time stamps. These will
allow the attacker to obtain messages from targeted
vehicles being valid in the future.
Using a recorded or generated outdated GPS signal
to enable usage of outdated cryptographic material
without the receiver detecting that it is outdated.

The common property of all three attacks is that their usability

renders the content of VANET messages unreliable, causing
their usage in safety critical ADAS to be highly questionable.
These attacks are described in greater detail in the following.
Possibilities for performing DOS attacks based on GPS
spoofing are discussed in Section IV later on.

346

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

Even in case the attacker can not directly control a cars

start up, he can still use the described attack once on every
car within the range of his manipulated GPS signal to obtain
properly signed messages from the future. This clearly violate
the ITS system security requirement of non-repudiation. In
case a fresh start up of a targeted car is required, the attacker
can target places with high numbers of such procedures
happening, like car parks.

A. Replay Attack: Forced Acceptance of Outdated Messages

A very simple kind of GPS spoofing is to perform a record
and replay attack as outlined in, e.g., [39]. When sending the
recorded GPS data to the attacked vehicles, these will also
receive the contained outdated time information. In case the
systems time synchronization algorithms allow resetting of
the internal time stamp to the past, an attacker can make the
ITS-S accept outdated (e.g., recorded) ITS messages.

One should note that is especially tough to protect an ITS-S

against this kind of attack. Even in case the attacker cannot
force a time stamp jump to occur inside the ITS-S, all common
time synchronization mechanisms (e.g., [20], [21]) try to adjust
the current local time to the (manipulated) reference time.
Therefore, they will decrease the interval between time stamp
counter increments. This will lead to a local time being in
the future and thus, the targeted ITS-S will generate messages
from the future.

Thus, by recording the GPS signal and ITS messages (e.g.,

CAMs) in common and transmitting them later, an attacker can
fool the ITS-Ss input validation. Both, the security mechanisms checking for the time stamp within the security envelope
and also higher level entities (like the CAM facility using
the CAMs own time stamp) cannot identify the received data
as being outdated. Therefore, an attacker can manipulate the
information an ITS-S obtains about its surrounding, possibly
leading to inappropriate reactions of a vehicles ADAS.

In case an attacker targets only a single ITS-S, the neighborhood table of this ITS-S will be empty. Thus, the station
will not send CAMs but only beacons. The attacker can easily
change this, by transmitting own beacons to the targeted ITS-S.
Current standard do not require beacons to be signed by the
security entity. Therefore, the attacker does not need access
to valid key material to generate the required beacons. This
is clearly not required in case the attacker can target at least
two vehicles, which will mutually initiate the transmission of
CAMs once they recognized each others beacons.

B. Sybil Attack: Generating Messages From the Future

There are several possibilities for an attacker to obtain a
GPS signal containing a future time stamp as required for this
attack. One approach is to record received real GPS data and
adding a fixed time constant, e.g. one day, to the contained
time stamps before sending it to the attackers target(s). This
is similar to the approach described in [7]. Moreover, one can
just generate GPS messages with arbitrary time and position
information by ready to use commercial hardware, e.g., [40].

One should note that this kind of attack is especially

serious for vehicles with rapidly changing users, e.g., within
car sharing or car lenders fleets. The attacker can temporarily
use a car from the fleet and generate future messages with
its PSCs. Afterwards, he uses the generated messages (e.g.,
CAMs and DENMs) significantly after he has returned the
vehicle. Even in case the ITS-Ss misbehavior is detected, the
vehicle user at the time the attacker used for his attack will
be suspected of having caused the misbehavior. This is due to
the expected non-repudiation property of the security system,
which was actually broken by the attacker.

Each OBU has access to a multitude of different certificates to avoid tracking of vehicles. While there are differing
strategies on how and when to switch from one PSC to another
one, probably all kind of currently suggested strategies can be
used by an attacker, who has physical access to the vehicle, to
get indirect access to the different certificates in the set stored
inside the OBU. For example, the used certificate is typically
changed after a restart of the vehicle.
[7] mentions the quite high delay between reception of
the original GPS signal and the sending of the manipulated
signal introduced by the time shifting attack. However, this
delay does typically not limit the usability of the attack.

C. Usage of Outdated Certificates

A common practice to limit the consequences of an attacker
obtaining sensitive key material (e.g., certificates and their
private keys) is to limit its lifetime. For example, [4] specifies
this kind of limitation for ETSI ITS certificates. Moreover,
ETSI ITS has currently no mechanism to revoke certificates.

To generate signed messages for future times, the attacker

sends a spoofed GPS signal with target time tf to the OBU.
As he has physical access to the vehicle, he can start the attack
before starting up the car. Thereby, the GPS receiver receives
the manipulated signal from begin of its operation on. This
makes the attack more probable to succeed as the receivers
possibilities to detect the attack are greatly limited [7].

