Embedded Info-Security Solutions for Vehicular
Huaqun Guo, Lek Heng Ngoh, Lian Hwa Liow, Feng Tao, Jun Jie Ang, Yongdong Wu, Choon Hwee Kwek
Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613
School of Computer Engineering, Nanyang Technological University, 50 Nanyang Avenue, Singapore 639798
Department of Electrical & Computer Engineering, National University of Singapore, 2 Engineering Drive 4, Singapore 117576
Email: firstname.lastname@example.org
Abstract—The emerging vehicular networks, in the forms of intra-car, car-to-car, and car-to-infrastructure communications, will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs. However, the availability of these exciting automotive applications can also lead to a formidable set of exploits and leave cars vulnerable to attacks, as more and more data is being exchanged and communicated in and out of a car. In this paper, we present our initial work on embedded info-security solutions to protect the critical data for car communications via vehicular networks. We describe an info-security framework, system design, and the first solution prototype in this paper. The initial prototype shows that the proposed solution is feasible.

Keywords: Info-Security, Vehicular Networks, Car Communications, Tamper-resistance, Integrated Data Security

Information technology is the driving force behind innovations in the automotive industry, with perhaps 90% of all innovations in cars based on electronics and software . Networked Electronic Control Units (ECUs) are increasingly being deployed in cars to realize functions such as engine management, air-bag deployment, and even intelligent brake systems. For example, at least 70 networked ECUs are employed in a Mercedes S-Class car . Furthermore, the emerging vehicular networks in the forms of intra-car, car-to-car, and car-to-infrastructure communications  will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs.

There are currently a number of study groups working on car communications and defining the standards for various applications. Intra-car communications, such as LIN (Local Interconnect Network) , CAN (Controller Area Network) , and FlexRay , are used for the connection among car ECUs and sensors. Car-to-car (C2C) communications, such as 802.11p , and DSRC (Dedicated Short Range Communications) [8, 9], may be used to enable safety applications. Car-to-Infrastructure (C2I) communications, e.g. 802.11p and the IEEE 1609 Family of Standards for Wireless Access in Vehicular Environments (WAVE) , may be used for traffic information. Thus, critical information is being exchanged inside and outside the car via vehicular networks. Fig. 1 shows an example of intra-car, C2C and C2I communications.

Figure 1. Example of intra-car, C2C and C2I communications.

However, the availability of these exciting automotive applications can also lead to a formidable set of exploits and leave cars vulnerable to attacks, as more and more data is being exchanged and communicated inside and outside of a car. Currently, standards focus mainly on communications, and hence there is limited security consideration for intra-car, C2C and C2I communications [11, 12, 13, 14, 15]. Due to the
limited security, there are some possible security threats and attack scenarios [15, 16], such as: (1) Eavesdropping: eavesdropping on and recording a warning message about an emergency vehicle, or diffusing wrong information in the network to affect the behavior of other drivers (e.g., diverting traffic from a given road and thus freeing it); (2) Denial of service: accessibility of a service is restricted (e.g., channel jamming and aggressive injection of dummy messages); (3) Bogus information: faking of a warning message; (4) Spoofing: takeover of the identity of an authorized device; (5) ID disclosure of other vehicles: surveillance of vehicle motions by using the C2C and C2I infrastructure; (6) Cheating with sensory information: altering the perceived position, speed, direction, etc., in order to escape liability, notably in the case of an accident; and finally (7) Theft: break-in and theft. Solutions to counter these possible attacks are sometimes referred to as information-security, or info-security.

In this paper, we present our initial work on embedding info-security solutions to protect the critical data for car communications via vehicular networks. Our goal is to ensure that data exchanged inside and outside the automobile is protected from abuse and security attacks. The rest of the paper is organized as follows. Section II presents the related works, while Section III describes our integrated info-security framework for vehicular networks. Section IV presents our system design, and Section V presents the initial prototype. Finally, Section VI outlines our conclusions and future works.

II. RELATED WORKS

Secure vehicular networks, as a new technology, have drawn the attention of industry and academia. For example, the EASIS (Electronic Architecture and System Engineering for Integrated Safety Systems) project , which was part of the European Commission’s 6th Framework Programme launched in 2004, was a partnership of 22 European vehicle manufacturers, automotive suppliers, tool suppliers and research institutes with the aim of developing technologies for the realization of future ISS (Integrated Safety Systems). EASIS combined information from all domains to provide a better view of the state of the vehicle and its surroundings for safety decisions and control actions. In order to handle malicious attacks from external sources and to ensure that the state of the vehicle was secure, EASIS adopted firewall techniques. Furthermore, the EASIS Security Architecture Approach was a security management architecture based on the AUTOSAR (AUTomotive Open System ARchitecture) approach  which included rules for protecting car-internal communication entities, further management databases for own certificates and security session status, and common APIs for cryptographic functions and external functions .

SEVECOM (Secure Vehicular Communication) , an EU-funded project launched in 2006, focuses on providing a full definition and implementation of security requirements for vehicular communications. A liaison with security activities in EASIS supported the activities of SEVECOM. In the most recent publication of SEVECOM, M. Raya and J.P. Hubaux proposed a security architecture for vehicular ad hoc networks and analyzed the robustness of their proposal . However, this work remains in the theoretical analysis stage. Furthermore, this work does not address the intra-car data security described in this paper.

III. INTEGRATED IN-CAR INFO-SECURITY FRAMEWORK

Our proposed info-security framework is shown in Fig. 2. We include security solutions for VANET (Vehicular Ad-Hoc Network) which use the techniques of digital signature, key management, tamper-resistance over secure routing protocols, and delay-tolerant networking. We further carry out security analysis and design in two major aspects as described here.

(1) Tamper-resistant software in embedded devices

We develop tamper-resistant software in embedded devices (e.g. ECUs) by applying trusted computing techniques in order to embed a small trusted party into each vehicle. This part is implemented as a light-weight security ECU combining trusted hardware and software. Only this ECU and a small part of the vehicle software need to be fully trusted, while other parts can be implemented with significantly lower trust assumptions, i.e., at lower cost.

(2) Integrated Data Security Gatekeeper

The Integrated Data Security Gatekeeper is an important component for managing security, and all critical exchanged information goes through the Gatekeeper. Communication control in the Gatekeeper is the key to managing the interaction between applications and secure communication control. It enables both integrity and confidentiality (control of information flow) guarantees to be enforced by the system. Therefore, the gatekeeper must be tamper-proof and take care of storing all the cryptographic material and performing cryptographic operations, especially signing and verifying safety messages.

Figure 2. Integrated in-car info-security framework.
IV. SYSTEM DESIGN

A. Inter-Car Communication

Initially, this project intended to use socket programming to leverage the free Wireless@SG country-wide network for communication among cars. But the problem with the free wireless network is that it is based on proximity-limited wireless access points. A typical situation of distress is illustrated in Fig. 3. Hence, this method of wireless infrastructure has been scrapped.

Figure 3. Problem of wireless access point.

A wireless Mobile Ad-hoc Network (MANET) is used instead. As mentioned in , it is a network consisting of two or more mobile nodes, equipped with their own wireless networking capability, without the need for any preexisting network infrastructure. Each node acts as both a mobile host and a router that helps to forward traffic on behalf of other nodes within the network, as shown in Fig. 4.

Figure 4. MANET.

As commented in , although MANET is highly flexible, it has a few issues in the following areas:

• Wireless medium access
Since MANET transfers data through a wireless medium, simultaneous data transmission must be controlled to prevent collision. This undesirable behavior has been solved in ad-hoc routing algorithms with the use of a handshaking protocol, such as the Request-To-Send (RTS) and Clear-To-Send (CTS) handshake protocol.

Every node in a MANET must have a unique IP address to communicate. DHCP cannot be used due to the lack of an access point, while static addressing is not flexible enough, since a MANET could scale very fast and in large numbers. Hence a typical solution to this problem is to use the Address Resolution Protocol to spot any address collisions and remedy them by allocating another IP address.

• Network security
Network security is of utmost importance in any infrastructure, especially a wireless one, since the radio waves are free to air. Hence, cryptographic methods such as Public Key Infrastructure (PKI) and symmetric key encryption are used.

In addition, due to the nodes' high mobility, the network topology changes frequently. Hence, a suitable ad-hoc routing protocol is needed to counter this dynamic property.

Ad-hoc On-Demand Distance Vector (AODV)  is a reactive routing protocol whereby routes from the sender to the receiver are only determined on demand, and it does not attempt to maintain routes to every node in its routing table at all times. This helps to relieve the network of unnecessary traffic that tries to establish routes from one node to every other node. Thus, we adapt the AODV routing protocol for inter-car communication. The exchange of messages using AODV is illustrated in Fig. 5.

Figure 5. AODV protocol message.
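The on-demand behaviour of AODV described above can be reproduced with a small simulation. This is an added example, not the authors' code or AODV-UU: the five-node topology is constructed, and the model is simplified (no sequence numbers, timers or route-error messages).

```python
from collections import deque

# Constructed topology (an assumption, not from the paper): radio neighbours.
LINKS = {1: [2], 2: [1, 3, 5], 3: [2, 4], 4: [3], 5: [2]}

class Node:
    def __init__(self, nid):
        self.nid = nid
        self.routes = {}   # destination -> (next_hop, hop_count)
        self.seen = set()  # (originator, rreq_id) pairs already handled

def discover(nodes, src, dst, rreq_id=1):
    """Flood an RREQ from src; dst answers with an RREP along the reverse path.
    Returns the number of RREQ broadcasts, or None if dst was not reached."""
    nodes[src].seen.add((src, rreq_id))
    queue = deque([(src, 0)])  # (broadcasting node, its hop distance from src)
    sent, reached = 0, False
    while queue:
        sender, hops = queue.popleft()
        sent += 1
        for nb in LINKS[sender]:
            node = nodes[nb]
            if (src, rreq_id) in node.seen:
                continue  # duplicate RREQ is dropped
            node.seen.add((src, rreq_id))
            node.routes[src] = (sender, hops + 1)  # reverse route to originator
            if nb == dst:
                reached = True  # destination replies instead of rebroadcasting
            else:
                queue.append((nb, hops + 1))
    if not reached:
        return None
    # The RREP is unicast hop by hop over the reverse routes and installs
    # forward routes only on the nodes it passes through.
    current, hops = dst, 0
    while current != src:
        prev = nodes[current].routes[src][0]
        hops += 1
        nodes[prev].routes[dst] = (current, hops)
        current = prev
    return sent

def path(nodes, src, dst):
    """Follow the installed next-hop entries from src to dst."""
    hops = [src]
    while hops[-1] != dst:
        hops.append(nodes[hops[-1]].routes[dst][0])
    return hops

nodes = {n: Node(n) for n in LINKS}  # all routing tables start empty

if __name__ == "__main__":
    print(discover(nodes, 1, 4), path(nodes, 1, 4), nodes[5].routes)
```

Node 5 hears the request but is not on the reply path, so it never learns a route to node 4. Base AODV (RFC 3561) does not authenticate RREQ or RREP messages, so route state learned this way is only as trustworthy as the layer that signs or verifies the messages.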
B. Intra-Car Communication

The typical intra-car communication applied in the project is to use the gatekeeper to protect the automobile from theft, as shown in Fig. 6.

Figure 6. Intra-car communication.

The gatekeeper disables an automobile and its key auto systems through remote control when the automobile is stolen. The gatekeeper will verify the automobile and its key auto systems before it allows the automobile to start. If an automobile is stolen, its owner will use his mobile phone to send out a disable command to the gatekeeper. After the gatekeeper receives the disable command, the gatekeeper will disable the automobile from re-starting and the key auto systems from activating. Thus, the gatekeeper allows the owner to retain some control, disabling the automobile from starting and the key auto systems from activating after it is stolen.

C. System Architecture

Based on the above analyses, we design our system architecture as shown in Fig. 7. The gatekeeper consists of a single board computer (SBC), a GPRS modem, and a wireless card. For inter-car communication, all messages are received or transmitted through the gatekeeper via the AODV routing protocol or GPRS. The gatekeeper also links to the networked ECUs via intra-car communication.

Figure 7. System architecture.

In the next section, we present our initial prototype and test results.

V. PROTOTYPE

We have built the first prototype of our solution, shown in Fig. 8. We use a single board computer (SBC), the Soekris Net4801, to act as the core platform for the security gatekeeper. A D-Link DWL-G520 wireless card and an iTegno GPRS modem are connected to the Soekris Net4801. The Soekris Net4801 also has a serial port interface that connects to the networked ECUs inside a car. Finally, Gentoo Linux is adopted as the OS (operating system) for the SBC because of its ease of usage, configuration and updatability.

Figure 8. Prototype of the gatekeeper. (Labelled components: GPRS, D-Link DWL-G520 wireless card, Soekris Net4801.)

We have developed C programs to realize the communication from ECUs to SBC and from SBC to GPRS modem. AODV is the routing protocol used in the system and AODV-UU  is ported and implemented.

First, we embedded our security algorithm (details of this algorithm are available from the authors) in the CAN bus system, and added tamper resistance of software in ECUs. In addition, the exchanged messages are encrypted and authenticated. With this prototype, we demonstrated the anti-theft security between a mobile phone and ECUs inside a commercial passenger car. Note that this system has far superior security features compared with existing mobile phone-based anti-theft systems, which do not employ the embedded info-security code described here and can be easily compromised.

Second, we carry out an inter-car communication test using the setup shown in Fig. 9. Node 2 is the prototype of the gatekeeper. Node 1 and Node 3 are two laptop computers, while Node 4 is an automotive simulator. All four nodes run the AODV routing protocol and they can communicate with each other. Then, we measure the throughput of inter-car communication. The results are shown in Fig. 10. From Fig. 10, it is clear that when the distance between two nodes, i.e., Node 1 and Node 2, is within 100 meters, the throughput is high and stable, and hence AODV is suitable for the inter-car communication.
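The disable-command path of Section IV-B, combined with the message authentication mentioned for the prototype, is shown here as an added example. It is not the authors' algorithm, which the paper does not publish: the pre-shared key, the frame layout, the message counter and the ENABLE command are assumptions, and encryption of the frame is left out.

```python
import hashlib
import hmac
import struct

CMD_DISABLE, CMD_ENABLE = 0x01, 0x02  # ENABLE is a hypothetical addition
BODY_LEN, TAG_LEN = 9, 32

def build_command(key, counter, cmd):
    """Owner side: counter (8 bytes, big-endian) || command (1 byte) || HMAC tag."""
    body = struct.pack(">QB", counter, cmd)
    return body + hmac.new(key, body, hashlib.sha256).digest()

class Gatekeeper:
    """Assumed gatekeeper logic; counter and flag would need persistent,
    tamper-resistant storage to survive a power cycle."""

    def __init__(self, key):
        self._key = key
        self._last_counter = 0  # highest counter accepted so far
        self.disabled = False

    def handle(self, frame):
        """Apply the command only if the frame is authentic, fresh and well formed."""
        if len(frame) != BODY_LEN + TAG_LEN:
            return False
        body, tag = frame[:BODY_LEN], frame[BODY_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or corrupted frame
        counter, cmd = struct.unpack(">QB", body)
        if counter <= self._last_counter:
            return False  # replay of a previously accepted command
        if cmd not in (CMD_DISABLE, CMD_ENABLE):
            return False
        self._last_counter = counter
        self.disabled = cmd == CMD_DISABLE
        return True

    def may_start(self):
        """Checked before the vehicle is allowed to start."""
        return not self.disabled
```

The tag is compared with `hmac.compare_digest` so that verification time does not depend on how many tag bytes match, and the counter is advanced only after every other check has passed.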
Figure 9. Setup for inter-car communication.

Figure 10. Throughput of inter-car communication. (Axis label: Distance (m).)

This paper presents our initial work on info-security solutions to protect the critical data exchanged inside and outside the car via vehicular networks. We carry out security analysis, describe an info-security framework, present our system design, and show the first prototype. In the prototype, we embedded the security code in the CAN bus system, and added tamper-resistance of software in ECUs. In addition, all messages exchanged are encrypted and authenticated. With this prototype, we demonstrated the secure communication between a mobile phone and ECUs inside the car for anti-theft purposes. The experimental prototype is also used to test the throughput of inter-car communication, and the results show that the throughput is high and stable. Therefore, our initial prototype shows that our solution is feasible.

In the near future, we will continue working on the integrated data security gatekeeper, and realize the reliable secure car

[1] Escar, Embedded security in cars 2006, Berlin, Germany, November
[2] DaimlerChrysler, Gartner Research, Nov 2005.
[3] CAR 2 CAR Communication Consortium. http://www.car-to-car.org/
[4] Local Interconnect Network. http://www.lin-subbus.org/.
[5] Controller Area Network. http://www.can-cia.org/can/
[6] FlexRay. http://www.flexray.com/
[7] IEEE 802.11p. http://en.wikipedia.org/wiki/IEEE_802.11p
[8] Dedicated Short Range Communications.
[9] IEEE 1609 WAVE Radio Communication Standards.
[10] IEEE 1609 - Family of Standards for Wireless Access in Vehicular
[11] J. Blum and A. Eskandarian, “The threat of intelligent collisions,” IT Professional 6(1), pp. 23-29, 2004.
[12] L. Gollan and C. Meinel, “Digital Signatures for Automobiles,” Proceedings of Systemics, Cybernetics and Informatics (SCI)’02, 2002.
[13] J.-P. Hubaux, S. Capkun and J. Luo, “The security and privacy of smart vehicles,” IEEE Security and Privacy Magazine 2(3) (2004), 49-55.
[14] M. Raya and J.-P. Hubaux, “The security of vehicle ad hoc networks,” Proceedings of the ACM Workshop on Security in Ad hoc and Sensor Networks (SASN’05), pp. 11-21, Alexandria, Virginia, USA, November
[15] M. El Zarki, S. Mehrotra, G. Tsudik and N. Venkatasubramanian, “Security issues in future vehicular network,” Proceedings of European
[16] T. Eymann, “The EASIS security architecture approach,” the 1st C2C-CC Security Workshop, Berlin, November 2006.
[17] EASIS. http://www.easis-online.org
[18] AUTOSAR. http://www.autosar.org
[19] SEVECOM. http://www.sevecom.org/
[20] M. Raya and J.-P. Hubaux, “Securing vehicular ad hoc networks,” Journal of Computing Security, 15(2007) 39-68.
[21] B. Wiberg, “Porting AODV-UU implementation to ns-2 and enabling trace-based simulation,” Uppsala University, December 2002.
[22] I. D. Chakeres, E. M. Belding-Royer, “AODV routing protocol implementation design,” the 24th International Conference on Distributed Computing Systems Workshops (ICDCSW’04), 2004.
[23] AODV-UU. http://core.it.uu.se/core/index.php/AODV-UU