Department of Computer Science and Engineering

Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea +82 31 299 4957 +82 31 290 7996 pauljeong@skku.edu http://iotlab.skku.edu/people-jaehoon-jeong.php

Department of Computer Science and Engineering

Sungkyunkwan University 2066 Seobu-Ro, Jangan-Gu Suwon Gyeonggi-Do 16419 Republic of Korea +82 31 299 4106 +82 31 290 7996 chrisshen@skku.edu http://iotlab.skku.edu/people-chris-shen.php

Electronics and Telecommunications Research Institute

218 Gajeong-Ro, Yuseong-Gu Daejeon 34129 Republic of Korea +82 42 860 6514 pjs@etri.re.kr

Internet IPWAVE Working Group Internet-Draft This document describes possible attacks of security and privacy in IP Wireless Access in Vehicular Environments (IPWAVE). It also proposes countermeasures for those attacks.

Vehicular networking has become popular by the enhancement of Intelligent Transportation Systems (ITS) . The vehicular networking can work based on Dedicated Short-Range Communications (DSRC) . This DSRC is realized by the IEEE Wireless Access in Vehicular Environments (WAVE) . Especially, IEEE 802.11-OCB (Outside the Context of Basic Support Set) provides the Media Access Control (MAC) for vehicles in vehicular networks. IP-based vehicular networking can be supported with IPv6 over IEEE 802.11-OCB , which defines the IPv6 Neighbor Discovery (ND), Maximum Transmission Unit (MTU), and MAC layer adaptation. Vehicles can construct Vehicular Ad Hoc Networks (VANET) by themselves without any infrastructure node such as a Road-Side Unit (RSU). Cooperative Adaptive Cruise Control and Autonomous Driving (i.e., Self-Driving) services can take advantage of this vehicular networking for safe driving through the wireless communications among vehicles. When using IP-based vehicular networks in self-driving environments, the information exchange among self-driving vehicles are critical to the safety of vehicles since the information received from other vehicles may be used as inputs for vehicle maneuvers. Thus, identifying potential loopholes in the IP-based vehicular networks becomes crucial. This document describes possible attacks on security and vulnerabilities of privacy in IP Wireless Access in Vehicular Environments (IPWAVE). It also proposes countermeasures for those attacks and vulnerabilities.

This document uses the definitions defined in the IPWAVE problem statement document .

This section explains possible attacks of security and vulnerabilities of privacy in IP-based vehicular networks. Security and privacy are very important in V2I, V2V, and V2X communications in vehicular networks. Only identified and authorized vehicles should be allowed to be involved in vehicular networking. Furthermore, in-vehicle devices in a vehicle and mobile devices of a driver and passengers are required to communicate with other devices in VANET or the Internet in a secure and reliable way. In reality, there are many possible security attacks in vehicular networks. The exemplary security attacks are false information attack, impersonation attack, denial-of-service attack, message suspension attack, tampering attack, and tracking. By these attacks, the vehicles can be put into dangerous situations by false information and information loss. For those attacks, security countermeasures are required to protect vehicles. With these countermeasures, vehicles can exchange their driving data with neighboring vehicles and infrastructure nodes (e.g., edge computing device and cloud server) for safe driving as well as efficient navigation in road networks.

Malicious vehicles may intentionally disseminate false driving information (e.g., location, speed, and direction) to deceive other vehicles, which may put those vehicles in danger. Especially, a representative example is Sybil attack. This Sybil attack makes multiple false identities of non-existing vehicles (i.e., virtual bogus vehicles) in order to confuse other real vehicles in safe driving, and possibly make these real vehicles to make wrong maneuver decisions, leading to fatalities. A malicious vehicle can also create multiple virtual bogus vehicles, and generate global IPv6 addresses and register them with a Mobility Anchor (MA) via an RSU. This IP address autoconfiguration and registration procedure from many virtual vehicles can occupy the computation power and storage resources of a RSU and an MA and even paralyze the two entities. Thus, the RSU and MA need to determine whether a vehicle is genuine or bogus in the IP address autoconfiguration and mobility management.

