Presentation on theme: "Challenges in Securing Vehicular Networks"— Presentation transcript:
1Challenges in Securing Vehicular Networks Bryan Parno Adrian PerrigCarnegie Mellon University
2Emergence of Vehicular Networks In 1999, FCC allocated GHz band to promote safe and efficient highwaysIntended for vehicle-to-vehicle and vehicle-to-infrastructure communicationEmerging radio standard for Dedicated Short-Range Communications (DSRC)Based on an extension ofCar2Car Consortium expects prototypes in March 2006Must consider security, or these networks will create more problems than they solveNeed to consider security or these networks will create more problems than they solve
3Why Vehicular Networks? SafetyOn US highways (2004):42,800 Fatalities, 2.8 Million Injuries~$230.6 Billion cost to societyEfficiencyTraffic jams waste time and fuelIn 2003, US drivers lost a total of 3.5 billion hours and 5.7 billion gallons of fuel to traffic congestionProfitSafety features and high-tech devices have become product differentiatorsThose of you who drove here know that drivers need all the help they can getDepartment of Transportation’s National Highway Traffic Safety Administration (NHTSA) (http://www.nhtsa.dot.gov/portal/site/nhtsa/template.MAXIMIZE/menuitem.f2217bee37fb302f6d7c a0c/;jsessionid=DzE5L51M8ZhtD4PeDC5S2F0Nq3B7ntffwGYesxud1nf0kVfnXA0y! ?javax.portlet.tpst=1e51531b2220b0f8ea a0c_ws_MX&javax.portlet.prp_1e51531b2220b0f8ea a0c_viewID=detail_view&javax.portlet.begCacheTok=token&javax.portlet.endCacheTok=token&itemID=d3a VgnVCM c567798RCRD&viewType=standard&pressReleaseYearSelect=2005)
4Outline Introduction Applications Adversaries and Attacks Vehicular Network ChallengesProperties Supporting SecuritySecurity PrimitivesRelated Work & Conclusions
12Attacks Denial of Service (DoS) Message Suppression Attacks Overwhelm computational or network capacityDangerous if users rely on the serviceMessage Suppression AttacksDrop congestion alertsFabricationLie about congestion ahead or lie about identityAlteration AttacksReplay transmissions to simulate congestion
13Outline Introduction Applications Adversaries and Attacks Vehicular Network ChallengesAuthentication vs. PrivacyAvailabilityMobilityKey DistributionLow Tolerance for ErrorsBootstrapProperties Supporting SecuritySecurity PrimitivesRelated Work & Conclusions
14Challenges: Authentication vs. Privacy Each vehicle should only have one identityPrevents Sybil attacks (e.g., spoofed congestion)Allows use of external mechanisms (e.g. law enforcement)Drivers value their privacyLegal requirements vary from country to countryVehicles today are only partially anonymousLack of privacy may lead to lack of securityPeople already leery of speedpass. Court cases that have subpoenaed these records for divorce proceedings.Photographing license plates quite feasible
15Challenges: Availability Applications will require real-time responsesIncreases vulnerability to DoSUnreliable communication mediumStudies show only 50-60% of vehicles in range will receive a vehicle’s broadcast
16Challenges: MobilityMobility patterns will exhibit strong correlationsTransient neighborhoodMany neighbors will only be encountered once, everMakes reputation-based systems difficultBrief periods of connectivityVehicles may only be in range for secondsLimits interaction between sender and receiver
17Challenges: Key Distribution ManufacturersRequires cooperation and interoperabilityUsers must trust all manufacturersGovernmentDMV distributionHandled at the state level, so also requires cooperation and interoperabilityRunning a Certificate Authority is non-trivialIf a single manufacturer makes a mistake, then the entire system is open to attacks.Problems not insurmountable, but they need to be considered.
18Challenges: Low Tolerance for Errors Strong need for resiliencyWith 200 million cars in the US, if 5% use an application that works % of the time, still more likely to fail on some carLife-and-death applications must be resilient to occasional failuresFocus on prevention, rather than detection & recoverySafety-related applications may not have margin for driver reaction time
19Challenges: Bootstrap Initially, only a small number of vehicles will have DSRCLimited support deployment of infrastructureAd hoc network protocols allow manufacturers to incorporate security without deviating from their business model
20Outline Introduction Applications Adversaries and Attacks Vehicular Network ChallengesProperties Supporting SecuritySecurity PrimitivesRelated Work & Conclusions
21Some Vehicular Properties Support Security Regular InspectionsMost states require annual inspectionDownload updates, CRLs, new certificatesUse software attestation to verify vehicleHonest MajorityMost drivers prefer not to tinker with their carsMay void warranty or violate the lawMust protect against wormsLeverage existing work for PCsTrusted hardware (e.g., TPMs) may help eventuallyWorm work like TaintCheck by Newsome et al.
22Some Vehicular Properties Support Security Additional inputPresumed intelligent operator at each nodeCannot distract driver, but can still gather or infer dataE.g., ignored deceleration warning may indicate a false positiveExisting enforcement mechanismsFor many attacks, attacker must be in close physical proximityMay be sufficient to identify the attacker
23Outline Introduction Applications Adversaries and Attacks Vehicular Network ChallengesProperties Supporting SecuritySecurity PrimitivesRelated Work & Conclusions
25Security Primitives: Secure Message Origin Alternately, use entanglementEach vehicle broadcasts:Its IDOrdered list of vehicles it has passedEstablishes relative orderingAdd resiliency by evaluating consistency of reports
26Security Primitives: Anonymization Service Many applications only need to connect information to a vehicle, not to a specific identityAuthenticate to anonymization service with permanent IDAnonymization service issues temporary IDOptionally include escrow for legal enforcementIdeal environment: toll roadsControlled access pointsAll temporary IDs issued by the same authorityID
27Security Primitives: Anonymization Service To provide finer granularity, use reanonymizersAnonymization service issues short-lived certificatesReanonymizer will provide a fresh ID in response to a valid certificateIDID’
28Additional Security Primitives Secure AggregationSecurely count vehicles to report congestionKey EstablishmentTemporary session keys for platooning or automatic cruise controlMessage Authentication and FreshnessPrevent alteration and replay attacks
29Outline Introduction Applications Adversaries and Attacks Vehicular Network ChallengesProperties Supporting SecuritySecurity PrimitivesRelated Work & Conclusions
30Related WorkDriver Ad Hoc Networking Infrastructure (DAHNI) [Zarki et al., 2002]Potential attacks and secure localization [Hubaux et al., 2004]Key management and anonymous keys [Raya & Hubaux, 2005]Secure localization = Base stations can determine a vehicle’s position.
31ConclusionsWe have proposed several security primitives, but more are needed.Vehicular networks pose interesting, open security research questions.Vehicular networks will soon be deployed, and their success and safety will depend on the secure solutions we develop.Research on security in vehicular networks will have an impact in the real world.