PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/04/$20.00 © 2004 IEEE ■ IEEE SECURITY & PRIVACY 49
Making Wireless Work
Figure 1. A smart vehicle’s onboard instrumentation (labelled components: event data recorder (EDR), positioning system, forward radar, rear radar, communication facility, display, and computing platform). The computing platform supervises protocol execution, including those related to security. The communication facility supports wireless data exchange with other vehicles or fixed stations.

important features, particularly in the area of crash prevention (for example, by informing vehicles about traffic congestion).3 A set of communicating vehicles is an example of a mobile ad hoc network. The research community has devoted much attention to the security and privacy of such networks in the past few years,4–6 but none of these contributions considers any such network for smart vehicles, which is what we’ll study here.

In this article, we call a vehicle smart if it is equipped with recording, processing, positioning, and location capabilities and if it can run wireless security protocols (see Figure 1). Roads can be made smart, too. Fixed communication devices installed along a road can inform passing vehicles about the road’s precise topology (see the PATH project, www.path.berkeley.edu). However, this approach’s drawback is that it requires an enormous financial investment, which, at first, would benefit a small minority of drivers.

The observation of what happens on roads is called traffic monitoring,7 which has a primary purpose of detecting anomalous situations, such as those generated by an accident or difficult driving conditions. It also optimizes traffic flow, most notably by synchronizing traffic lights with each other and with observed traffic, and civil engineers often use it to help plan construction of new roads. Traffic monitoring is based on different traffic measurement techniques; one of the most conventional (and popular) consists of inductive loop detectors buried in asphalt. Less “intrusive” techniques include video image processors, microwave radar, infrared laser radar, and acoustic/ultrasonic devices.

With more smart cars and roads, we can expect many changes. First, the number and severity of accidents should decrease: by integrating information about position and mutual distance with other vehicles, a given vehicle will be able to permanently assess the level of danger and trigger a warning to the driver, if necessary. In the more distant future, it could even override the driver—activating the brakes or taking control of the steering wheel, for example. Moreover, if an accident occurs, rescue teams will have immediate access to relevant information; a posteriori data will also help determine driver liability. With smart cars and roads, traffic monitoring itself will improve because it relies on much more accurate data. Ideally, traffic monitoring will eventually provide personalized advice to each driver via a personal navigation system. Ultimately, smart cars’ benefits will range from simplifying the payment process for the driver (tolls, parking, and fuel), to helping the driver find an available parking place, to assisting authorities in fighting crime and terrorism. (Because terrorist activities often involve car bombs, automatic identification can help stop suspicious vehicles before they can access sensitive areas.)

However, a major hurdle in moving forward is that, for a lengthy time period, only a small subset of vehicles will be smart, yet the safety mechanisms we’ve described, especially those involving wireless authentication, require most—if not all—vehicles to be smart. As a result, bootstrapping the authentication mechanism’s deployment is a formidable business challenge. An additional obstacle is the negative perception that the population might have about such mechanisms—especially the feeling of being permanently monitored by some arbitrary authority. Devising an appropriate production and marketing strategy is beyond this article’s scope, but we believe the solution is to deploy new features gradually, beginning with those that are operational even if only a small subset of vehicles can handle them—examples include access control to specific areas, wireless toll collection, personalized information about traffic congestion, and theft prevention. Another possibility for gradually deploying such systems without generating much resistance is to equip professional vehicles first—commercial trucks, buses, taxis, ambulances, and police cars, for example (in fact, many trucks already have EDRs).

Security and privacy

Surprisingly, most people overlook the security and privacy questions that vehicular technology’s evolution raises. Currently, every vehicle is registered with its national or regional authority, which allocates a unique identifier to it, but in parts of the US and the EU, registration authorities have made substantial progress toward electronically identifying vehicles, and similar progress is being made toward machine-readable driving licenses. To allow the wireless authentication of vehicles, these authorities must provide each vehicle with a private/public key pair, along with a shared symmetric key, and a digital certificate of its identity and public key. Such authorities will most likely be cross-certified, making it possible for any vehicle to check any other vehicle’s certificates.

To guard against misuse, the overall organization for such a system’s security architecture must be very carefully designed, especially if it’s deployed worldwide and
Figure 3. A parked vehicle recording a fleeing one (two timed panels: the vehicle rolls over a pedestrian; a parked vehicle records the fleeing culprit vehicle that passes by). The recorded data can help the police identify the culprit.

try to protect the EDR physically, or trigger an alarm or alert law enforcement.

A second threat is the impersonation attack: a vehicle owner deliberately stealing another vehicle’s identity and attributing it to his or her own car, or vice versa. We can prevent this type of attack by storing the vehicle’s identity in tamper-resistant hardware, having it properly certified, and using modern authentication protocols. Electronic license plates are much more resistant to this sort of attack than physical ones.

A more dangerous attack is denial of service: an attacker systematically or selectively jamming the signals that vehicles exchange. There is no purely technical solution to such attacks, which is one of the reasons why we won’t see a car overriding its driver in the near future.

To make the use of radio-transmitted information to track a given car’s location (and therefore its driver) socially acceptable, it should protect driver privacy, at least as long as no collisions occur. For this reason, the broadcasted certified identity must be a pseudonym that changes over time; only the regional or national authorities should be able to determine the relationship between a pseudonym and its real identity. (Because the car’s public key is broadcasted as well, it must also change periodically.) In this way, any personal information the electronic license plate transmits would be negligible when compared to that provided by its physical counterpart. The scheme’s quality can be expressed by the degree of anonymity we defined earlier.

Location verification

Any car’s location can be determined by using GPS or with the help of on-road infrastructure; IVC can also help. Existing positioning and distance estimation tech-

Tamper-proof GPS

Each vehicle should have a tamper-proof GPS receiver that registers its location at all times and provides this data to fixed stations or other vehicles in an authentic manner. Fortunately, this doesn’t require any additional infrastructure and can be implemented independently in each vehicle. However, one drawback is its availability in urban environments: buildings, bridges, or tunnels often block GPS signals. Another disadvantage is that this option relies on tamper-resistant hardware, which has well-known weaknesses.9

The most serious problem with this approach is that GPS-based systems are vulnerable to several different kinds of attack, including blocking, jamming, spoofing, and physical attacks. Moreover, relatively unsophisticated adversaries can successfully execute them. The most dangerous attack involves fooling the GPS receiver with a GPS satellite simulator, which produces fake satellite radio signals that are stronger than legitimate ones. Such simulators are routinely used to test new GPS products and cost US$10,000 to $50,000. Some simple software changes to most GPS receivers would let them detect relatively unsophisticated spoofing attacks,10 but more sophisticated ones would still be hard to detect.

Verifiable multilateration

A second solution for verifying vehicle location is based on roadside infrastructure and uses distance bounding and multilateration. (Distance bounding guarantees that the distance is no greater than a certain value; multilateration is the same operation in several dimensions.) This approach removes the need for tamper-proof hardware, but requires the installation of a set of base stations controlled by a central authority. The infrastructure covers an area of interest, such as specific roads or city blocks, and can verify vehicle locations in two or three dimensions.

Verifiable multilateration works as follows: Four verifying base stations with known locations perform distance bounding to the vehicle, the results of which give them four upper bounds on distance from the vehicle. If the verifiers can uniquely compute the vehicle’s location using these distance bounds, and if this location falls into the triangular pyramid formed between the verifiers, then they conclude that the vehicle’s location is correct. Equivalently, only three verifiers are needed to verify the vehicle’s location in two dimensions; the verifiers still consider the car’s location correct if it can be uniquely computed and if it falls in the triangle formed between them.

Verifiable multilateration relies on distance bounding; a claimant can always pretend to be further from the verifier than it really is, but it can’t prove itself to be closer. Stefan
Brands and David Chaum first introduced the notion of distance-bounding protocols;11 they proposed a technique that lets a party (the verifier) determine an upper bound on its physical distance to another party (the claimant). The main idea is simple but powerful: it’s based on the fact that light travels at a finite speed, and with current technology, it’s possible to measure (local) time with nanosecond precision. Their protocol was recently extended to support provable encounters in mobile wireless networks.12

Figure 4 shows an example of how the distance-bounding protocol unfolds. The protocol is performed between a verifier v (a fixed base station) and a vehicle C (which stands for claimant). After a mutual authentication phase (not shown in the figure), the vehicle commits to two random values NC and NC′ by hashing them with a collision-resistant one-way hash function h and sending the result to v. The verifier then generates a challenge nonce Nv and sends it to C. On receiving the challenge, C is expected to respond immediately with Nv ⊕ NC. The verifier measures the challenge-response time of flight tvC and estimates the distance to C, but because C can’t send the correct response before receiving the challenge, it either delays the response or sends it immediately after receiving the challenge. In the last stage of the protocol, C signs the second part of the commitment NC′. The verifier then uses the signature of the second part of the commitment to authenticate C and verify if the commitment corresponds to C’s response.

When it estimates the distance to C, the verifier also takes into account C’s processing delay. Here, this time is relatively short, given that C needs to perform only an XOR operation and does not need to perform any cryptographic operation until the end of the protocol.

Figure 4. The distance-bounding protocol. The verifier (v) upper-bounds its distance to an untrusted vehicle C.
    C: generate random nonces NC, NC′
    C: generate commitment commit = h(NC, NC′)
    C → v: C, commit
    v: generate random nonce Nv
    v → C: v, Nv
    C → v: Nv ⊕ NC
    v: measure the time tvC between sending Nv and receiving Nv ⊕ NC
    C → v: C, NC′, sigKC(C, NC′)
    v: verify if the signature is correct and if commit = h(NC, NC′)
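The Figure 4 exchange, written out as an added example in Python (this is not code from the article or its authors). Both parties run in one process over a constructed channel whose round-trip time is derived from an assumed true distance; sig_KC is replaced by an HMAC under a pre-shared key, and the identifiers, distances and delays are constructed values. It shows the honest bound, the larger bound an honest but slow claimant gets (a claimant can only look farther away), and why a claimant that answers before the challenge arrives fails the commitment check.

```python
import hashlib
import hmac
import secrets

C_LIGHT = 299_792_458.0   # speed of light (m/s): the physical limit the protocol relies on
NONCE_LEN = 16            # 128-bit nonces NC, NC' and Nv

def h(*parts: bytes) -> bytes:
    """Collision-resistant one-way hash h used for commit = h(NC, NC')."""
    return hashlib.sha256(b"".join(parts)).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class Claimant:
    """Vehicle C. `key` stands in for its certified signing key K_C; an HMAC tag replaces
    sig_KC (an assumption made so the example needs only the standard library)."""
    def __init__(self, ident: bytes, key: bytes):
        self.ident, self.key = ident, key

    def commit(self):
        self.nc, self.nc2 = secrets.token_bytes(NONCE_LEN), secrets.token_bytes(NONCE_LEN)
        return self.ident, h(self.nc, self.nc2)            # C -> v: C, commit

    def respond(self, nv: bytes) -> bytes:
        return xor(nv, self.nc)                             # C -> v: Nv xor NC (the timed step)

    def finish(self):
        tag = hmac.new(self.key, self.ident + self.nc2, "sha256").digest()
        return self.ident, self.nc2, tag                    # C -> v: C, NC', sig_KC(C, NC')

class EarlyGuesser(Claimant):
    """Cheating C that answers before Nv arrives, to look closer: it has to guess Nv xor NC."""
    def respond(self, nv: bytes) -> bytes:
        return secrets.token_bytes(NONCE_LEN)

def verifier_round(claimant, key, true_distance_m, extra_delay_s=0.0, proc_delay_s=1e-9):
    """Verifier v runs the Figure 4 exchange over a constructed channel and returns its upper
    bound on the distance to C (metres), or None if it rejects the run. Channel model: round
    trip = 2*d/c + C's processing delay + any delay C adds; an EarlyGuesser's reply is already
    in flight when Nv is sent, so v sees only the processing delay."""
    ident, commit = claimant.commit()
    nv = secrets.token_bytes(NONCE_LEN)                     # v -> C: v, Nv
    response = claimant.respond(nv)
    if isinstance(claimant, EarlyGuesser):
        t_vc = proc_delay_s
    else:
        t_vc = 2 * true_distance_m / C_LIGHT + proc_delay_s + extra_delay_s
    ident2, nc2, tag = claimant.finish()
    expected = hmac.new(key, ident + nc2, "sha256").digest()
    if ident2 != ident or not hmac.compare_digest(tag, expected):
        return None                                         # authentication of C failed
    if h(xor(response, nv), nc2) != commit:
        return None                                         # timed response not bound to commit
    # A radio signal covers at most c*(t_vC - processing)/2 one way, so C is no farther than that.
    return C_LIGHT * max(t_vc - proc_delay_s, 0.0) / 2

def demo():
    """Honest run at 100 m; honest run that stalls 1 us (looks farther); early-guessing cheater."""
    key = secrets.token_bytes(32)
    honest = Claimant(b"pseudonym-0001", key)               # constructed pseudonymous identity
    return (verifier_round(honest, key, 100.0),
            verifier_round(honest, key, 100.0, extra_delay_s=1e-6),
            verifier_round(EarlyGuesser(b"pseudonym-0002", key), key, 100.0))
```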
Figure 5 shows an example of verifiable multilateration. The intuition behind the technique is that a vehicle might try to cheat about its location. As we mentioned earlier, the vehicle can only pretend that it is further from the verifier than it really is because of the distance-bounding property. However, if it increases the measured distance to one of the verifiers, it would need to prove that at least one of these distances is shorter than it actually is, to keep its claimed location consistent with the increased distance. This property holds only if the claimed location is within the triangular pyramid formed by the verifiers: if an object is located within the pyramid and it moves to a different location within the pyramid, it will certainly reduce its distance to at least one of the pyramid vertices. The same holds in two dimensions.

In a real deployment, the number of base stations would of course be much larger than what we see in Figure 5; as a result, a vehicle would always be within the geometric shape that three or four stations form.

Verifiable multilateration also detects distance enlargement attacks from outside attackers: If an attacker tries to jam the signal that the vehicle sends to the verifiers and delay its response, the verifiers detect this attack in the same way as if the vehicle itself performed the distance enlargement. The distance measurements’ precision is very important. Today’s technology based on time of flight and ultra wideband can achieve a precision of 15 cm for distances up to 2 km.13

Figure 5. Two examples of verifiable multilateration (base stations v1 to v5 and a communication tower). Base stations v1, v2, v3, and v4 can verify a vehicle’s location in three dimensions if the vehicle is located in the triangular pyramid that v1, v2, v3, and v4 forms. Base stations v1, v3, and v5 can verify a vehicle’s location in two dimensions if the vehicle is located in the triangle formed by v1, v3, and v5.
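Verifiable multilateration in two dimensions (the v1, v3, v5 case of Figure 5), as an added Python example that is not part of the article. The base-station coordinates, vehicle positions and the 15 cm tolerance are constructed inputs; the verifier solves the three distance bounds for one point, requires all three to agree with it within ranging precision, and accepts only inside the triangle. It also shows why a vehicle inside the triangle cannot claim another position by enlarging distances alone, and that a consistent location outside the triangle is not accepted.

```python
import math

PRECISION_M = 0.15   # ranging precision the article quotes for UWB time of flight (15 cm)
# Constructed base-station layout for the two-dimensional case of Figure 5 (metres).
VERIFIERS = ((0.0, 0.0), (1000.0, 0.0), (500.0, 900.0))

def trilaterate(verifiers, bounds):
    """Return the one point at the given distances from three non-collinear verifiers.
    Subtracting the first circle equation from the other two leaves a 2x2 linear system."""
    (x1, y1), (x2, y2), (x3, y3) = verifiers
    d1, d2, d3 = bounds
    a11, a12, a21, a22 = 2 * (x2 - x1), 2 * (y2 - y1), 2 * (x3 - x1), 2 * (y3 - y1)
    b1 = d1**2 - d2**2 + x2**2 - x1**2 + y2**2 - y1**2
    b2 = d1**2 - d3**2 + x3**2 - x1**2 + y3**2 - y1**2
    det = a11 * a22 - a12 * a21
    if abs(det) < 1e-9:
        return None                      # collinear verifiers: no unique solution
    return ((b1 * a22 - a12 * b2) / det, (a11 * b2 - a21 * b1) / det)

def inside_triangle(p, tri):
    """Sign test: p lies inside (or on the edge of) the triangle formed by the verifiers."""
    def side(a, b, c):
        return (b[0] - a[0]) * (c[1] - a[1]) - (b[1] - a[1]) * (c[0] - a[0])
    s = [side(tri[i], tri[(i + 1) % 3], p) for i in range(3)]
    return all(v >= -1e-9 for v in s) or all(v <= 1e-9 for v in s)

def verify_location(verifiers, bounds, tol=PRECISION_M):
    """Verifiable multilateration in two dimensions: accept the location only if the three
    distance bounds agree on one point (within ranging precision) and that point lies in the
    verifiers' triangle, where no enlargement-only attack can stay consistent."""
    p = trilaterate(verifiers, bounds)
    if p is None or any(abs(math.dist(p, v) - d) > tol for v, d in zip(verifiers, bounds)):
        return None                      # bounds are not mutually consistent: reject
    return p if inside_triangle(p, verifiers) else None

def bounds_from(pos, verifiers):
    """Distance bounds an honest vehicle at `pos` produces (no measurement error modelled)."""
    return tuple(math.dist(pos, v) for v in verifiers)

def cheating_bounds(true_pos, fake_pos, verifiers):
    """Bounds a vehicle at `true_pos` can produce while claiming `fake_pos`: distance bounding
    lets it enlarge a distance (by delaying) but never shrink one below the true value."""
    return tuple(max(math.dist(true_pos, v), math.dist(fake_pos, v)) for v in verifiers)

def cheat_feasible(true_pos, fake_pos, verifiers, tol=PRECISION_M):
    """True only if every distance to `fake_pos` is at least the true one, i.e. the claim
    needs enlargement alone. Inside the triangle this fails whenever fake_pos != true_pos."""
    return all(math.dist(fake_pos, v) >= math.dist(true_pos, v) - tol for v in verifiers)

if __name__ == "__main__":
    true_pos, fake_pos = (300.0, 200.0), (600.0, 300.0)
    print("honest:", verify_location(VERIFIERS, bounds_from(true_pos, VERIFIERS)))
    print("enlargement attack:", verify_location(VERIFIERS, cheating_bounds(true_pos, fake_pos, VERIFIERS)))
    print("feasible by enlargement only:", cheat_feasible(true_pos, fake_pos, VERIFIERS))
    print("outside triangle:", verify_location(VERIFIERS, bounds_from((1200.0, 100.0), VERIFIERS)))
```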
An example application: Cooperative driving

Once we verify a vehicle’s identity (via its electronic license plate) and location (via the mechanisms we just described), we can implement several new functions, including cooperative driving.

Vehicles that pass through critical points such as highway entrances and blind crossings (those without light control) must coordinate to avoid collisions. With the IVC’s support, this coordination can be at least partially automated. Coordination functions that share resources among a group of nodes are usually achieved by group communication primitives (such as mutual exclusion) in computer networks, but the problem we face here is more challenging: human lives are concerned, the nodes are mobile, the groups are highly transient, and the communications are wireless.

A potential solution to this challenge is a lightweight group communication system managed by a token (see Figure 6). Every vehicle sees the wireless link with one of its neighbors (other vehicles within the transmission range) as outgoing; the neighbors see this link as incoming. As a result, a directed acyclic graph (DAG) forms to link the members of a contention group (those vehicles contending for a common point) together. The sink (a node without an outgoing link) of the DAG is elected among the nodes closest to the critical point. This node then initiates a token (a small message that grants the right to access a resource) and goes across the point. The token then passes to one of the nodes that have outgoing links to the token holder, which lets that node move forward.

We can apply different policies to control the behavior of token passing; for example, the token can switch from vehicles on one road to those on the other one at a highway’s entrance (which merges the two flows of vehicles). In any case, a policy would use each vehicle’s verified position and identity to fine-tune the token’s circulation and provide each driver with appropriate information.

Figure 6. Cooperative driving. The red car holds the token that lets it access the resource (a) at a blind crossing and (b) at a highway entrance.

Because many safety features require some level of cooperation between vehicles, bootstrapping the adoption of the necessary hardware is a major business challenge. Of course, this push requires a substantial effort from the standardization bodies before it can materialize.

So far, the security and privacy challenges related to this area have been overlooked,15 but the two solutions we’ve sketched in this article are a good place to start. In particular, electronic license plates have the potential benefit of allowing a much more accurate definition (and control) of what data law-enforcement agencies can access; this is likely to be one of the most relevant challenges in the area of wireless security. Location verification is the cornerstone of cooperative safety mechanisms, and the smarter vehicles become, the more their safety features will need to be secured.

Acknowledgments

We are indebted to Mario Čagalj, Robert Dick, Markus Jakobsson, Ken Laberteaux, Jean-Yves Le Boudec, Christof Paar, and Pravin Varaiya for their comments on early versions of this article. Special thanks also to Matthias Grossglauser and Alcherio Martinoli for their thought-provoking discussions on this topic.

References

1. W. Jones, “Building Safer Cars,” IEEE Spectrum, vol. 39, no. 1, 2002, pp. 82–85.
2. R. Moebus, A. Joos, and M. Morari, “Multi-Object Adaptive Cruise Control,” Proc. Hybrid Systems: Computation and Control, LNCS vol. 2623, Springer-Verlag, 2003, pp. 359–376.
3. W. Franz, R. Eberhardt, and T. Luckenbach, “FleetNet: Internet on the Road,” Proc. 8th World Congress on Intelligent Transport Systems, 2001.
4. L. Zhou and Z. Haas, “Securing Ad Hoc Networks,” IEEE Network, vol. 13, no. 6, 1999, pp. 26–30.
5. Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A Secure On-Demand Routing Protocol for Ad Hoc Networks,” Proc. 8th ACM Int’l Conf. Mobile Computing and Networking (Mobicom), ACM Press, 2002, pp. 12–23.
6. J. Kong and X. Hong, “ANODR: Anonymous on Demand Routing with Untraceable Routes for Mobile Ad Hoc Networks,” Proc. 4th ACM Int’l Symp. on Mobile Ad Hoc Networking and Computing, ACM Press, 2003, pp. 291–302.
7. L. Klein, Sensor Technologies and Data Requirements for ITS, Artech House, 2001.
8. A. Serjantov and G. Danezis, “Toward an Information Theoretic Metric for Anonymity,” Proc. Privacy Enhancing Technologies (PET), Springer-Verlag, 2002.
9. R. Anderson and M. Kuhn, “Tamper Resistance: A Cautionary Note,” Proc. 2nd Usenix Workshop on Electronic Commerce, Usenix Assoc., 1996, pp. 1–11.
10. J. Warner and R. Johnston, Think GPS Cargo Tracking = High Security? Think Again, tech. report, Los Alamos Nat’l Lab., 2003.
11. S. Brands and D. Chaum, “Distance-Bounding Protocols,” Theory and Application of Cryptographic Techniques, Springer-Verlag, 1993, pp. 344–359.
12. S. Čapkun, L. Buttyan, and J.-P. Hubaux, “SECTOR: Secure Tracking of Node Encounters in Multi-Hop Wireless Networks,” Proc. ACM Workshop on Security in Ad Hoc and Sensor Networks (SASN), ACM Press, 2003.
13. J.-Y. Lee and R.A. Scholtz, “Ranging in a Dense Multipath Environment Using a UWB Radio Link,” IEEE J. Selected Areas in Comm., vol. 20, no. 9, 2002, pp. 1677–1683.
14. G. Ateniese, M. Steiner, and G. Tsudik, “New Multi-Party Authentication Services and Key Agreement Protocols,” IEEE J. Selected Areas in Comm., vol. 18, no. 4, 2000, pp. 628–639.
15. J. Luo and J.-P. Hubaux, A Survey of Inter-Vehicle Communications, tech. report IC/2004/04, EPFL, Mar. 2004.

Jean-Pierre Hubaux is a professor at EPFL. His research interests are mobile networking and computing, with a special interest in fully self-organized wireless ad hoc networks. He also serves as an associate editor on IEEE Transactions on Mobile Computing and the Elsevier Journal on Ad Hoc Networks. He is a senior member of the IEEE and a member of ACM. Contact him at jean-pierre.hubaux@epfl.ch; http://lcawww.epfl.ch/hubaux.

Srdjan Čapkun is working toward his PhD at EPFL. His current research interests include security, privacy, and positioning in wireless networks. He received a BSc in electrical engineering and computer science from the University of Split, Croatia. He is a member of the IEEE Communications and Computer Societies and the ACM. Contact him at srdan.capkun@epfl.ch; http://lcawww.epfl.ch/capkun.

Jun Luo is working toward a PhD in communication systems at EPFL. His research interests include multicasting, mobile computing (especially in ad hoc networks), reliable group communication, and network security. He received a BS and MS, both in electrical engineering, from Tsinghua University, Beijing, PRC. He is a student member of ACM. Contact him at jun.luo@epfl.ch; http://lcawww.epfl.ch/luo.