Malicious vehicles can pretend to be other vehicles with forged IP addresses or MAC address as IP address spoofing and MAC address spoofing, respectively. This attack is called impersonation attack to masquerade a vehicle and user. To detect such an impersonation attack, an authentication scheme needs to check whether the MAC address and IPv6 address of a vehicle is associated with the vehicle's permanent identifier (e.g., a driver's certificate identifier) or not.

Malicious vehicles (or compromised vehicles) can generate bogus services requests to either a vehicle or a server in the vehicular cloud so that either the vehicle or the server is extremely busy with the requests, and cannot process valid request in a prompt way. This attack is called Denial-of-Service (DoS) attack. To detect and mitigate this DoS attack, the vehicles need to collaborate with each other to monitor a suspicious activity related to the DoS attack, that is, the generation of messages more than the expected threshold in a certain service.

Malicious vehicles can drop packets originated by other vehicles in multihop V2V or V2I communications, which is called a Message Suspension Attack. This packet dropping can hinder the data exchange for safe driving in cooperative driving environments. Also, in multihop V2V or V2I communications, this packet dropping can interfere with the reliable data forwarding among the communicating entities (e.g., vehicle, client, and server). For the reliable data transfer, a vehicle performing the message suspension attack needs to be detected by good vehicles and a good RSU, and it should be excluded in vehicular communications.

An authorized and legitimate vehicle may be compromised by a hacker so that it can run a malicious firmware or software (malware), which is called a tampering attack. This tampering attack may endanger the vehicle's computing system, steal the vehicle's information, and track the vehicle. Also, such a malware can generate bogus data traffic for DoS attack against other vehicles, and track other vehicles, and collect other vehicles' information. The forgery of firmware or software in a vehicle needs to be protected against hackers. The forgery prevention of firmware such as the bootloader of a vehicle's computing system can be performed by a secure booting scheme. The safe update of the firmware can be performed by a secure firmware update protocol. The abnormal behaviors by the forgery of firmware or software can be monitored by a remote attestation scheme.

The MAC address and IPv6 address of a vehicle's wireless interface can be used as an identifier. An hacker can track a moving vehicle by collecting and tracing the data traffic related to the MAC address or IPv6 address. To avoid the illegal tracking by a hacker, the MAC address and IPv6 address of a vehicle need to be periodically updated. However, the change of those addresses needs to minimize the impact of ongoing sessions on performance.

This section proposes countermeasures against the attacks of security and privacy in IP-based vehicular networks.

Good vehicles are ones having valid certificates (e.g., X.509 certificate), which can be validated by an authentication method through an authentication server . Along with an X.509 certificate, a Vehicle Identification Number (VIN) can be used as a vehicle's identifier to efficiently authenticate the vehicle and its driver through a road infrastructure node (e.g., RSU and MA), which is connected to an authentication server in vehicular cloud. X.509 certificates can be used as Transport Layer Security (TLS) certificates for the mutual authentication of a TCP connection between two vehicles or between a vehicle and a corresponding node (e.g., client and server) in the Internet. Good vehicles can also use a Decentralized Identifier (DID) with the help of a verifiable claim service. In this case, vehicles can their DID as a unique identifier, and then check the identity of any joining vehicle with its verifiable claim.

For secure V2I or V2V communications, a secure channel between two communicating entities (e.g., vehicle, RSU, client, and server) needs to be used to check the integrity of packets exchanged between them and support their confidentiality. For this secure channel, a pair of session keys between two entities (e.g., vehicle, RSU, MA, client, and server) needs to be set up. For the establishment of the session keys in V2V or V2I communications, an Internet Key Exchange Protocol version 2 (IKEv2) can be used . Also, for the session key generation, either an RSU or an MA can play a role of a Software-Defined Networking (SDN) Controller to make a pair of session keys and other session parameters (e.g., a hash algorithm and an encryption algorithm) between two communicating entities in vehicular networks .