An attacker who has somehow obtained valid ITS credentials can use GPS time spoofing attacks to be able to use this
material forever. If he is able to (re-)set the system time of
attacked ITS-Ss to one within the lifetime of the obtained
credentials, the attacked ITS-S will accept these credentials.
Thus, the attacker can send arbitrary content to higher level
services of attacked ITS-S, as their security entities will regard
the attackers messages as being properly signed.

The point in time most far in the future the attacker can
use is the end of live time of the certificate being valid for
the longest time from current time on. This time is denoted
by tf,max tf .
If tf is sufficiently far in the future (i.e., the attacker has
enough time for carrying out the attack) the attacker can repeat
the procedure described above again and again until he has
obtained fakes messages signed by all certificates contained in
the OBU, which are valid at tf . Thereby, a successful sybil
attack [41] can be performed, as the attacker can use multiple
well signed sets of messages in parallel.

This attack is especially serious, because as outlined in

Section II-C validity time is the only mandatory validity
restriction of ITS certificates. Thus, the impact of this kind
of attack would not be limited to a certain region or point in
time. Instead, an attacker could perform the attack at arbitrary

347

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

positions and points in time in parallel in the whole VANET,

which could be worldwide.

restart of the whole vehicle) outside the area influenced by

the attacker is required to re-enable ITS services.

Moreover, higher level entities cannot easily filter out

this messages, as they seem to contain recent information.
Additionally, remaining data fields can be set up in a way
to make applications react on the provided information. Thus,
misbehavior of ADAS can be caused by this kind of attack.

The attack is also possible in case the attacker cannot

perform a big jump of the ITS-Ss local time. As outlined
above, he can move the local time into the future over time
(see also Section III-B). Current standards do not specify the to
be tolerated difference between the time stamp of a received
message and the local time at the receiver [4]. However, a
time span threshold in the area of at most some minutes can
be expected to be used from a semantic perspective. Once the
attacker has moved the local time further into the future than
the threshold permits, the ITS-Ss security system will reject
all received messages leading to a successful DOS attack.

The WAVE system supports to revoke certificates via

certificate revocation lists (CRLs). However, misbehavior of an
ITS-S has to be detected before active revocation will happen,
as normally there is no need to revoke outdated certificates.
Moreover, certificate revocation lists typically carry a validity
time, which may lead to the situation that an ITS-S rejects a
valid CRL while being under the influence of a GPS spoofing
attack. Thus, WAVE is also susceptible for this attack.
IV.

RSUs can be expected to be particularly susceptible to this

kind of attack due to their absent mobility. Thus, an attacker
can more easily target them over a significantly long time span
compared to ITS-Ss with higher mobility, e.g., inside vehicles.

D ENIAL OF S ERVICE ATTACK

In case of a standard ntpd being used for time synchronization, the attacker can disable the time synchronization from
remote by using a big time offset compared to the current
system time (being the real current time). This is possible
as ntpd terminates itself in case the difference between the
current system time and the reference time exceeds a specific
threshold [23]. Without a reference time, the system time
will be subject to drifting and thus will either fall behind or
advance in comparison to the real time. Thus, other ITS-S will
probably disregard the information received from the attacked
ITS-S, due to failed plausibility checks. This also holds for
the attacked ITS-S as it either regards the received messages
from its surrounding to be outdated or from the future. Thus,
a successful DOS attack can be performed by an attacker.

As mentioned above, successful attacks on the time base of

a GPS receiver are more likely when the attack already started
before the receiver started up. Knowing this an attacker can
try to perform a DOS attack on vehicles located at places
where there is regularly a high amount of such start-ups, e.g.,
in public parking areas. To do so, the attacker sets up an RSU
close to the intended target area sending out the spoofed GPS
signal. Thereby, the attacker chooses the time stamp to be
quite far in the future. A future time stamp is used, instead of
a past one, because typical time synchronization mechanisms
ensure that time is monotonically increasing (see also Section
II-C). Thus, standard time synchronization implementations
will accept the detected time jump into the future.
By GPS spoofing, the spoofed time can be selected to be
so far in the future that the ITS-S has no valid PSC to be used
at the detected time. Thus, the ITS-S has only two options left.
1)

2)

V.

C OUNTERMEASURES

Different kinds of countermeasures to the attacks outlined

in Sections III and IV can be thought of. In the following, it
is assumed that the attacked ITS-S cannot detect the attack.
Otherwise, it could clearly disable any time stamp synchronization to the GPS time signal as long as the attack persist.
However, even in this case operation of the ITS-S is limited
due to the lack of time synchronization. This may lead to
various problems on the different protocol layers, especially
in case the synchronization has to be turned off for a long
time span.

