Wireless Location Privacy
In Vehicular Ad-hoc
A grim Nigam
( B a s e d o n r e s e a r c h w o r k o f J o o - H a n S o n g , V i n c e n t W. S . Wo n g , a n d V i c t o r
What Is VANET?
Modern day vehicles are “ Networks on the Wheel”.
Vehicular Communication System (VCS )
V2V and V2I are “ad-hoc" in nature.
Advantages of VCS: Information sharing, Co -operative driving,
Navigation, Internet access etc.
Significant progress has been made in Intelligent Transportation
System(ITS) which makes driving environment safe and efficient .
For ITS, each vehicle needs to periodically broadcast an
authenticated safety message, which includes its veriﬁable identity,
its current location, speed, and acceleration.
This Dedicated Short Range Communication System is Vehicular Ad-
WHY LOCATION PRIVACY PROTECTION?
Broadcast messages may be used by the adversaries for
unauthorized location tracking.
Broadcast messages can be used by attackers to determine the
locations visited by the vehicles over a period of time using an
external Wi-Fi network.
Protecting the location privacy of vehicles is important.
Lack of privacy may hinder the wide acceptance of VANET
PRIVACY PROTECTION SCHEMES
Vehicles specify their location privacy preferences as policies and
trust that the third party location-based service (LBS) providers
adhere to these policies.
Vehicle mitigates by using a randomly chosen and changing
identiﬁer, called the pseudonym.
Pseudonyms may be a set of public keys, network layer addresses
or link layer addresses and has a predeﬁned generation scheme.
A solution to protecting the privacy of VANET.
Changing pseudonym at only one layer pose as an attacker can
link pseudonyms using the unchanged address at the other layer.
AMOEBA is a location privacy enhancement scheme.
Adds random silent period between update of pseudonyms for V2V
Road networks are classified into Observed Zones & Unobserved
Zones or Mix Zones.
Mix Zones are predetermined locations where the vehicles vary
their directions, speeds and their pseudonyms.
Difﬁculty to trace the vehicles that emerge from the mix zone.
CMIX (Cryptographic MIX-zone), each vehicle obtains a
public/private key pair from certiﬁcate authority (CA) via the road-
side unit (RSU), to encrypt all messages while they are within the
K-anonymity is the proposed location privacy enhancement
Protects location information through spatial and temporal
Considers the neighboring vehicle density as the triggering factor
for updating the pseudonym.
Vehicle updates its pseudonym only when there are at least k−1
distinct neighboring vehicles.
The beacon message will not be broadcast by the vehicle until a
certain number of other vehicles have visited the same location.
The goal is to minimize the probability of successful location
tracking of a target vehicle by an adversary.
The density zone consists of M
ports and N intersections .
All vehicles can enter and exit the
density zone only via these ports.
An intersection is a road junction
where two or more roads either
meet or cross.
k-density zone of vehicle v is the
area where at least k−1 distinct
neighboring vehicles always exist .
GLOBAL PASSIVE ADVERSARY
GPA aims to locate and track the target vehicles by
eavesdropping on their authenticated safety broadcast.
GPA leverages the deployed infrastructure and utilizes the
adversarial RSU deployed to track the movement of the target.
GPA cannot distinguish the target vehicle from other vehicles
within the density zone due to the change of pseudonym.
GPA can observe entering and exiting events of vehicles where
an event is a pair consisting of a port number and a time stamp
by installing radio receivers at opportune location.
GPA can attempt to link an entering vehicle and an exiting
vehicle with certain success probability using delay distribution.
ROAD TRAFFIC & DELAY MODEL
After entering the density zone via port i, each vehicle
travels at a distance di with constant speed Si which is
chosen independently from a normal distribution.
From an empirical study on the real freeway traffic can
can determine inter-arrival time of vehicles to port.
At the intersection, each vehicle chooses the output
port j with a probability, which can also be estimated.
Similarly, using mathematical models the average signal
delay can also be determined.
DENSITY-BASED LOCATION PRIVACY
Vehicles share information by broadcasting local beacon
A beacon message is a short packet with the current pseudonym
and location information of the vehicle.
The default beacon interval in 802.11-based networks is 100 ms.
Δt is a configurable parameter for various speed of vehicles.
Each vehicle v determines its or neighboring vehicle count by
listening for beacon messages from its neighbors.
This ensures that each vehicle triggers a pseudonym change only
if there are at least k−1 neighboring vehicles.
Failure to detect transmission within a predefined timeout value,
result in decrement of neighboring vehicle count.
OPERATIONS OF ADVERSARY
Adversary can observe the entering and exit events
corresponding to vehicles entering and exiting the density zones
An entering event consists of the port where the vehicle entered
the density zone, and the time when it happened.
An exit event consists of the port where the vehicle left the
density zone, and the time when it happened.
The objective of an adversary is to relate exit events to entering
The adversary may select a target vehicle v and tracks its
movement until it enters the density zone.
Within the density zone, the target vehicle may change its
pseudonym if it satisfies the criteria in the DLP scheme.
The metric used in proposed model is the probability of
successful tracking of a target vehicle by an adversary when
making its decision.
If the success probability is large, the density zone and changing
pseudonyms are ineffective
If the success probability is small, then tracking is difficult and
the system ensures location privacy.
The probability of successful tracking cannot be determined
analytically due to the complexity of the model.
Simulated runs has been used to determine its empirical value in
TOPOLOGY AND MOBILITY MODEL FOR THE
Network Topology: A density zone is composed of one intersection
and four road segments in each direction.
Mobility Pattern: All vehicles within the density zone are assumed to
travel at a constant speed given at each segment. At the
intersection, all vehicles experience the delay based on the signal
logic of intersection.
For each exiting vehicle, the adversary chooses a vehicle which can
minimize the time difference between the average delay.
Total delay is inversely proportional to the speed of vehicles.
With an increase in variance of vehicles speed increases, the
variance of total delay decreases.
This makes it difficult to find a target vehicle with the highest
probability as the variance of vehicles’ speed increases.
Effectiveness of changing pseudonyms to provide location privacy in
Delay model of vehicles in the density zone to demonstrate the
effectiveness of changing pseudonyms.
For evalution, an assumption was made that the adversary has sufficient
knowledge of delay in density zone.
Based on this information, an adversary may try to select a vehicle which
exits the density zone to the target vehicle that entered it earlier.
Extensive simulation result study shows the probability of successful
tracking of a target vehicle by an adversary under different scenarios.
Proposed DLP scheme has a better performance than both Mix-Zone and
AMOEBA with random silent period in terms of a lower probability of
successful tracking by an adversary.
DLP scheme can mitigate the location tracking of vehicles by changing
pseudonyms based on a threshold in neighboring vehicle count within a
Based on research work of Joo-Han Song, Vincent W.S. Wong, and Victor C.M.