A malicious vehicle can disseminate bogus messages to its neighboring vehicles as a Sybil attack. This Sybil attack announces wrong information of a vehicle's existence and mobility information to normal vehicles. This may cause accidents (e.g., vehicle collision and pedestrian damage). In the case of the occurrence of an accident, it is important to localize and identify the criminal vehicle with a non-repudiation method through the logged data during the navigation of vehicles. For non-repudiation, the messages generated by a vehicle can be logged by its neighboring vehicles. As an effective non-repudiation, a blockchain technology can be used. Each message can be treated as a transaction and the adjacent vehicles can play a role of peers in consensus methods such as Proof of Work (PoW) and Proof of Stake (PoS) .

To prevent a tampering attack by the forgery of firmware/software, a secure booting can be performed by Root of Trust (RoT) and a remote attestation can be performed through both the secure booting and RoT . The secure booting can make sure that the bootloader of the vehicle's computing system is a legitimate one with the digital signature of the boofloader by using the RoT of Trusted Platform Module (TPM) or Google Titan Chip . A firmware update service can be made in blockchain technologies . The validity of a brand-new firmware can be proven by a blockchain of the firmware, having the version history. Thus, This blockchain can manage a brand-new firmware or software and distribute it in a secure way. The remote attestation can monitor the behaviors of the vehicle's computing system such that the system is working correctly according to the policy and configuration of an administrator or user . For this remote attestation, a secure channel should be established between a verifier and a vehicle.

To avoid the tracking of a vehicle with its MAC address, a MAC address pseudonym can be used, which updates the MAC address periodically. This update triggers the update of the vehicle's IPv6 address because the IPv6 address of a network interface is generated with the interface's MAC address. The MAC address and IPv6 address can be updated by the guideline in and a method in , respectively. The update of the MAC address and the IPv6 address affects the on-going traffic flow because the source node or destination node of the packets of the flow are identified with the node's MAC address and IPv6 address. This update on a vehicle requires the update of the neighbor caches of the vehicle's neighboring vehicles for multihop V2V communications, as well as the neighbor caches of the vehicle's neighboring vehicles and the neighbor tables of an RSU, and an MA in multihop V2I communications. Without strong confidentiality, the update of the MAC address and IPv6 address can be observed by an adversary, so there is no privacy benefit in tracking prevention. The update needs to be notified to only the trustworthy vehicles, RSU, and MA. Also, for the continuity of an end-to-end (E2E) transport-layer (e.g., TCP, UDP, and SCTP) session, the new IP address for the transport-layer session can be notified to an appropriate end point through a mobility management scheme such as Mobile IP Protocols (e.g., Mobile IPv6 (MIPv6) and Proxy MIPv6 (PMIPv6) ). This mobility management overhead and impact of pseudonyms should be minimized on the performance of vehicular networking.

This document discussed security considerations for IPWAVE security and privacy in and .

This work was supported by Institute of Information & Communications Technology Planning & Evaluation (IITP) grant funded by the Ministry of Science and ICT (MSIT), Korea, (R-20160222-002755, Cloud based Security Intelligence Technology Development for the Customized Security Service Provisioning). This work was supported in part by the MSIT under the Information Technology Research Center (ITRC) support program (IITP-2020-2017-0-01633) supervised by the IITP.

ASTM International

The following changes are made from draft-jeong-ipwave-security-privacy-01: This version has a submission date update to maintain the active status of the draft. This version updates the version numbers of the referenced drafts. In , the paragraphs are updated to more clearly explain the false information attack. In , the 2nd paragraph is deleted for a better presentation. In , the "multi-hop" is changed to "multihop" for consistency. In , the "sybil attack" is changed to "Sybil attack" for consistency.