It could stop sending out any messages, as the security entity refuses to sign them due to the lack of
valid PSCs. Moreover, the ITS-S will not receive any
data any more on any layer above the security check
of incoming messages. The reason for this is that all
received PSCs will be regarded as invalid, as they are
regarded as being used after their end of lifetime.
It could switch to an unsecured mode using unauthenticated messages. However, other ITS-S will probably
ignore this messages as they are not secured and
therefore not regarded as a reliable data source.

The considered countermeasures can be categorized into

two different approaches, which are

Both options are clearly undesirable from an end users

perspective. Suspending ITS services will disable all safety
critical ADAS depending on this data source. However, using
an un-secured communication mode would allow the attacker
to carry out more dangerous attacks by inserting malicious
messages into the VANET. Thus, the only acceptable solution
is to disable sending of the ITS-S after the time stamp jump,
which makes the attacker achieve its aim of a successful DOS
attack.

preventing time step jumps to defend about both kind

of attacks,

limiting the live time of PSCs in combination with a

just in time delivery scheme to limit the impact of the
attack generating messages from the future.

Both approaches have the potential to limit or even prevent

the above described attack. However, one has to implement
the first strategy with great care to avoid other kinds of attacks
misusing the countermeasure as outlined in the next section.

Additionally, if the time synchronization mechanism prevents backward time stamp jumps after a systems start-up,
the DOS attack will persist even after the vehicle left the area
which is subject to the manipulated GPS signal. Therefore,
only a re-start of the OBU (which will probably require a

A. Prevention of Time Stamp Jumps

Two different concepts are considered for prevention of
time stamp jumps. The first one, stores former time stamp

348

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

increasing the costs of the HSM, this would also mean that a
re-parametrization of the HSM is required after each time its
power connection gets disconnected. This would probably lead
to significant overhead, e.g., during vehicle maintenance. Thus,
extra in-vehicle time sources seem infeasible to overcome the
described time synchronization weakness.

counter values allowing it to only change to higher values.

A more advanced scheme could use an extra time source for
detecting the GPS time spoofing attack described above.
1) One Directional Time Stamp Jumps: Many time synchronization systems, e.g., ntpd, follow the concept that jumps
can only occur in one direction, which is into the future.
Thereby, the system time can be ensured to be monotonically
increasing. Implementation of such a strategy is quite simple,
as one just has to store the highest value of the systems time
stamp counter. In ETSI ITS system the security functionality
is to be implemented in a temper proof way, e.g., inside a
smart card. Additionally, the security entity has access to the
system time for embedding the signature time stamp into the
security envelope [4]. Thus, the security entity could store the
highest used value of the time stamp inside its temper proof
memory.

b) Alternative Wireless Reference Time Sources: There

are some other sources for wireless time synchronization
than GPS. Other satellite based systems could be used, but
their security does not differ from the one of GPS. Another
alternative is official national time broadcast, like from DCF77
in Germany [36]. However, these systems typically do not
carry authentication information, too. Thus, an attacker could
spoof this signals as well. Hence, while usage of such extra
system inputs would increase the effort of an attack, it cannot
hold back an attacker with suitable resources. An attack on
DCF77 carried out with standard PC speakers is described in
[42], which puts the security gain from using this kind of extra
input in doubt. This holds especially for ITS-S which can be
well controlled by the attacker, e.g., standard vehicles.

However, such behavior would open the possibility of a

permanent DOS attack on vehicles in VANETs. One just has
to manipulate the time base of an OBU once (see Section IV),
setting its time tOBU very far into the future. Afterwards, the
OBU cannot send out any kind of messages, as its certificates
are all regarded invalid as they seem to have run out of live
time. Moreover, it will not be able to receive even valid
messages from other ITS-Ss as the time stamps of these
messages will be regarded as being from the far past. Thus the
security entity will disregard all of these messages. Moreover,
the certificates of other ITS-Ss will be regarded as invalid, as
they seem to be used after their live time had ended.

Moreover, different official time broadcast systems within

different areas use separate frequencies and data formats. Thus,
an ITS-S supporting wide range mobility, e.g., within all European countries, would have to support a multitude of secondary
time sources. This would increase costs of C2X deployment,
as one can either limit the usability of a particular ITS-S to
a certain a-priori defined area which leads to a multitude of
ITS-S hardware being specific to such areas. Otherwise, one
would have to integrate support for all broadcast systems in
every single ITS-S. Both cases are clearly sub-optimal and
would probably hinder future C2X deployment.

