Embedded Info-Security Solutions for Vehicular Networks

Huaqun Guo, Lek Heng Ngoh, Yongdong Wu
Institute for Infocomm Research
21 Heng Mui Keng Terrace, Singapore 119613
Email: guohq@i2r.a-star.edu.sg

Lian Hwa Liow, Choon Hwee Kwek
School of Computer Engineering, Nanyang Technological University
50 Nanyang Avenue, Singapore 639798

Feng Tao, Jun Jie Ang
Department of Electrical & Computer Engineering, National University of Singapore
2 Engineering Drive 4, Singapore 117576

Abstract—The emerging vehicular networks in the forms of intra-car, car-to-car, and car-to-infrastructure communications will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs. However, the availability of these exciting automotive applications can also lead to a formidable set of exploits and vulnerabilities to attacks, as more and more data is being exchanged and communicated in and out of a car. In this paper, we present our initial work on embedded info-security solutions to protect the critical data for car communications via vehicular networks. We describe an info-security framework, a system design, and the first solution prototype. The initial prototype shows that the proposed solution is feasible.

Keywords: Info-Security, Vehicular Networks, Car Communications, Tamper-resistance, Integrated Data Security

I. INTRODUCTION

Information technology is the driving force behind innovations in the automotive industry, with perhaps 90% of all innovations in cars based on electronics and software [1]. Networked Electronic Control Units (ECUs) are increasingly being deployed in cars to realize functions such as engine management, air-bag deployment, and even intelligent brake systems. For example, at least 70 networked ECUs are employed in a Mercedes S-Class car [2]. Furthermore, the emerging vehicular networks in the forms of intra-car, car-to-car, and car-to-infrastructure communications [3] will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs.

There are currently a number of study groups on car communications working to define the standards for various applications. Intra-car communications, such as LIN (Local Interconnect Network) [4], CAN (Controller Area Network) [5], and FlexRay [6], are used for the connection among car ECUs and sensors. Car-to-car (C2C) communications, such as 802.11p [7] and DSRC (Dedicated Short Range Communications) [8, 9], may be used to enable safety applications. Car-to-infrastructure (C2I) communications, e.g. 802.11p and the IEEE 1609 Family of Standards for Wireless Access in Vehicular Environments (WAVE) [10], may be used for traffic information. Thus, critical information is being exchanged both inside the car and between the car and the outside via vehicular networks. Fig. 1 shows an example of intra-car, C2C and C2I communications.

Figure 1. Example of intra-car, C2C and C2I communications.

However, the availability of these exciting automotive applications can also lead to a formidable set of exploits and vulnerabilities to attacks, as more and more data is being exchanged and communicated inside and outside of a car. Current standards focus mainly on communications, and hence there is limited security consideration for intra-car, C2C and C2I communications [11, 12, 13, 14, 15]. Due to the limited security, there are several possible security threats and attack scenarios [15, 16], such as: (1) Eavesdropping: eavesdropping on and recording a warning message about an emergency vehicle, or diffusing wrong information in the network to affect the behavior of other drivers (e.g., diverting traffic from a given road and thus freeing it); (2) Denial of service: accessibility of a service is restricted (e.g., channel jamming and aggressive injection of dummy messages); (3) Bogus information: faking of a warning message; (4) Spoofing: taking over the identity of an authorized device; (5) ID disclosure of other vehicles: surveillance of vehicle motions by using the C2C and C2I infrastructure; (6) Cheating with sensory information: altering the perceived position, speed, direction, etc., in order to escape liability, notably in the case of an accident; and finally (7) Theft: break-in and theft. Solutions to counter these possible attacks are sometimes referred to as information security, or info-security.

In this paper, we present our initial work on embedding info-security solutions to protect the critical data for car communications via vehicular networks. Our goal is to ensure that data exchanged inside the automobile and between the automobile and the outside is protected from abuse and security attacks. The rest of the paper is organized as follows. Section II presents the related work, while Section III describes our integrated info-security framework for vehicular networks. Section IV presents our system design, and Section V presents the initial prototype. Finally, Section VI outlines our conclusions and future work.

II. RELATED WORKS

Secure vehicular networks as a new technology have drawn the attention of industry and academia. For example, the EASIS (Electronic Architecture and System Engineering for Integrated Safety Systems) project [17], which was part of the European Commission's 6th Framework Programme launched in 2004, was a partnership of 22 European vehicle manufacturers, automotive suppliers, tool suppliers and research institutes with the aim to develop technologies for the realization of future ISS (Integrated Safety Systems). EASIS combined information from all domains to provide a better view of the state of the vehicle and its surroundings for safety decisions and control actions. In order to handle malicious attacks from external sources and to ensure that the state of the vehicle was secure, EASIS adopted firewall techniques. Furthermore, the EASIS Security Architecture Approach was a security management architecture based on the AUTOSAR (AUTomotive Open System ARchitecture) approach [18], which included rules for protecting car-internal communication entities, further management databases for own certificates and security session status, and common APIs for cryptographic functions and external functions [16].

SEVECOM (Secure Vehicular Communication) [19], an EU-funded project launched in 2006, focuses on providing a full definition and implementation of security requirements for vehicular communications. A liaison with security activities in EASIS supported the activities of SEVECOM. In the most recent publication of SEVECOM, M. Raya and J.P. Hubaux proposed a security architecture for vehicular ad hoc networks and analyzed the robustness of their proposal [20]. However, this work remains in the theoretical analysis stage. Furthermore, this work does not address the intra-car data security described in this paper.

III. INTEGRATED IN-CAR INFO-SECURITY FRAMEWORK

Our proposed info-security framework is shown in Fig. 2. We include security solutions for VANET (Vehicular Ad-Hoc Network) which use the techniques of digital signature, key management, and tamper-resistance over secure routing protocols and delay-tolerant networking. We further carry out security analysis and design in two major aspects, as described here.

(1) Tamper-resistant software in embedded devices

We develop tamper-resistant software in embedded devices (e.g. ECUs) by applying trusted computing techniques in order to embed a small trusted party into each vehicle. This part is implemented as a light-weight security ECU combining trusted hardware and software. Only this ECU and a small part of the vehicle software need to be fully trusted, while the other parts can be implemented with significantly lower trust assumptions, i.e. at lower cost.

(2) Integrated Data Security Gatekeeper

The Integrated Data Security Gatekeeper is an important component to manage security, and all critical exchanged information goes through the Gatekeeper. Communication control in the Gatekeeper is the key to managing the interaction between applications and secure communication control. It enables both integrity and confidentiality (control of information flow) guarantees to be enforced by the system. Therefore, the gatekeeper must be tamper-proof and take care of storing all the cryptographic material and performing cryptographic operations, especially signing and verifying safety messages.

Figure 2. Integrated in-car info-security framework.
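The gatekeeper's role as the sole holder of cryptographic material, signing outgoing safety messages and verifying incoming ones, as an added Go example that is not part of the paper or of its C prototype. It uses Ed25519 signatures from Go's standard library; the message layout, the identifiers, the 30-second freshness window and the two-car scenario are assumptions made for the example. Measured against the threat list in Section I, it shows bogus information (3), spoofing (4) and replay of a recorded message (1) being rejected at the gatekeeper before they reach any application:

```go
package main

// Added example (not the paper's C prototype code): the Integrated Data Security
// Gatekeeper keeps the vehicle's signing key and signs/verifies safety messages,
// so bogus, spoofed or stale messages never reach in-car applications. Message
// layout, field names and the 30 s freshness window are assumptions.

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"time"
)

// SafetyMessage is what an in-car application hands to the gatekeeper.
type SafetyMessage struct {
	SenderID  uint32 // identifier (pseudonym) of the signing vehicle
	Timestamp int64  // Unix seconds at which the message was generated
	Payload   string // e.g. "EMERGENCY_VEHICLE_APPROACHING"
}

// Gatekeeper is the only component holding key material; applications route
// messages through it and never see the private key.
type Gatekeeper struct {
	priv   ed25519.PrivateKey
	peers  map[uint32]ed25519.PublicKey // verification keys of trusted vehicles
	maxAge time.Duration                // tolerated message age / clock skew
}

func NewGatekeeper(maxAge time.Duration) (*Gatekeeper, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gatekeeper{priv: priv, peers: map[uint32]ed25519.PublicKey{}, maxAge: maxAge}, nil
}

func (g *Gatekeeper) PublicKey() ed25519.PublicKey { return g.priv.Public().(ed25519.PublicKey) }

// Trust registers a peer's verification key; in practice it would come from a
// certificate issued by the vehicular PKI (key distribution is out of scope here).
func (g *Gatekeeper) Trust(id uint32, pk ed25519.PublicKey) { g.peers[id] = pk }

// encode fixes the signed byte layout: id || timestamp || payload.
func encode(m SafetyMessage) []byte {
	buf := make([]byte, 12, 12+len(m.Payload))
	binary.BigEndian.PutUint32(buf[0:4], m.SenderID)
	binary.BigEndian.PutUint64(buf[4:12], uint64(m.Timestamp))
	return append(buf, m.Payload...)
}

// Sign is the outbound path: only the gatekeeper can produce a valid signature.
func (g *Gatekeeper) Sign(m SafetyMessage) []byte { return ed25519.Sign(g.priv, encode(m)) }

// Verify is the inbound path. It rejects unknown senders (spoofing), altered
// content (bogus information) and messages outside the freshness window (replay).
func (g *Gatekeeper) Verify(m SafetyMessage, sig []byte, now time.Time) error {
	pk, ok := g.peers[m.SenderID]
	if !ok {
		return errors.New("unknown sender")
	}
	if !ed25519.Verify(pk, encode(m), sig) {
		return errors.New("bad signature")
	}
	if age := now.Sub(time.Unix(m.Timestamp, 0)); age > g.maxAge || age < -g.maxAge {
		return errors.New("stale or future-dated message")
	}
	return nil
}

// Result records how car B's gatekeeper treated four constructed messages.
type Result struct{ Genuine, Bogus, Spoofed, Stale bool }

// Demo runs the exchange between two cars with a fixed clock so it is reproducible.
func Demo() (Result, error) {
	carA, err := NewGatekeeper(30 * time.Second)
	if err != nil {
		return Result{}, err
	}
	carB, err := NewGatekeeper(30 * time.Second)
	if err != nil {
		return Result{}, err
	}
	carB.Trust(1, carA.PublicKey()) // car B learns car A's verification key
	now := time.Unix(1700000000, 0) // constructed clock value
	msg := SafetyMessage{SenderID: 1, Timestamp: now.Unix(), Payload: "EMERGENCY_VEHICLE_APPROACHING"}
	sig := carA.Sign(msg)
	bogus, spoofed := msg, msg
	bogus.Payload = "ROAD_CLEAR" // content altered after signing
	spoofed.SenderID = 2         // identity car B holds no key for
	return Result{
		Genuine: carB.Verify(msg, sig, now) == nil,
		Bogus:   carB.Verify(bogus, sig, now) != nil,
		Spoofed: carB.Verify(spoofed, sig, now) != nil,
		Stale:   carB.Verify(msg, sig, now.Add(10*time.Minute)) != nil,
	}, nil
}
```

Key distribution is deliberately left out: `Trust` stands in for whatever the vehicular PKI provides. The freshness window is the practical caveat: it only works if the clocks of the participating ECUs are reasonably synchronised, and it bounds rather than eliminates replay within the window; a per-sender sequence number kept by the gatekeeper would close that remaining gap.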
IV. SYSTEM DESIGN

A. Inter-Car Communication

Initially, this project intended to use socket programming to leverage the free Wireless@SG country-wide network for communication among cars. But the problem with the free wireless network is that it is based on proximity-limited wireless access points. A typical situation of distress is illustrated in Fig. 3. Hence, this method of wireless infrastructure has been scrapped.

Figure 3. Problem of wireless access point.

A wireless Mobile Ad-hoc Network (MANET) is used instead. As mentioned in [21], it is a network consisting of two or more mobile nodes, equipped with their own wireless networking capability, without the need for any preexisting network infrastructure. Each node acts as both a mobile host and a router that helps to forward traffic on behalf of other nodes within the network, as shown in Fig. 4.

Figure 4. MANET.

As commented in [21], although a MANET is highly flexible, it has a few issues in the following areas:

• Wireless medium access. Since a MANET transfers data through a wireless medium, simultaneous data transmission must be controlled to prevent collisions. This undesirable behavior has been solved in ad-hoc routing algorithms with the use of a handshaking protocol, such as the Request-To-Send (RTS) and Clear-To-Send (CTS) handshake protocol.

• Addressing. Every node in a MANET must have a unique IP address to communicate. Using DHCP is not possible due to the lack of an access point, while static addressing is not flexible enough, since a MANET could scale very fast and to large numbers. Hence a typical solution to this problem is to use the Address Resolution Protocol to spot any address collisions and remedy them by allocating another IP address.

• Network security. Network security is of utmost importance in any infrastructure, especially a wireless one, since the radio waves are free to air. Hence, cryptographic methods such as Public Key Infrastructure (PKI) and symmetric key encryption are used.

In addition, due to the nodes' high mobility, the network topology changes frequently. Hence, a suitable ad-hoc routing protocol is needed to counter this dynamic property.

Ad-hoc On-Demand Distance Vector (AODV) [22] is a reactive routing protocol whereby the route from the sender to the receiver is only determined on demand, and it does not attempt to maintain routes to every node in its routing table at all times. This relieves the network of the unnecessary traffic of trying to establish routes from one node to every other node. Thus, we adopt the AODV routing protocol for inter-car communication. The exchange of messages using AODV is illustrated in Fig. 5.

Figure 5. AODV protocol message.

B. Intra-Car Communication

The typical intra-car communication applied in the project is to use the gatekeeper to protect the automobile from theft, as shown in Fig. 6.

Figure 6. Intra-car communication.

The gatekeeper disables an automobile and its key auto systems through remote control when the automobile is stolen. The gatekeeper will verify the automobile and its key auto systems before it allows the automobile to start. If an automobile is stolen, its owner will use his mobile phone to send a disable command to the gatekeeper. After the gatekeeper receives the disable command, it will prevent the automobile from re-starting and the key auto systems from activating. Thus, the gatekeeper lets the owner retain some control, namely to stop the automobile from starting and the key auto systems from activating, after it is stolen.

C. System Architecture

Based on the above analyses, we design our system architecture as shown in Fig. 7. The gatekeeper consists of a single board computer (SBC), a GPRS modem, and a wireless card. For inter-car communication, all messages are received or transmitted through the gatekeeper via the AODV routing protocol or GPRS. The gatekeeper also links to the networked ECUs via intra-car communication.

Figure 7. System architecture.

In the next section, we present our initial prototype and test results.

V. PROTOTYPE

We have built the first prototype of our solution, shown in Fig. 8. We use a single board computer (SBC), the Soekris Net4801, as the core platform for the security gatekeeper. A D-Link DWL-G520 wireless card and an iTegno GPRS modem are connected to the Soekris Net4801. The Soekris Net4801 also has a serial port interface that connects to the networked ECUs inside a car. Finally, Gentoo Linux is adopted as the OS (operating system) for the SBC because of its ease of usage, configuration and updatability.

Figure 8. Prototype of the gatekeeper (GPRS modem, D-Link DWL-G520 wireless card, Soekris Net4801).

We have developed C programs to realize the communication between the ECUs and the SBC and between the SBC and the GPRS modem. AODV is the routing protocol used in the system, and AODV-UU [23] is ported and implemented.

First, we embedded our security algorithm (details of this algorithm are available from the authors) in the CAN bus system, and added tamper resistance of software in the ECUs. In addition, the exchanged messages are encrypted and authenticated. With this prototype, we demonstrated the anti-theft security between a mobile phone and the ECUs inside a commercial passenger car. Notice that this system has far superior security features to existing mobile phone-based anti-theft systems, which do not employ the embedded info-security code described here and can be easily compromised.

Second, we carried out an inter-car communication test using the setup shown in Fig. 9. Node 2 is the prototype of the gatekeeper. Node 1 and Node 3 are two laptop computers, while Node 4 is an automotive simulator. All four nodes run the AODV routing protocol and can communicate with each other. Then, we measured the throughput of inter-car communication. The results are shown in Fig. 10. From Fig. 10, it is clear that when the distance between two nodes, i.e., Node 1 and Node 2, is within 100 meters, the throughput is high and stable, and hence AODV is suitable for inter-car communication.
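Route discovery in AODV as described in Section IV.A, as an added Go model that is not the AODV-UU implementation the prototype ports. It reproduces only the on-demand behaviour the text relies on (RREQ flooding with duplicate suppression, reverse routes installed as the request passes, and an RREP that installs the forward route hop by hop) over the four nodes of Fig. 9; the chain topology Node1-Node2-Node3-Node4 and the absence of sequence numbers, timers and route-error handling are simplifications made for the example:

```go
package main

// Added example (not the AODV-UU code the prototype ports): a small model of
// AODV's reactive route discovery (RREQ flood, reverse routes, RREP unicast)
// over the four nodes of the inter-car test. The chain topology 1-2-3-4 is an
// assumption; the paper does not state which nodes were in radio range.

import "fmt"

type Route struct {
	NextHop int
	Hops    int
}

type Node struct {
	Neighbors []int
	Table     map[int]Route   // destination -> route, filled only on demand
	seen      map[[2]int]bool // (origin, rreqID) pairs already processed
}

type Network struct {
	nodes  map[int]*Node
	rreqID int
}

// NewNetwork builds the topology from undirected links (radio adjacency).
func NewNetwork(links [][2]int) *Network {
	n := &Network{nodes: map[int]*Node{}}
	node := func(id int) *Node {
		if n.nodes[id] == nil {
			n.nodes[id] = &Node{Table: map[int]Route{}, seen: map[[2]int]bool{}}
		}
		return n.nodes[id]
	}
	for _, l := range links {
		node(l[0]).Neighbors = append(node(l[0]).Neighbors, l[1])
		node(l[1]).Neighbors = append(node(l[1]).Neighbors, l[0])
	}
	return n
}

// Discover floods an RREQ from src. Each node that first sees it installs a
// reverse route to src and rebroadcasts; the destination answers with an RREP
// that installs the forward route hop by hop. Pairs nobody asked about stay unknown.
func (n *Network) Discover(src, dst int) ([]int, bool) {
	n.rreqID++
	key := [2]int{src, n.rreqID}
	n.nodes[src].seen[key] = true
	queue := [][2]int{{src, 0}} // {rebroadcasting node, hop count so far}
	for len(queue) > 0 {
		from, hops := queue[0][0], queue[0][1]
		queue = queue[1:]
		for _, nb := range n.nodes[from].Neighbors {
			node := n.nodes[nb]
			if node.seen[key] {
				continue // duplicate of a request already handled: drop it
			}
			node.seen[key] = true
			node.Table[src] = Route{NextHop: from, Hops: hops + 1} // reverse route
			if nb == dst {
				n.reply(dst, src)
				return n.Route(src, dst)
			}
			queue = append(queue, [2]int{nb, hops + 1})
		}
	}
	return nil, false
}

// reply unicasts the RREP back along the reverse routes, installing the forward route.
func (n *Network) reply(dst, origin int) {
	for cur, hops := dst, 0; cur != origin; {
		next := n.nodes[cur].Table[origin].NextHop
		hops++
		n.nodes[next].Table[dst] = Route{NextHop: cur, Hops: hops}
		cur = next
	}
}

// Route follows the tables already in place, without triggering discovery.
func (n *Network) Route(src, dst int) ([]int, bool) {
	path := []int{src}
	for cur := src; cur != dst; {
		r, ok := n.nodes[cur].Table[dst]
		if !ok || len(path) > len(n.nodes) {
			return nil, false
		}
		cur = r.NextHop
		path = append(path, cur)
	}
	return path, true
}

func main() {
	net := NewNetwork([][2]int{{1, 2}, {2, 3}, {3, 4}}) // Node1 - Node2 - Node3 - Node4 (assumed)
	_, known := net.Route(1, 4)
	fmt.Println("route 1->4 known before discovery:", known) // false: nothing cached
	path, _ := net.Discover(1, 4)
	fmt.Println("route 1->4 after discovery:", path) // [1 2 3 4]
}
```

After `Discover(1, 4)` each intermediate node holds exactly the two entries the exchange produced (a reverse route to Node 1 and a forward route to Node 4) and nothing for pairs that were never requested, which is the traffic saving the text describes. The point for a security review is also visible in those tables: every entry was learned from an unauthenticated broadcast, so route integrity has to come from the signed messages and secure routing that the framework in Section III calls for, not from AODV itself.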
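The anti-theft exchange of Sections IV.B and V, in which the owner's phone sends a disable command that the gatekeeper must accept only if it is genuine and fresh, as an added Go example that is not the authors' C code (the paper's own algorithm is not published). It assumes a key shared between phone and gatekeeper at pairing time, an envelope layout of an 8-byte counter followed by AES-GCM ciphertext, and the command names DISABLE and ENABLE; all of these are choices made for the example:

```go
package main

// Added example (not the authors' prototype code): the owner's phone sends an
// encrypted, authenticated DISABLE command to the gatekeeper with AES-GCM under a
// key shared at pairing; a strictly increasing counter, bound into the nonce and
// the additional data, stops a captured envelope from being replayed. Names are assumed.

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
)

const CmdDisable, CmdEnable = "DISABLE", "ENABLE"

// Phone: the shared key plus the counter of the last command sent.
type Phone struct {
	aead    cipher.AEAD
	counter uint64
}

// Gatekeeper: same key, highest counter accepted so far, immobiliser state.
type Gatekeeper struct {
	aead        cipher.AEAD
	lastCounter uint64
	disabled    bool
}

// Pair provisions one fresh 256-bit key into both ends (in a deployment this is
// done once, in a trusted setting). AES-256/GCM setup cannot fail for a 32-byte key.
func Pair() (*Phone, *Gatekeeper) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err) // no usable entropy source: refuse to run
	}
	block, _ := aes.NewCipher(key)
	aead, _ := cipher.NewGCM(block)
	return &Phone{aead: aead}, &Gatekeeper{aead: aead}
}

// Send builds: counter (8 bytes) || AES-GCM(command). The counter also forms the
// 12-byte nonce (never reused under a fresh key) and is bound as additional data.
func (p *Phone) Send(cmd string) []byte {
	p.counter++
	hdr := make([]byte, 8)
	binary.BigEndian.PutUint64(hdr, p.counter)
	nonce := append(make([]byte, 4, 12), hdr...)
	return append(hdr, p.aead.Seal(nil, nonce, []byte(cmd), hdr)...)
}

// Receive authenticates, decrypts and applies one envelope. The counter window
// advances only after authentication succeeds, so a forged envelope cannot move it.
func (g *Gatekeeper) Receive(env []byte) error {
	if len(env) < 8+g.aead.Overhead() {
		return errors.New("truncated envelope")
	}
	hdr, body := env[:8], env[8:]
	ctr := binary.BigEndian.Uint64(hdr)
	if ctr <= g.lastCounter {
		return errors.New("replayed or out-of-order command")
	}
	nonce := append(make([]byte, 4, 12), hdr...)
	cmd, err := g.aead.Open(nil, nonce, body, hdr)
	if err != nil {
		return errors.New("authentication failed")
	}
	switch string(cmd) {
	case CmdDisable:
		g.disabled = true
	case CmdEnable:
		g.disabled = false
	default:
		return errors.New("unknown command")
	}
	g.lastCounter = ctr
	return nil
}

// AllowStart is the check the gatekeeper answers before the car may start.
func (g *Gatekeeper) AllowStart() bool { return !g.disabled }

// Result records the constructed scenario: DISABLE from the phone, the same
// envelope replayed, then an ENABLE corrupted in transit; the car must stay disabled.
type Result struct{ Disabled, ReplayRejected, TamperRejected, StillDisabled bool }

func Demo() (Result, error) {
	phone, gk := Pair()
	disable := phone.Send(CmdDisable)
	if err := gk.Receive(disable); err != nil {
		return Result{}, err
	}
	r := Result{Disabled: !gk.AllowStart()}
	r.ReplayRejected = gk.Receive(disable) != nil
	bad := phone.Send(CmdEnable)
	bad[len(bad)-1] ^= 0x01 // one bit of the GCM tag flipped in transit
	r.TamperRejected = gk.Receive(bad) != nil
	r.StillDisabled = !gk.AllowStart()
	return r, nil
}
```

The counter is the part most easily overlooked: encryption plus authentication alone would still let a DISABLE recorded once be resent at any later time, and an old ENABLE be resent to re-arm a disabled car. Binding the counter as additional data and advancing it only after the tag verifies keeps both out; rejecting out-of-order delivery as a side effect is acceptable for a channel that carries a handful of commands over GPRS.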
Figure 9. Setup for inter-car communication (Node1, Node2, Node3, Node4).

Figure 10. Throughput of inter-car communication (Throughput (KB/s) against Distance (m)).

VI. CONCLUSIONS

This paper presents our initial work on info-security solutions to protect the critical data exchanged inside the car and between the car and the outside via vehicular networks. We carry out security analysis, describe an info-security framework, present our system design, and show the first prototype. In the prototype, we embedded the security code in the CAN bus system, and added tamper-resistance of software in the ECUs. In addition, all messages exchanged are encrypted and authenticated. With this prototype, we demonstrated secure communication between a mobile phone and the ECUs inside the car for anti-theft purposes. The experimental prototype is also used to test the throughput of inter-car communication, and the results show that the throughput is high and stable. Therefore, our initial prototype shows that our solution is feasible.

In the near future, we will continue working on the integrated data security gatekeeper, and realize the reliable secure car

REFERENCES

[1] Escar, Embedded security in cars 2006, Berlin, Germany, November
[2] DaimlerChrysler, Gartner Research, Nov 2005.
[3] CAR 2 CAR Communication Consortium. http://www.car-to-car.org/
[4] Local Interconnect Network. http://www.lin-subbus.org/
[5] Controller Area Network. http://www.can-cia.org/can/
[6] FlexRay. http://www.flexray.com/
[7] IEEE 802.11p. http://en.wikipedia.org/wiki/IEEE_802.11p
[8] Dedicated Short Range Communications. http://grouper.ieee.org/groups/scc32/dsrc/
[9] IEEE 1609 WAVE Radio Communication Standards. http://standards.ieee.org/announcements/PR_radiocomstd.html
[10] IEEE 1609 - Family of Standards for Wireless Access in Vehicular Environments (WAVE).
[11] J. Blum and A. Eskandarian, "The threat of intelligent collisions," IT Professional 6(1), pp. 23-29, 2004.
[12] L. Gollan and C. Meinel, "Digital Signatures for Automobiles," Proceedings of Systemics, Cybernetics and Informatics (SCI)'02, 2002.
[13] J.-P. Hubaux, S. Capkun and J. Luo, "The security and privacy of smart vehicles," IEEE Security and Privacy Magazine 2(3), pp. 49-55, 2004.
[14] M. Raya and J.-P. Hubaux, "The security of vehicular ad hoc networks," Proceedings of the ACM Workshop on Security in Ad hoc and Sensor Networks (SASN'05), pp. 11-21, Alexandria, Virginia, USA, November
[15] M. El Zarki, S. Mehrotra, G. Tsudik and N. Venkatasubramanian, "Security issues in future vehicular network," Proceedings of European Wireless'02, 2002.
[16] T. Eymann, "The EASIS security architecture approach," the 1st C2C-CC Security Workshop, Berlin, November 2006.
[17] EASIS. http://www.easis-online.org
[18] AUTOSAR. http://www.autosar.org
[19] SEVECOM. http://www.sevecom.org/
[20] M. Raya and J.-P. Hubaux, "Securing vehicular ad hoc networks," Journal of Computer Security, 15 (2007), pp. 39-68.
[21] B. Wiberg, "Porting AODV-UU implementation to ns-2 and enabling trace-based simulation," Uppsala University, December 2002.
[22] I. D. Chakeres and E. M. Belding-Royer, "AODV routing protocol implementation design," the 24th International Conference on Distributed Computing Systems Workshops (ICDCSW'04), 2004.
[23] AODV-UU. http://core.it.uu.se/core/index.php/AODV-UU
