Embedded Info-Security Solutions for Vehicular Networks

Huaqun Guo, Lek Heng Ngoh, Lian Hwa Liow, Feng Tao, Jun Jie Ang, Yongdong Wu, Choon Hwee Kwek

Institute for Infocomm Research, 21 Heng Mui Keng Terrace, Singapore 119613
School of Computer Engineering, Nanyang Technological University, 50 Nanyang Avenue, Singapore 639798
Department of Electrical & Computer Engineering, National University of Singapore, 2 Engineering Drive 4, Singapore 117576

Abstract—The emerging vehicular networks in the forms of intra-car, car-to-car, and car-to-infrastructure communications will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs. However, the availability of these exciting automotive applications can also expose a car to a formidable set of exploits and attacks, as more and more data is being exchanged and communicated in and out of the car. In this paper, we present our initial work on embedded info-security solutions to protect the critical data for car communications via vehicular networks. We describe an info-security framework, a system design, and the first solution prototype. The initial prototype shows that the proposed solution is feasible.

Keywords: Info-Security, Vehicular Networks, Car Communications, Tamper-resistance, Integrated Data Security Gatekeeper

I. INTRODUCTION

Information technology is the driving force behind innovations in the automotive industry, with perhaps 90% of all innovations in cars based on electronics and software. Networked Electronic Control Units (ECUs) are increasingly being deployed in cars to realize functions such as engine management, air-bag deployment, and even intelligent brake systems. For example, at least 70 networked ECUs are employed in a Mercedes S-Class car. Furthermore, the emerging vehicular networks in the forms of intra-car, car-to-car, and car-to-infrastructure communications will enable a variety of applications for safety, traffic efficiency, driver assistance, as well as infotainment to be incorporated into future automotive designs.

There are currently a number of study groups on car communications that define the standards for various applications. Intra-car communications, such as LIN (Local Interconnect Network), CAN (Controller Area Network), and FlexRay, are used for the connection among car ECUs and sensors. Car-to-car (C2C) communications, such as 802.11p and DSRC (Dedicated Short Range Communications) [8, 9], may be used to enable safety applications. Car-to-infrastructure (C2I) communications, e.g. 802.11p and the IEEE 1609 Family of Standards for Wireless Access in Vehicular Environments (WAVE), may be used for traffic information. Thus, critical information is being exchanged inside and outside the car via vehicular networks. Fig. 1 shows an example of intra-car, C2C and C2I communications.

Figure 1. Example of intra-car, C2C and C2I communications.

However, the availability of these exciting automotive applications can also expose a car to a formidable set of exploits and attacks, as more and more data is being exchanged and communicated inside and outside of the car. Current standards focus mainly on communications, and hence there is limited security consideration for intra-car, C2C and C2I communications [11, 12, 13, 14, 15]. Due to the limited security, there are several possible security threats and attack scenarios [15, 16], such as: (1) Eavesdropping: eavesdropping on and recording a warning message about an emergency vehicle, or diffusing wrong information in the network to affect the behavior of other drivers (e.g., diverting traffic from a given road and thus freeing it); (2) Denial of service: accessibility of a service is restricted (e.g., channel jamming and aggressive injection of dummy messages); (3) Bogus information: faking a warning message; (4) Spoofing: taking over the identity of an authorized device; (5) ID disclosure of other vehicles: surveillance of vehicle motions by using the C2C and C2I infrastructure; (6) Cheating with sensory information: altering the perceived position, speed, direction, etc., in order to escape liability, notably in the case of an accident; and finally (7) Theft: break-in and theft. Solutions to counter these possible attacks are sometimes referred to as information security, or info-security.

In this paper, we present our initial work on embedding info-security solutions to protect the critical data for car communications via vehicular networks. Our goal is to ensure that data exchanged inside and outside the automobile is protected from abuse and security attacks. The rest of the paper is organized as follows. Section II presents the related work, while Section III describes our integrated info-security framework for vehicular networks. Section IV presents our system design, and Section V presents the initial prototype. Finally, Section VI outlines our conclusions and future work.

II. RELATED WORKS

Secure vehicular networks as a new technology have drawn the attention of industry and academia. For example, the EASIS (Electronic Architecture and System Engineering for Integrated Safety Systems) project, which was part of the European Commission's 6th Framework Programme launched in 2004, was a partnership of 22 European vehicle manufacturers, automotive suppliers, tool suppliers and research institutes with the aim to develop technologies for the realization of future ISS (Integrated Safety Systems). EASIS combined information from all domains to provide a better view of the state of the vehicle and its surroundings for safety decisions and control actions. In order to handle malicious attacks from external sources and to ensure that the state of the vehicle was secure, EASIS adopted firewall techniques. Furthermore, the EASIS Security Architecture Approach was a security management architecture based on the AUTOSAR (AUTomotive Open System ARchitecture) approach, which included rules for protecting car-internal communication entities, management databases for the car's own certificates and security session status, and common APIs for cryptographic functions and external functions.

SEVECOM (Secure Vehicular Communication), an EU-funded project launched in 2006, focuses on providing a full definition and implementation of security requirements for vehicular communications. A liaison with the security activities in EASIS supported the activities of SEVECOM. In the most recent publication of SEVECOM, M. Raya and J.-P. Hubaux proposed a security architecture for vehicular ad hoc networks and analyzed the robustness of their proposal. However, this work remains at the theoretical analysis stage. Furthermore, this work does not address the intra-car data security described in this paper.

III. INTEGRATED IN-CAR INFO-SECURITY FRAMEWORK

Our proposed info-security framework is shown in Fig. 2. We include security solutions for VANET (Vehicular Ad-Hoc Network) which use the techniques of digital signatures, key management, and tamper-resistance over secure routing protocols and delay-tolerant networking. We further carry out security analysis and design in two major aspects, as described here.

(1) Tamper-resistant software in embedded devices. We develop tamper-resistant software in embedded devices (e.g. ECUs) by applying trusted computing techniques in order to embed a small trusted party into each vehicle. This part is implemented as a light-weight security ECU combining trusted hardware and software. Only this ECU and a small part of the vehicle software need to be fully trusted, while other parts can be implemented with significantly lower trust assumptions, i.e. at lower cost.

(2) Integrated Data Security Gatekeeper. The Integrated Data Security Gatekeeper is an important component that manages security; all critical exchanged information goes through the Gatekeeper. Communication control in the Gatekeeper is the key to managing the interaction between applications and secure communication control. It enables both integrity and confidentiality (control of information flow) guarantees to be enforced by the system. Therefore, the gatekeeper must be tamper-proof and take care of storing all the cryptographic material and performing cryptographic operations, especially signing and verifying safety messages.

Figure 2. Integrated in-car info-security framework.
IV. SYSTEM DESIGN

A. Inter-Car Communication

Initially, this project intended to use socket programming to leverage the free Wireless@SG country-wide network for communication among cars. But the problem with the free wireless network is that it is based on proximity-limited wireless access points. A typical situation of distress is illustrated in Fig. 3. Hence, this method of wireless infrastructure has been scrapped.

Figure 3. Problem of wireless access point.

A wireless Mobile Ad-hoc Network (MANET) is used instead. It is a network consisting of two or more mobile nodes, equipped with their own wireless networking capability, without the need for any preexisting network infrastructure. Each node acts as both a mobile host and a router that helps to forward traffic on behalf of other nodes within the network, as shown in Fig. 4.

Figure 4. MANET.

Although a MANET is highly flexible, it has a few issues in the following areas:

• Wireless medium access. Since a MANET transfers data through a wireless medium, simultaneous data transmission must be controlled to prevent collisions. This undesirable behavior has been solved in ad-hoc routing with the use of a handshaking protocol, such as the Request-To-Send (RTS) and Clear-To-Send (CTS) handshake protocol.

• Addressing. Every node in a MANET must have a unique IP address to communicate. Using DHCP is not possible due to the lack of an access point, while using static addressing is not flexible enough since a MANET can scale very fast and to large numbers of nodes. Hence a typical solution to this problem is to use the Address Resolution Protocol to spot any address collisions and remedy them by allocating another IP address.

• Network security. Network security is of utmost importance in any infrastructure, especially wireless, since the radio waves are free to air. Hence, cryptographic methods such as Public Key Infrastructure (PKI) and symmetric key encryption are used.

In addition, due to the nodes' high mobility, the network topology changes frequently. Hence, a suitable ad-hoc routing protocol is needed to counter this dynamic property. Ad-hoc On-Demand Distance Vector (AODV) is a reactive routing protocol whereby a route from the sender to the receiver is only determined on demand; it does not attempt to maintain routes to every node in its routing table at all times. This helps to relieve the network from the unnecessary traffic of establishing routes from one node to every other node. Thus, we adopt the AODV routing protocol for inter-car communication. The exchange of messages using AODV is illustrated in Fig. 5.

Figure 5. AODV protocol messages.
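The on-demand route discovery described above (RREQ flooded outward, reverse routes installed on the way, RREP carried back along them) is easier to reason about with a small simulation. The following is an added example, not code from the paper or from AODV-UU; the four-node line topology, the message fields and the dictionary-based routing tables are constructed for illustration. It shows the two mechanisms that keep AODV traffic down: the per-originator RREQ ID that lets a node drop a request it has already forwarded, and the destination sequence number carried in the RREP. Note that nothing here authenticates an RREQ or RREP, which is exactly why the framework in Section III layers signing and key management on top of the routing protocol.

```python
"""Minimal AODV route discovery (RREQ/RREP) on a static topology.

Constructed example: four nodes 1-2-3-4 connected in a line, loosely
mirroring a four-node test bench. Link layout, message fields and
sequence-number handling are simplified assumptions, not the paper's code.
"""
from dataclasses import dataclass, field


@dataclass
class RouteEntry:
    next_hop: int
    hop_count: int
    dest_seq: int            # last known sequence number of the destination


@dataclass
class Node:
    nid: int
    seq: int = 0             # node's own sequence number
    rreq_id: int = 0         # last RREQ ID this node issued
    routes: dict = field(default_factory=dict)    # dest -> RouteEntry
    seen_rreqs: set = field(default_factory=set)  # (origin, rreq_id) pairs


class Network:
    def __init__(self, links):
        self.nodes, self.adj, self.log = {}, {}, []   # log: (type, from, to)
        for a, b in links:
            for n in (a, b):
                self.nodes.setdefault(n, Node(n))
                self.adj.setdefault(n, set())
            self.adj[a].add(b)
            self.adj[b].add(a)

    def discover(self, origin, dest):
        """Originator floods an RREQ; returns its route to dest, or None."""
        o = self.nodes[origin]
        o.rreq_id += 1
        o.seq += 1
        rreq = dict(origin=origin, rreq_id=o.rreq_id, origin_seq=o.seq,
                    dest=dest, hop_count=0)
        o.seen_rreqs.add((origin, o.rreq_id))   # never re-forward own RREQ
        self._flood_rreq(origin, rreq)
        return o.routes.get(dest)

    def _flood_rreq(self, sender, rreq):
        for nbr in sorted(self.adj[sender]):    # sorted only for determinism
            self._recv_rreq(sender, self.nodes[nbr], dict(rreq))

    def _recv_rreq(self, sender, node, rreq):
        self.log.append(("RREQ", sender, node.nid))
        key = (rreq["origin"], rreq["rreq_id"])
        if key in node.seen_rreqs:
            return                              # duplicate RREQ: drop it
        node.seen_rreqs.add(key)
        rreq["hop_count"] += 1
        # reverse route towards the originator; the RREP will follow it back
        node.routes[rreq["origin"]] = RouteEntry(sender, rreq["hop_count"],
                                                 rreq["origin_seq"])
        if node.nid == rreq["dest"]:
            node.seq += 1                       # fresh seq number in the reply
            rrep = dict(dest=node.nid, dest_seq=node.seq,
                        origin=rreq["origin"], hop_count=0)
            self._send_rrep(node, rrep)
            return
        self._flood_rreq(node.nid, rreq)        # intermediate node: re-broadcast

    def _send_rrep(self, node, rrep):
        """Unicast the RREP one hop along the reverse route, installing the
        forward route at each node that receives it."""
        if node.nid == rrep["origin"]:
            return
        nxt = node.routes[rrep["origin"]].next_hop
        self.log.append(("RREP", node.nid, nxt))
        rrep = dict(rrep, hop_count=rrep["hop_count"] + 1)
        receiver = self.nodes[nxt]
        receiver.routes[rrep["dest"]] = RouteEntry(node.nid, rrep["hop_count"],
                                                   rrep["dest_seq"])
        self._send_rrep(receiver, rrep)

    def path(self, origin, dest):
        """Walk the forward route installed by discover(); None if absent."""
        hops, cur = [origin], origin
        while cur != dest:
            entry = self.nodes[cur].routes.get(dest)
            if entry is None:
                return None
            cur = entry.next_hop
            hops.append(cur)
        return hops


if __name__ == "__main__":
    net = Network([(1, 2), (2, 3), (3, 4)])
    print(net.discover(1, 4), net.path(1, 4))
    print([m for m in net.log if m[0] == "RREQ"])   # includes dropped duplicates
```

Running the block on the line topology yields a three-hop route 1→2→3→4 at node 1, and the log shows node 1 and node 2 each receiving the same RREQ back from a neighbour and discarding it, which is the duplicate suppression that keeps a flood from circulating. A request for a node that is not reachable completes the flood without producing an RREP, so `discover()` returns `None`.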
B. Intra-Car Communication

The typical intra-car communication applied in the project is to use the gatekeeper to protect the automobile from theft, as shown in Fig. 6.

Figure 6. Intra-car communication.

The gatekeeper disables an automobile and its key auto systems through remote control when the automobile is stolen. The gatekeeper verifies the automobile and its key auto systems before it allows the automobile to start. If an automobile is stolen, its owner uses his mobile phone to send a disable command to the gatekeeper. After the gatekeeper receives the disable command, it prevents the automobile from re-starting and the key auto systems from activating. Thus, the gatekeeper still gives the owner some control to stop the automobile from starting and the key auto systems from activating after it is stolen.

C. System Architecture

Based on the above analyses, we design our system architecture as shown in Fig. 7. The gatekeeper consists of a single board computer (SBC), a GPRS modem, and a wireless card. For inter-car communication, all messages are received or transmitted through the gatekeeper via the AODV routing protocol or GPRS. The gatekeeper also links to the networked ECUs via intra-car communication.

Figure 7. System architecture.

In the next section, we present our initial prototype and test results.

V. PROTOTYPE

We have built the first prototype of our solution, shown in Fig. 8. We use a single board computer (SBC), the Soekris Net4801, to act as the core platform for the security gatekeeper. A D-Link DWL-G520 wireless card and an iTegno GPRS modem are connected to the Soekris Net4801. The Soekris Net4801 also has a serial port interface that connects to the networked ECUs inside a car. Finally, Gentoo Linux is adopted as the OS (operating system) for the SBC because of its ease of use, configuration and updatability.

Figure 8. Prototype of the gatekeeper (iTegno GPRS modem, D-Link DWL-G520 wireless card, Soekris Net4801).

We have developed C programs to realize the communication between the ECUs and the SBC and between the SBC and the GPRS modem. AODV is the routing protocol used in the system, and AODV-UU is ported and implemented.

First, we embedded our security algorithm (details of this algorithm are available from the authors) in the CAN bus system, and added tamper resistance to the software in the ECUs. In addition, the exchanged messages are encrypted and authenticated. With this prototype, we demonstrated anti-theft security between a mobile phone and the ECUs inside a commercial passenger car. Notice that this system has far superior security features to existing mobile phone-based anti-theft systems, which do not employ the embedded info-security code described here and can be easily compromised.

Second, we carried out an inter-car communication test using the setup shown in Fig. 9. Node 2 is the prototype of the gatekeeper. Node 1 and Node 3 are two laptop computers, while Node 4 is an automotive simulator. All four nodes run the AODV routing protocol and can communicate with each other. Then, we measured the throughput of inter-car communication. The results are shown in Fig. 10. From Fig. 10, it is clear that when the distance between two nodes, i.e., Node 1 and Node 2, is within 100 meters, the throughput is high and stable, and hence AODV is suitable for inter-car communication.

Figure 9. Setup for inter-car communication (Node 1, Node 2, Node 3, Node 4).

Figure 10. Throughput of inter-car communication (throughput in KB/s versus distance in m).
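The gatekeeper's role in Section III (holding the key material, enforcing integrity on every message that crosses it), the remote disable command in Section IV.B and the "encrypted and authenticated" exchange above all hinge on one check: the gatekeeper must accept a disable or enable command only if it is authentic, addressed to this vehicle, and not a replay of an earlier command. The block below is an added example, not the authors' security algorithm (which the paper does not disclose); it assumes a pre-shared 256-bit key between the owner's phone and the gatekeeper, a monotonically increasing counter in every command, and a constructed fixed-width wire format, and it uses a truncated HMAC-SHA256 tag for the authentication part only. Confidentiality is left out because the Python standard library carries no block cipher; in a deployment the same body would additionally be encrypted, and the counter would have to live in non-volatile storage so that a power cycle cannot reset it.

```python
"""Gatekeeper-side verification of an owner's remote disable/enable command.

Constructed example. Key, vehicle identifier and wire format are
assumptions for illustration; none of them come from the paper.
"""
import hashlib
import hmac
import struct

KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)   # constructed test key
VEHICLE_ID = b"SG-TEST-0001"                                    # constructed, 12 bytes
CMD_DISABLE, CMD_ENABLE = 0x01, 0x02
BODY_FMT = ">12sQB"          # vehicle id | 64-bit counter | command byte
BODY_LEN = struct.calcsize(BODY_FMT)
MAC_LEN = 16                 # truncated HMAC-SHA256 tag


def build_command(key, vehicle_id, counter, cmd):
    """Phone side: serialize the command and append its authentication tag."""
    body = struct.pack(BODY_FMT, vehicle_id, counter, cmd)
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Gatekeeper:
    def __init__(self, key, vehicle_id):
        self.key = key
        self.vehicle_id = vehicle_id
        self.last_counter = 0          # highest counter accepted so far
        self.engine_enabled = True     # what the start check consults

    def handle(self, msg):
        """Return a verdict; only an authentic, fresh command changes state."""
        if len(msg) != BODY_LEN + MAC_LEN:
            return "reject: bad length"
        body, tag = msg[:BODY_LEN], msg[BODY_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # MAC first, in constant time, before anything in the body is trusted
        if not hmac.compare_digest(tag, expected):
            return "reject: bad mac"
        vid, counter, cmd = struct.unpack(BODY_FMT, body)
        if vid != self.vehicle_id:
            return "reject: wrong vehicle"
        if counter <= self.last_counter:
            return "reject: replay"        # same or older counter: replayed
        self.last_counter = counter        # advance only after all checks pass
        if cmd == CMD_DISABLE:
            self.engine_enabled = False
            return "ok: disabled"
        if cmd == CMD_ENABLE:
            self.engine_enabled = True
            return "ok: enabled"
        return "reject: unknown command"

    def may_start(self):
        """The check the gatekeeper performs before letting the car start."""
        return self.engine_enabled


def demo():
    """Feed a genuine command, its replay, a forgery and a tampered copy."""
    gk = Gatekeeper(KEY, VEHICLE_ID)
    genuine = build_command(KEY, VEHICLE_ID, 1, CMD_DISABLE)
    forged = build_command(b"attacker-guess", VEHICLE_ID, 2, CMD_DISABLE)
    tampered = bytearray(genuine)
    tampered[BODY_LEN - 1] = CMD_ENABLE          # flip the command, keep the tag
    verdicts = [gk.handle(genuine), gk.handle(genuine),
                gk.handle(forged), gk.handle(bytes(tampered))]
    return verdicts, gk.may_start()


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the tag is verified before any field is parsed, so a tampered body is rejected as "bad mac" rather than acted upon, and the counter is only advanced after every check passes, so a rejected message cannot burn counter values. A genuine command that arrives a second time is refused as a replay even though its tag is perfectly valid.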
VI. CONCLUSIONS

This paper presents our initial work on info-security solutions to protect the critical data exchanged inside and outside the car via vehicular networks. We carry out security analysis, describe an info-security framework, present our system design, and show the first prototype. In the prototype, we embedded the security code in the CAN bus system and added tamper-resistance to the software in the ECUs. In addition, all messages exchanged are encrypted and authenticated. With this prototype, we demonstrated secure communication between a mobile phone and the ECUs inside the car for anti-theft purposes. The experimental prototype was also used to test the throughput of inter-car communication, and the results show that the throughput is high and stable. Therefore, our initial prototype shows that our solution is feasible. In the near future, we will continue working on the integrated data security gatekeeper, and realize reliable secure car communications.

REFERENCES

[1] Escar, Embedded security in cars 2006, Berlin, Germany, November 2006. http://escar.crypto.rub.de/06/general.html
[2] DaimlerChrysler, Gartner Research, Nov 2005. http://www.mathworks.cn/company/pressroom/press_covrg_pdfs/1.5.06_edn.pdf
[3] CAR 2 CAR Communication Consortium. http://www.car-to-car.org/
[4] Local Interconnect Network. http://www.lin-subbus.org/
[5] Controller Area Network. http://www.can-cia.org/can/
[6] FlexRay. http://www.flexray.com/
[7] IEEE 802.11p. http://en.wikipedia.org/wiki/IEEE_802.11p
[8] Dedicated Short Range Communications. http://grouper.ieee.org/groups/scc32/dsrc/
[9] IEEE 1609 WAVE Radio Communication Standards. http://standards.ieee.org/announcements/PR_radiocomstd.html
[10] IEEE 1609 - Family of Standards for Wireless Access in Vehicular Environments (WAVE). http://www.standards.its.dot.gov/fact_sheet.asp?f=80
[11] J. Blum and A. Eskandarian, "The threat of intelligent collisions," IT Professional 6(1), pp. 23-29, 2004.
[12] L. Gollan and C. Meinel, "Digital Signatures for Automobiles," Proceedings of Systemics, Cybernetics and Informatics (SCI)'02, 2002.
[13] J.-P. Hubaux, S. Capkun and J. Luo, "The security and privacy of smart vehicles," IEEE Security and Privacy Magazine 2(3), pp. 49-55, 2004.
[14] M. Raya and J.-P. Hubaux, "The security of vehicle ad hoc networks," Proceedings of the ACM Workshop on Security in Ad hoc and Sensor Networks (SASN'05), pp. 11-21, Alexandria, Virginia, USA, November 2005.
[15] M. El Zarki, S. Mehrotra, G. Tsudik and N. Venkatasubramanian, "Security issues in future vehicular network," Proceedings of European Wireless'02, 2002.
[16] T. Eymann, "The EASIS security architecture approach," the 1st C2C-CC Security Workshop, Berlin, November 2006.
[17] EASIS. http://www.easis-online.org
[18] AUTOSAR. http://www.autosar.org
[19] SEVECOM. http://www.sevecom.org/
[20] M. Raya and J.-P. Hubaux, "Securing vehicular ad hoc networks," Journal of Computer Security, 15 (2007), pp. 39-68.
[21] B. Wiberg, "Porting AODV-UU implementation to ns-2 and enabling trace-based simulation," Uppsala University, December 2002.
[22] I. D. Chakeres and E. M. Belding-Royer, "AODV routing protocol implementation design," the 24th International Conference on Distributed Computing Systems Workshops (ICDCSW'04), 2004.
[23] AODV-UU. http://core.it.uu.se/core/index.php/AODV-UU