Therefore, this first simple way of securing time stamp

usage has to be regarded as not recommendable due to the
outlined permanent DOS attack possibility.

However, RSUs and OBUs with limited mobility (e.g.,

ITS-Ss mounted on road works trailers) could profit from
the redundant time synchronization mechanisms of GPS and
terrestrial time broadcast. Control of the attacker over these
kind of ITS-Ss can be typically limited, e.g., he cannot easily
switch such them on and of. Moreover, medium and large scale
spoofing of low frequency signals is technically challenging
and will hardly go unnoticed. While this clearly cannot hold
back an attacker with suitable resources, it will probably make
the attack harder to be carried out in practice.

2) Multiple Independent Time Sources: A typical countermeasure to GPS time spoofing is the usage of a secondary
independent time source as suggested in [32]. Thereby, multiple realization approaches exist. These include usage of a local
time source as well as using a continuous or non-continuous
wireless input from an alternative reference time source.
a) Local Time Sources: A common feature of standard
PC hardware is to provide a hardware clock, which can be used
to determine the current time without assistance of external
entities. However, providing a reliable embedded absolute time
source into an OBU poses multiple challenges.

Within WAVE a so called timing advertisement service

exists [37]. It can be used by ITS-Ss to synchronize themselves via management messages (i.e., timing advertisement
messages) to UTC. However, providing of time information
is optional for ITS-S. Thus, an ITS-S cannot rely on other
ITS-Ss to provide their time via such advertisement messages.
Therefore, this attack cannot hold back an attacker who is
able to control the wireless input to the attacked ITS-S.
Furthermore, a timing advertisement service has not been
considered within the ETSI ITS management entity in contrast
to its WAVE counterpart.

Automotive electronic control units (ECUs), like an OBU,

need to use a highly efficient power safe mode fast after an
engine shutdown, to avoid draining the vehicles main battery.
Moreover, power disruptions have to be tolerated, e.g., when
the main battery gets temporarily disconnected during vehicle
maintenance. Using an extra rechargeable battery inside the
OBU would significantly increase its price, as it has to be
able to run the time source for a period of at least some weeks
without recharging tolerating tough environmental conditions.

An alternative to GPS time exists in hybrid communication

scenarios, in which an OBU makes use of ITS-G5 as well as a
cellular communication system such as LTE-A. These systems
can provide a secured time source for their participating nodes.
One example for time synchronization via a cellular communication system is given by the Network Identity and Time Zone
(NITZ) message present in LTE-A and its predecessors [43].
However, distribution of this message is optional according to

Furthermore, local time sources are subject to drifting

issues. This is especially an issue for tough environmental
conditions, as they are to be found in the automotive domain.
Every possibility to reset the current state of the secondary
time source would allow the attacker to perform the attack
described in Section III. Thus, one would have to include the
time source into the high security module (HSM). Apart from

349

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

current standards. For more details about time synchronization

in cellular networks the reader is referred to [43][45].

C. Retrospective Attack Detection via Logging

The ETSI ITS security entity provides a mechanism to log
information about security related events. Currently, timing
and position information is not taken into regard for this
mechanism [4]. However, both information sets are clearly security related as outlined in sections above. Thus, the security
entity should monitor both inputs and try to detect abnormal
behavior.

c) Non-Continuous Updates from Secure Reference

Time Source: Even with sporadic secure time synchronization,
an ITS-Ss vulnerability to the attacks outlined in Section
III can be limited. To realize this approach, an alternative
reference time source to GPS (see Section V-A2b) is needed.
One has to securely store the last time value received from
the secure time source, e.g., inside the HSM and disable to
set the ITS-Ss time to any value before that stored value.
Especially, the impact of attacks using outdated information
(messages and/or cryptographic material) from Sections III-A
and III-C can be limited by this approach. To successfully carry
out the attack, the attacker has to use data sets which have
been created after the last secure time update of the attacked
ITS-S occurred. In case such updates happen with suitably low
periods, especially attacks on vehicles which are not physically
controlled by the attacker should be much harder to carry out.

Thereby, the security entitys logging mechanism could

be used to store information about jumps in the reference
time input as well as the internal clock exceeding a carefully
chosen threshold. In case misbehavior of an ITS-S is detected
by an external supervision authority, its system log can be
checked for multiply used time spans. This can clearly not
restore the non-repudiation property of the system, but it can
help to obtain a valid assumption on when the attack was
performed. However, the ambiguity regarding time stamps of
CAMs issued by an attacked ITS-S persist.
VI.

B. Short Lived Pseudonym Certificates

E VALUATION

In order to evaluate the practical usability of the attacks

outlined in Sections III and IV, real world measurements with
up to date ITS-S hardware have been performed. The test
systems setup and obtained results are given in the following.

As outlined above, misuse of ITS-S to generate messages

with future time stamps is possible due to the availability of
PSCs which are still valid during a significant time span into
the future. Limiting the live time of PSCs would be a first step
to resolve the issue.

A. Test System Setup

One should note that the PSC usage system suggested for
the WAVE system in [2] already implements this kind of short
lived PSCs. Thereby, a validity usage time in the area of about
ten minutes is proposed. This clearly avoids the possibility of
a sybil attack from Section III-B, as the ITS-S does not need
to store multiple certificate being valid for the same time span.
Thus, the attack is avoided by system design.

In order to test the feasibility of the attacks outlined in

Sections III and IV as well as the countermeasures from
Section V a special test setup is used. Thereby, an up to date
ITS-S hardware from company Cohda, the so called Cohda
Mk5 [18], is used as the device under attack (DUA). It has
wireless connection to a custom GPS replay unit based on the
USRP (Universal Software Radio Peripheral) platform [46].

However, one also has to make sure that OBUs may not
hold certificates for future usage except for a quite short time
span from the current real time on. Therefore, authorization
authorities need to have access to a secure time base (not GPS
time) and may not issue certificates for validity times which
are more than a short well defined time span in the future.

The following test cases are executed to resemble the

attacks outlined above:
1)

To determine this time span one probably has to make a

trade off between limiting the impact of the attack described
above and the reliability of delivering PSCs to using vehicles
before the ones store in OBUs reach the end of their live
time. The latter is required to ensure uninterrupted operation
of the used Car-to-X systems. Ideally, a new certificate is just
delivered before its predecessor runs out of live time and gets
used immediately. This would limit tf,max to the usage period
of one set of certificates, i.e., to their live time (assuming that
live time starts at the time of delivery to the OBU).
Thus, we propose to include the approach of short lived
PSCs known from WAVE into the ETSI ITS system. Additionally, an extension to the PSC distribution scheme to ensure
that the in advance storage period of certificates is as small as
possible should be included into WAVE as well as ETSI ITS.
While the mechanisms described in Section V-A try to
prevent the attacks from Sections III and IV by avoiding its
source (i.e., the time manipulation), the limitation of PSC
lifetime significantly limits the attacks impact potential.

2)

350

A GPS signal with a faked time stamp is provided to

the DUA from the begin of its operation on.
a) The DUA has pseudonym certificates being
valid at received time. It is checked whether
the DUA generates messages with the time
stamp being equal to the faked GPS time.
This resembles the attack from Section III-B.
b) The DUA has no pseudonym certificates being valid at the received time. It is checked
whether the DUA does not generate any
message. This resembles part of the DOS
attack from Section IV.
c) The same GPS signal is provided to the DUA
multiple times and resets of the DUA are
conducted before the GPS signal is provided
anew. It is checked whether the DUA generated multiple sets of CAMs signed with
different pseudonym certificates for the same
time span, which enables the attacker to perform a sybil attack (see also Section III-B).
A GPS signal is provided to the DUA at begin of operation and is replaced with a GPS signal containing
a time stamp significantly higher than the one in the

Downloaded form http://iranpaper.ir

2015 IEEE Conference on Communications and Network Security (CNS)

is left to chrony in cooperation with gpsd. Thus, this findings

clearly corroborate our experimental findings explained before.

first GPS signal (i.e., for the DUA this signal comes
from the future). The variants from Sections 1a and
1b are tested. Moreover, CAMs with a correct time
stamp are sent to the DUA and receiving of these
messages is checked at the facility layer.
The test from 2 is ran, however after some time of
receiving the new time stamp, again the older GPS
signal is provided to the DUA. It is checked whether
the DUA starts to send messages with correct time
stamps again, after it started to receive the older GPS
signal again. This resembles part of the DOS attack
from Section IV and evaluates whether time stamp
jumps in any direction are accepted by the DUA.

3)

Please note that the described security issues are not caused
by the used particular implementation of current standards.
Instead, they show a design problem of the current security
architecture of ETSI ITS and WAVE based VANETs.
VII.

Future Car2X systems require secure data exchange to

allow realization of safety critical driver assistance systems
being based on information distributed in such VANETs. Thus,
a reliable security system is required for these networks. In
this work, we showed that GPS spoofing is a major threat
to upcoming VANET technologies. Apart from faked location
information, also manipulated time information can lead to
serious security flaws in such networks.

The results of these tests are given in the next Section VI-B.
B. Test Results
An overview of the obtained test results are provided in
Table VI-B. As one can see from Table VI-B, all attacks
test case
1a
1b
1c
2

observed result
CAMs generated
no CAMs generated
CAMs generated with
different pseudonyms
CAMs generated with faster
increasing time stamps

security problem
reliability and non-repudiation
DOS
sybil

other CAMs accepted until time

diff. exceeds threshold
at first like for 2

DOS
see above

CAMs generated with slower

increasing time stamps

reliability and non-repudiation

until ITS-Ss time is correct

other CAMs accepted once time

diff. supersedes threshold

DOS until ITS-Ss time

is correct

TABLE I.

C ONCLUSIONS AND F UTURE W ORK

The currently standardized way of time (and position)

management leads to a significant vulnerability to denial-ofservice attacks of ETSI ITS and WAVE conforming VANETs.
Moreover, the pseudonym certificate handling from ETSI
ITS allows an attacker to break currently standardized basic
security requirements, as he can perform a sybil attack and
break message non-repudiation, apart from manipulating data
(position and time) contained in signed messages. Especially,
the non-repudiation feature of the ETSI ITS security system
has be regarded as being broken based on the obtained
findings.

reliability and non-repudiation

Moreover, reliability of basic data sets time and position

received via VANET messages has to be questioned in both
ETSI ITS and WAVE. Thus, while this attacks are applicable,
VANET messages cannot be regarded as reliable data sources
for safety critical driver assistance systems.

OVERVIEW ABOUT TEST CASE RESULTS .

providing an incorrect time stamp to the DUA lead to the discovery of significant security problems. However, the attacks
were not able to force a real time stamp jump after the device
had already obtained the first GPS fix, i.e., after the initial time
stamp synchronization had been performed. Manipulation of
this first time synchronization was always possible.

Studied countermeasures show that introduction of various techniques like usage of pseudonym certificates with
short validity time can limit the impact of some kind of
attacks. However, a second independent and reliable/secured
time source, like the one provided by mobile communication
networks, is required to secure VANETs against all of the outlined attacks. Thus, hybrid communication setups using ad-hoc
VANET technologies as well as infrastructure based mobile
communication networks (e.g., LTE) should be considered for
securing future Car-to-X communication.

After a GPS signal with a time stamp significantly far in the

future compared to the ITS-Ss current system time (difference
greater than ten minutes) was received by the ITS-S, the
internal system time increased significantly faster than during
normal operation. Clearly, a time synchronization mechanism
tries to overcome the difference between the internal system
time and the time provided by the (spoofed) reference signal.

Future work can study requirements for supporting time

sources, like required update frequency, in greater detail.

In order to analyze the reason for this behavior a custom

time logger was implemented and run on the device during
experiments. Thereby, it was obtained that the system always
starts up with its internal time being equal to the start of Unix
time. Afterwards, exactly one time stamp jump is performed,
which is to the time of the first provided GPS fix.

ACKNOWLEDGMENT
Presented results were obtained during the Moglichkeiten
und Grenzen des Multi-GNSS RAIM fur zukunftige Safetyof-Life Anwendungen (Multi RAIM II) project, funded by
the German Federal Ministry of Economics and Technology
(BMWi) and administered by the Project Management Agency
for Aeronautics Research of the German Space Agency (DLR)
in Bonn, Germany (grant no. 50NA1313).

Further system analysis shows that the system uses gpsd to

provide the GPS information from the on-board NEO M8 GPS
sensor. Furthermore, the ntpd alternative chrony is present on
the system. Additionally, initial time synchronization is done
with the help of a custom start-up script, which simply listens
to the gpsd output (via the gpspipe tool) and performs a hard
reset of the system time to the time of the first GPS fix. Afterwards, this script terminates and further time synchronization

R EFERENCES
[1]

351

Memorandum of Understanding for OEMs within the CAR 2 CAR

Communication Consortium on Deployment Strategy for cooperative
ITS in Europe, June 2011, v 4.0102.

Downloaded form http://iranpaper.ir

[2]

[3]
[4]
[5]

[6]
[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]
[15]

[16]

[17]

[18]
[19]

[20]
[21]

[22]
[23]

[24]

2015 IEEE Conference on Communications and Network Security (CNS)

[25]

J. Harding et. al., Vehicle-to-Vehicle Communications: Readiness of

V2V Technology for Application, Washington, DC: National Highway
Traffic Safety Administration, Tech. Rep. DOT HS 812 014, Aug. 2014.
T. Schutze, Automotive Security: Cryptography for Car2X Communication, in Embedded World Conference, Mar. 2011.
Intelligent Transport Systems (ITS); Security; Security header and
certificate formats, ETSI TS 103 097, Rev. V1.1.1, 2013.
H. Hasbullah, I. A. Soomro, and J. A. Manan, Denial of Service
(DOS) Attack and Its Possible Solutions in VANET, World Academy of
Science, Engineering and Technology, vol. 4, no. 348-352, May 2010.
A. Bensky, Wireless Positioning Technologies and Applications, ser.
GNSS Technology and Applications Series. Artech House, 2007.
N. Tippenhauer, C. Popper and K. Rasmussen et al., On the Requirements for Successful GPS Spoofing Attacks, in 18th ACM conference on Computer and communications security, 2011, pp. 75 86.
Z. Zhang, S. Gong, A. D. Dimitrovski, and H. Li, Time Synchronization Attack in Smart Grid: Impact and Analysis, IEEE Transactions
on Smart Grid, vol. 4, no. 1, pp. 8798, 2013.
B. Iyidir and Y. Ozkazanc, Jamming of GPS receivers, in Proceedings
of the IEEE 12th Signal Processing and Communications Applications
Conference, 2004, pp. 747750.
T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. OHanlon,
and P. M. Kintner, Assessing the Spoofing Threat: Development of
a Portable GPS Civilian Spoofer, in Proceedings of the 21st International Technical Meeting of the Satellite Division of The Institute of
Navigation, Sept. 2008, pp. 23172325.
P. Y. Montgomery, T. E. Humphreys, and B. M. Ledvina, ReceiverAutonomous Spoofing Detection: Experimental Results of a Multiantenna Receiver Defense Against a Portable Civil GPS Spoofer,
in Proceedings of the 2009 International Technical Meeting of The
Institute of Navigation, Jan. 2009, pp. 124 130.
M. L. Psiaki, S. P. Powell, and W. OHanlon, GNSS Spoofing
Detection - Correlating Carrier Phase with Rapid Antenna Motion,
GPS World, pp. 53 58, June 2013.
Z. Zhang, H. Trinkle, M. Li, and A. D. Dimitrovski, Combating
Time Synchronization Attack: A Cross Layer Defense Mechanism, in
Proceedings of the ACM/IEEE 4th International Conference on CyberPhysical Systems, 2013, pp. 141149.
Intelligent Transport Systems (ITS); Facilities layer function; Facility
Position and time management, ETSI TS 102 890-3, Rev. V0.0.2, 2013.
Intelligent Transport Systems (ITS); Vehicular Communications;
GeoNetworking; Part 4: Geographical Addressing and Forwarding for
Point-to-Point and Point-to-Multipoint Communications; Sub-part 1:
Media-Independent Functionality, ETSI TS 302 636-4-1, Rev. V0.5.1.
A. Hiller, C. Neumann, M. Matthe, A. Festag, H. Santos, W. Zhang,
C. Sorge, and M. Wiecker, Deliverable D21.4, Spezifikation der
Kommunikationsprotokolle, Sichere Intelligente Mobilitat Testfeld
Deutschland simTD, Tech. Rep., Sept. 2009.
A. Festag, L. Le, and M. Goleva, Field Operations Tests for Cooperative Systems: A Tussle Between Research, Standard and Deployment,
in 8th ACM International Workshop on Vehicular inter-networking,
Sept. 2011, pp. 73 78.
Cohda Wireless, online: http://cohdawireless.com/Products/Hardware.
aspx, 2015, accessed: 28.02.2015.
Cohda Wireless, MK4a V2X Evaluation Kit, online:
http://cohdawireless.com/Portals/0/PDFs/CohdaWirelessMK4a.pdf,
Jun. 2013, accessed: 28.02.2015.
gpsd a GPS service daemon, online: http://catb.org/gpsd/index.html,
2014, accessed: 19.11.2014.
ntpd - Network Time Protocol (NTP) Daemon, online: http://
www.eecis.udel.edu/mills/ntp/html/ntpd.html, Mar. 2014, accessed:
19.11.2014.
R. Curnow, User guide for the chrony suite, online: http://chrony.
tuxfamily.org/manual.html, Sep. 2014, retrieved: 03.2015.
The NTP FAQ and HOWTO: Understanding and using the Network Time Protocol, online: http://www.ntp.org/ntpfaq/NTP-s-algo.
htm, Mar. 2014, accessed: 10.03.2015.
C2C-CC Basic System Standards Profile, CAR 2 CAR Communication
Consortium Std. 000 042, Rev. 1.0.5, Jan. 2014.

[26]

[27]

[28]
[29]

[30]

[31]

[32]

[33]

[34]

[35]

[36]

[37]

[38]
[39]

[40]

[41]
[42]

[43]

[44]
[45]

[46]

352

D. Eckhoff, C. Sommer, T. Gansen, R. German, and F. Dressler, Strong

and Affordable Location Privacy in VANETs: Identity Diffusion Using
Time-Slots and Swapping, in IEEE Vehicular Networking Conference,
Dec. 2010, pp. 174181.
A. Studer, M. Luk, and A. Perrig, Efficient Mechanisms to Provide
Convoy Member and Vehicle Sequence Authentication in VANETs, in
Proceedings of the 3rd International conference on security and privacy
in communication networks (SecureComm), 2007, pp. 422432.
Draft Standard for Wireless Access in Vehicular Environments - Security Services for Applications and Management Messages, Intelligent
Transportation Systems Commitee of the IEEE Vehicular Technology
Society Std. P1609.2, Rev. D12, Jan. 2012, P1609.2, D12.
C. Paar and J. Pelzl, Understanding Cryptography, 2nd ed. Springer,
2010.
Intelligent Transport Systems (ITS); Vehicular Communications; Basic
Set of Applications; Part 2: Specification of Cooperative Awareness
Basic Service, ETSI ES 302 637-2, Rev. V1.3.0, Aug. 2013,
Intelligent Transport Systems (ITS); Vehicular Communications; Basic
Set of Applications; Part 3: Specifications of Decentralized Environmental Notification Basic Service, ETSI ES 302 637-3, Rev. V1.2.0,
Aug. 2013.
T. E. Humphreys, B. M. Ledvina, M. L. Psiaki, B. W. OHanlon, and
P. M. Kintner Jr, Assessing the Spoofing Threat, GPS World, vol. 20,
no. 1, pp. 2838, 2009.
M. J. Airst, GPS Network Timing Integrity, online: http://www.gps.
gov/governance/advisory/meetings/2012-08/airst.pdf, 2010, c3I Integration and Interoperability CAPSTONE program.
J. P. Hubaux, S. Capkun, and J. Lue, The Security and Privacy of
Smart Vehicles, IEEE SECURITY & PRIVACY, vol. 2, no. 3, pp. 49
55, Jun. 2004.
T. Mundt, Two Methods of Authenticated Positioning, in Proceedings
of the 2nd ACM International Workshop on Quality of service & security
for wireless and mobile Networks, 2006, pp. 2532.
S. Ganeriwal, C. Popper, S. Capkun, and M. B. Srivastava, Secure
Time Synchronization in Sensor Networks, ACM Transactions on
Information and System Security (TISSEC), vol. 11, no. 4, Jul. 2008.
Physikalisch-Technische Bundesanstalt (PTB), Dissemination of
legal time, online: http://www.ptb.de/cms/en/fachabteilungen/abt4/
fb-44/ag-442/dissemination-of-legal-time.html, Aug. 2011, accessed:
15.03.2015.
IEEE Standard for Wireless Access in Vehicular Environments (WAVE)
- Networking Services, Intelligent Transportation Systems Commitee of
the IEEE Vehicular Technology Society Std. P1609.3, Rev. 2010, Dec.
2010, P1609.3-2010.
D. L. Mills, Network Time Protocol Version 4 Reference and Implementation Guide, NTP Working Group, Tech. Rep. 06-6-1, June 2006.
J. Chen, S. Zhang, H. Wang, and X. Zhang, Practicing a Record-andReplay System on USRP, in Proceedings of the second workshop on
Software radio implementation forum SRIF, 2013, pp. 6164.
SatGen GPS Simulation Software, online: http://www.labsat.co.
uk/index.php/en/products/satgen-simulator-software, 2014, accessed:
28.02.2014.
J. Douceur, The Sybil Attack, in First International Workshop on Peer
to Peer (P2P) System WISTP, ser. LNCS 5019, 2008, pp. 106116.
S. Born, How to manipulate a radio controlled clock via speaker,
online: http://bastianborn.de/radio-clock-hack, May 2014, retrieved:
04.2015.
Digital cellular telecommunications system (Phase 2+); Universal
Mobile Telecommunications System (UMTS); LTE; Network Identity
and TimeZone (NITZ); Service description; Stage 1 (3GPP TS 22.042
version 12.0.0 Release 12), ETSI TS 122 042, Rev. V12.0.0, Oct. 2014.
S. Sesia, I. Toufik, and M. Baker, Eds., LTE - The UMTS Long Term
Evolution: From Theory to Practice. John Wiley & Sons, 2009.
Y. Wang, S. Frattasi, T. Sorensen, and P. Mogensen, Network TimeSynchronization in TDD Based LTE-Advanced Systems, in IEEE 69th
Vehicular Technology Conference, Apr. 2009, pp. 1 5.
F. A. Hamza, The USRP under 1.5X Magnifying Lens! GNU Radio
project, Tech. Rep., Jun 2008, rev. 1.0.