Security for Vehicle-to-Vehicle Communications

The National Highway Traffic Safety Administration (NHTSA) has released a report titled "Vehicle-to-Vehicle Communications: Readiness of V2V Technology for Application." It's very long, and mostly not interesting to me, but there are security concerns sprinkled throughout: both authentication, to ensure that communications can't be spoofed (which is a separate problem from accuracy: a correctly signed message can still carry false data), and privacy, to ensure that the communications can't be used to track cars. It's nice to see this sort of thing thought about in the beginning, when the system is first being designed, and not tacked on at the end.

Posted on September 22, 2014 at 6:03 AM • 21 Comments

Comments

Wm • September 22, 2014 7:40 AM

"It's nice to see this sort of thing thought about in the beginning, when the system is first being designed..."

Except for the back door that our government will be sure is put into it so that they can track us everywhere we go with impunity.

Thoth • September 22, 2014 7:59 AM

We can't even manage our online transactions and eBanking or even the basic security of our own privacy and emails ... let alone vehicle communication security.

I can imagine the amount of TLAs to be included into a vehicle:
- Voice / Image recording (internal and external)
- GPS tracking
- Remote Kill Switch
- Speed and car function remote controls (includes locking occupants in the car)
- Mobile Wifi and Phone interception in vehicle
- just imagine more ....

It is not just the agencies and state actors, hackers are getting really good and script kiddie tools are getting more deadly.

Spaceman Spiff • September 22, 2014 8:06 AM

@Wm Not to mention forcing our cars to stop on command, or automatically issuing tickets when we exceed the speed limit.

Piero Ottuzzi • September 22, 2014 8:07 AM

The problem I see is not spoofing but how to avoid false information: how to avoid someone malicious who spreads incorrect information?
Say you can share your last-mile average speed to give a prediction about traffic: how about someone who sits near the road with an instrument telling all other vehicles that his last-mile average speed was 0.1 mph? Or simply stating that a mile ahead there is a car accident and the road is blocked?

Bye
Piero
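Piero's attacker does not need to break the signature scheme: a validly signed message with false content passes every cryptographic check a receiver can run. What the receiver can still do is test the claims against physics and against each other. The Go program below is an added example written for this page, not part of the NHTSA report or of any deployed V2V system. It takes the verified kinematic content of successive messages from one pseudonym, compares the speed implied by the position fixes with the speed the sender reports, and counts how many distinct senders back a claim. The local metre-based coordinate frame, the 70 m/s ceiling and the 5 m/s tolerance are this example's assumptions, and the sample tracks are constructed, not recorded.

```go
package main

import (
	"fmt"
	"math"
)

// Report is the kinematic content of one safety message whose signature has already
// been verified: an opaque pseudonym serial, a time, a position and a reported speed.
// Positions are metres in a local east/north frame (an assumption for this example).
type Report struct {
	Serial   uint32
	Time     float64 // seconds
	X, Y     float64 // metres
	SpeedMps float64
}

const (
	MaxSpeedMps   = 70.0 // about 250 km/h; faster than this between two fixes is not a car
	SpeedSlackMps = 5.0  // gap tolerated between implied and reported speed (GNSS noise, acceleration)
)

// CheckTrack walks consecutive reports from one sender and returns one finding per
// pair whose implied motion contradicts what the sender claims.
func CheckTrack(track []Report) []string {
	var findings []string
	for i := 1; i < len(track); i++ {
		prev, cur := track[i-1], track[i]
		dt := cur.Time - prev.Time
		if dt <= 0 {
			findings = append(findings, fmt.Sprintf("serial %d: non-increasing timestamp at %g", cur.Serial, cur.Time))
			continue
		}
		implied := math.Hypot(cur.X-prev.X, cur.Y-prev.Y) / dt
		switch {
		case implied > MaxSpeedMps:
			findings = append(findings, fmt.Sprintf("serial %d: implied speed %.1f m/s is physically implausible", cur.Serial, implied))
		case math.Abs(implied-cur.SpeedMps) > SpeedSlackMps:
			findings = append(findings, fmt.Sprintf("serial %d: reports %.1f m/s but moved at %.1f m/s", cur.Serial, cur.SpeedMps, implied))
		}
	}
	return findings
}

// DistinctSenders counts how many different pseudonyms sent a report matching pred.
// Acting only when several senders agree blunts a single liar, but not a box that
// holds a batch of pseudonyms: each extra serial looks like an independent witness.
func DistinctSenders(reports []Report, pred func(Report) bool) int {
	seen := map[uint32]bool{}
	for _, r := range reports {
		if pred(r) {
			seen[r.Serial] = true
		}
	}
	return len(seen)
}

// Constructed sample tracks, not recorded traffic. Fields: Serial, Time, X, Y, SpeedMps.
var (
	Honest   = []Report{{11, 0, 0, 0, 25}, {11, 1, 25, 0, 25}, {11, 2, 50, 0, 25}}
	Parked   = []Report{{22, 0, 500, 0, 30}, {22, 1, 500, 0, 30}}        // claims highway speed, never moves
	Teleport = []Report{{33, 0, 0, 0, 25}, {33, 1, 2000, 0, 25}}         // forged fix 2 km away one second later
	Careful  = []Report{{44, 0, 800, 0, 0.04}, {44, 10, 800.4, 0, 0.04}} // Piero's roadside box: 0.1 mph and a position to match
)

func main() {
	for name, track := range map[string][]Report{"honest": Honest, "parked": Parked, "teleport": Teleport, "careful": Careful} {
		fmt.Printf("%-8s %v\n", name, CheckTrack(track))
	}
	stalled := func(r Report) bool { return r.SpeedMps < 1 } // "traffic is stopped here"
	fmt.Println("distinct senders reporting a stop:", DistinctSenders(Careful, stalled))
}
```

The last sample is the interesting one: a roadside box that reports 0.1 mph and a position to match is self-consistent and passes the kinematic check, so this kind of check only catches sloppy forgers. Corroboration across senders helps, but a box holding a batch of pseudonyms can play several witnesses at once, so a count of distinct serials is not evidence of distinct vehicles. A receiver's own checks can therefore only flag a suspicious source; removing a persistent liar needs the issuer, who alone can link a batch of pseudonyms and revoke it.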

kronos • September 22, 2014 8:40 AM

One of the ways this will be sold to the public is through broadcasting only to vehicles in the area about traffic accidents, local weather alerts, missing children, etc. They want the ability to send info only to vehicles within specified areas and of course to do that they will need to know where you are. I would be shocked if automated vehicle shutdown wasn't hidden somewhere in their wish list but with computerized controls in cars it would not be very difficult to add.

EvilKiru • September 22, 2014 4:24 PM

I can no longer see any comments on this site and there's a javascript:void(0) "Login" link where the comments used to be. Following the link takes me to a TypePad login page. Yet the old commenting form is still here. Will clicking Submit even work? This makes no sense whatsoever.

EvilKiru • September 22, 2014 4:25 PM

And now that I've commented, the Login link is gone and I can see comments again. Very strange!

Scared • September 22, 2014 5:28 PM

@Thoth
Just another reason to keep my 14-year-old car running. It might even increase in value in the not so distant future when new cars are running Windows Embedded and have to be rebooted every 150 miles and when the insurance company can check the black box to see if I was doing 2 miles over the speed limit before an accident.
And then all the features you mention....

Bob S. • September 22, 2014 5:38 PM

"It's very long....", and thus totally useless. Every word, every comma, every syllable is subject to interpretation by whoever has the biggest wallet.

Vehicles are going to become another tracking device like all the rest. The data will be used, abused, sliced, diced, shared and sold on a vast scale.

I'd wager I could find a sentence in the law that says exactly that, according to my $2 lawyer.

Thoth • September 22, 2014 9:06 PM

@Scared
The best mode of transport is your own limbs or public transport. Yes, there are CCTVs all over the place but you will be mixed up with all the other people around you, giving you chances to blend in. If you have a habit of turning off the phone and removing the phone's battery on the move, that's even better assurance. This way, you wouldn't be tracked every single step from the doorway of your house (unless you want to include persistent tracking via visual cues on CCTV).

Due to the convenience of modern transport, we become less willing to use our legs but it's the best gift from avoiding the crowd.

Mike Amling • September 22, 2014 9:33 PM

One hopes V2V will do better than another communications standard (802.11) that also included security (WEP).

BoppingAround • September 23, 2014 10:20 AM

Wm,

There's no need to backdoor it, probably. Data collection routines for 'marketing and advertising purposes' would fulfil the role.

Bob S.,

They are already. ANPR for all purposes, from law enforcement to marketing. Tyre tags have been mentioned already. EDRs aka 'blackboxes'.

Thoth,

I think it's tougher with CCTV these days as it's interlaced with facial recognition systems. Plus microphones. Some Dutch guys made a film about /mass/ surveillance circa 2012. These systems were featured in it.

Thoth • September 23, 2014 11:01 AM

@BoppingAround
It's a sad thing that the security theater promoted by so-called security companies is reaping huge success for them, and one good example is the belief that mass surveillance, which includes mass installation of CCTVs, propagation of privacy-breaching tools like "Stingrays" and biometric recognition programs, would make us safer. In the end it shows very little to no results at all.

anonymous • September 23, 2014 2:21 PM

It's interesting to see such a negative tone to a positive blog post. Many of the concerns that commenters are raising are addressed in the executive summary. It's only 7 pages, and you can even skim it for the word privacy to find that they know people are concerned with the same issues raised here and have specifically designed the system to take this into account.

To quote the executive summary (pages 20/21 of the PDF):
"Privacy: At the outset, readers should understand some very important points about the V2V system as currently contemplated by NHTSA. The system will not collect or store any data identifying individuals or individual vehicles, nor will it enable the government to do so. There is no data in the safety messages exchanged by vehicles or collected by the V2V system that could be used by law enforcement or private entities to personally identify a speeding or erratic driver. The system—operated by private entities—will not enable tracking through space and time of vehicles linked to specific owners or drivers. Third parties attempting to use the system to track a vehicle would find it extremely difficult to do so, particularly in light of far simpler and cheaper means available for that purpose. The system will not collect financial information, personal communications, or other information linked to individuals. The system will enroll V2V enabled vehicles automatically, without collecting any information that identifies specific vehicles or owners. The system will not provide a “pipe” into the vehicle for extracting data. The system will enable NHTSA and motor vehicle manufacturers to find lots or production runs of potentially defective V2V equipment without use of VIN numbers or other information that could identify specific drivers or vehicles. Our research to date suggests that drivers may be concerned about the possibility that the government or a private entity could use V2V communications to track their daily activities and whereabouts. However, as designed, NHTSA is confident that the V2V system both achieves the agency’s safety goals and protects consumer privacy appropriately."

So to answer the comments (based on the executive summary):
Q. There might be a backdoor
A. Why would they need this to introduce a backdoor? Is this any greater risk than having integrated GPS, Bluetooth, WiFi, OnStar, an ECU, and so forth?

Q. These will be used by the government to record/monitor: Voice / Image recording (internal and external), GPS tracking, Remote Kill Switch, Speed and car function remote controls (includes locking occupants in the car), Mobile Wifi and Phone interception in vehicle, and more.
A. The system won't have access to these functions nor this information.

Q. This will be used to force our cars to stop on command, or automatically issuing tickets when we exceed the speed limit.
A. The system won't have access to these functions nor this information.

Q. How will it avoid someone malicious that spread incorrect information?
A. Very good point. I'll continue reading and see if I can get an answer on this. It seems like the worst case scenario is that you will get an incorrect warning indicator.

Q. Aren't cars already trackable through the tire-pressure transmitters?
A. Good point. I've heard this, but haven't looked into it enough to verify the claim.

Q. From kronos about it needing to know your location for basic functionality.
A. This is vehicle to vehicle communication, so it's just going to broadcast to nearby vehicles. The information transmitted doesn't include the VIN, license plate, or any information about who is driving.

Q. Just another reason to keep my 14 year old car running...
A. I certainly support you in that. On the other hand, having seatbelts is a safety enhancement that you probably have, which is nice. Maybe your vehicle has airbags. Is an indicator light that tells you things like "someone who is in your blind spot" the end of the world? Either way, I support your right to be grandfathered in to the old regulations with your old model car. It is, and should be, your choice.

Q. "It's very long....", and thus totally useless. (goes on to talk about subject to interpretation).
A. I wouldn't agree that all long documents are totally useless. The document states that there are still some things which need more research. I haven't gotten far enough into the details to determine if it's subject to interpretation or not. It probably is, because it's very difficult to express complex things in ways that are impossible to be misunderstood. But it is possible. If it weren't, then it wouldn't be possible for engineers to describe how to build a bridge and have the construction workers build it properly.

Q. The best mode of transport is your own limbs or the public transport.
A. Agreed!

Q. Hope we do better than WEP
A. Absolutely. Although there might not be a need for encryption if there's no sensitive data, there will probably be a need for certificate validation and things of that nature.

name.withheld.for.obvious.reasons • September 23, 2014 2:45 PM

@ anonymous

Q. This will be used to force our cars to stop on command, or automatically issuing tickets when we exceed the speed limit.
A. The system won't have access to these functions nor this information.

Wow, I feel so much better! Thank god, this is similar to the NSA only collecting phone numbers and not names, call location, or call data. I will rest so much easier tonight knowing that corporations and government are doing the "right" thing.

Thoth • September 23, 2014 8:57 PM

@anonymous
All those are fanciful proposal papers and, knowing very well that proposals always look very nice on paper but mostly ugly when deployed in real life, how would you guarantee what they say? They do not release open specifications nor open up their design to prove the trust.

We know that every single bit of data produced from machine or human interaction is metadata and this metadata has always been misused and used for inference purposes. How an attacker gets to know you is by your surroundings if you are unreachable. They look for the weakest link and start getting their hands on it.

Why are we showing the negative concerns for something seemingly positive? The reason is simple. Our trust has been thrown away not once but many times. How would you expect us to trust someone who cannot prove themselves? We are security people and we are more careful when it comes to such proposals as we have seen many proposals on privacy and security falling flat within a short period of time.

If we can simply trust everyone, why bring up the topic of security or privacy? If the fact is built out of pure trust, then I see no reason for them to mention security and privacy, but they did mention security and privacy, so haven't they figured out that human intentions for such a design cannot be fully trusted? If there is pure trust, there is no more need for defense and offense... it will become some sort of dream-like paradise itself.

BoppingAround • September 24, 2014 11:32 AM

anonymous,

Some commenters are becoming or have become jaded over the course of years. Looking back, for example, at the infamous TIA programme which had been claimed as 'killed' only to /probably/ resurface as a pack of various programmes. The metadata programme that has never been killed. DRIP act in UK, after the EU Court ruling on data retention deemed unlawful etc.

Are they right in their doubts? I don't know but I can understand them.

TJ Williams • September 25, 2014 1:24 AM

They are talking about 1000 certs per car per year for 300 million vehicles, that is a PKI issuing and revoking 300 billion certs per year. Possibly a self-collapsing system of its own.

TJ
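The post's two goals (messages that can't be spoofed, and no identifier that lets a receiver follow a car), the anonymous commenter's point that V2V needs certificate validation more than encryption, and TJ Williams's thousand rotating certificates per car per year all meet in the receiver's verification path. The Go program below is an added illustration written for this page, not NHTSA's, IEEE's or any manufacturer's code: a CA issues short-lived pseudonym certificates (fresh key, opaque serial, validity window, no vehicle identifier), a vehicle signs a basic safety message with one, and a receiver checks the CA signature, the validity window, a revocation list, the message signature and a freshness window. The certificate and message layouts, the text-based to-be-signed encoding (chosen for brevity; a real format fixes a binary layout) and the five-second clock tolerance are this example's assumptions; the real system's formats differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

func must(err error) { if err != nil { panic(err) } }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

func sign(priv *ecdsa.PrivateKey, tbs []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, priv, tbs)
	must(err)
	return sig
}

// PseudonymCert binds a short-lived key to an opaque serial and a validity window, never to a VIN, plate or owner (layout assumed for this example).
type PseudonymCert struct {
	Serial              uint32
	Pub                 *ecdsa.PublicKey
	NotBefore, NotAfter int64 // unix seconds
	CASig               []byte
}

func (c *PseudonymCert) tbs() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("cert|%d|%x|%x|%d|%d", c.Serial, c.Pub.X, c.Pub.Y, c.NotBefore, c.NotAfter)))
	return h[:]
}

// Issue mints one pseudonym with a fresh key; the serial is taken from the key's hash, so two pseudonyms held by one vehicle share nothing a receiver can link.
func Issue(ca *ecdsa.PrivateKey, nb, na int64) (*PseudonymCert, *ecdsa.PrivateKey) {
	priv := newKey()
	pubDigest := sha256.Sum256(append(priv.PublicKey.X.Bytes(), priv.PublicKey.Y.Bytes()...))
	c := &PseudonymCert{Serial: binary.BigEndian.Uint32(pubDigest[:4]), Pub: &priv.PublicKey, NotBefore: nb, NotAfter: na}
	c.CASig = sign(ca, c.tbs())
	return c, priv
}

// BSM is a minimal basic safety message: a time, a payload (position, speed), the signing pseudonym and the signature. There is no VIN, plate or owner field.
type BSM struct {
	Cert    *PseudonymCert
	Time    int64
	Payload string
	Sig     []byte
}

func (m *BSM) tbs() []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("bsm|%d|%d|%s", m.Cert.Serial, m.Time, m.Payload)))
	return h[:]
}

func Sign(priv *ecdsa.PrivateKey, m *BSM) { m.Sig = sign(priv, m.tbs()) }

const MaxSkew = 5 // seconds of clock drift tolerated; also bounds how old a replayed message can be

// Verifier is the receiving vehicle's check list for one incoming BSM.
type Verifier struct {
	CAPub   *ecdsa.PublicKey
	Revoked map[uint32]bool // the CRL as last downloaded
}

func (v *Verifier) Verify(m *BSM, now int64) error {
	c := m.Cert
	switch {
	case !ecdsa.VerifyASN1(v.CAPub, c.tbs(), c.CASig):
		return errors.New("certificate not signed by trusted CA")
	case now < c.NotBefore || now > c.NotAfter:
		return errors.New("certificate outside validity window")
	case v.Revoked[c.Serial]:
		return errors.New("certificate revoked")
	case !ecdsa.VerifyASN1(c.Pub, m.tbs(), m.Sig):
		return errors.New("message signature invalid")
	case m.Time > now+MaxSkew || m.Time < now-MaxSkew:
		return errors.New("message timestamp outside freshness window")
	}
	return nil
}

func main() {
	ca := newKey()
	c, k := Issue(ca, 1000, 1600)
	m := &BSM{Cert: c, Time: 1001, Payload: "lat=38.90 lon=-77.00 speed=25"}
	Sign(k, m)
	v := &Verifier{CAPub: &ca.PublicKey, Revoked: map[uint32]bool{}}
	fmt.Println("genuine:", v.Verify(m, 1002), "| stale replay:", v.Verify(m, 1200))
	m.Payload = "lat=38.90 lon=-77.00 speed=0" // edited in flight
	fmt.Println("tampered:", v.Verify(m, 1002))
}
```

A vehicle rotates through its batch of pseudonyms, so two messages it sends under different serials share no field a receiver could join on; only the issuer's records could link them, which is where the privacy of the scheme actually rests. Two caveats a practitioner would add: revocation here is a map keyed by serial, and at a thousand certificates per vehicle per year a CRL that lists every serial is exactly the scaling problem TJ raises; and the freshness window still admits a replay younger than MaxSkew seconds, which a per-sender check that timestamps strictly increase would close.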

anonymous • October 4, 2014 10:27 AM

The overall point of my comment was to encourage people to make educated decisions, based on data, rather than making assumptions and committing the straw-man logical fallacy.

We all have preconceived notions, many of them based on getting burned in the (often times not so distant) past. I get that. I started reading this report looking for facts to back up the comments because I assumed they were probably (at least partially) correct. I've come to expect people designing new systems to take a very one-sided approach. In this case, I expected them to care more about safety than privacy. Similarly, I expect security folks to care about security and privacy with little regard to performance, ease of use, or functionality. So before I looked at any of the data, I already had an opinion, and that was that this was going to be terrible, and now I'm going to have to look for a loophole on who doesn't have to comply, or find some exploit so I can illustrate how terrible of an idea this is. What I found after I opened the PDF and got past the initial shock of how bloody long it was, was that they actually do think about privacy and security. They have taken years to analyze this warning system, and have estimates on how many lives it could save. Once they demonstrated the potential benefits, I was at least willing to consider what they had to say.

@name.withheld.for.obvious.reasons

Based on your response, it's unclear whether or not your concern of forced stopping and issuing of tickets has been addressed. It seems like it has and you are now raising a concern of having people's location being tracked, although your sarcasm makes it difficult to tell. Since the only information being broadcast is that there's a car there, and not that YOUR car is there, it seems that this doesn't aid in tracking. There are far easier ways for government agencies to track your location, as I'm sure you are aware.


@Thoth

Oh, I strongly disagree that proposals always look good on paper. Many proposals completely omit the question of privacy, as they're concerned with whatever their subject of expertise is (e.g. safety, robotics, production, etc.). As for the devil being in the details of implementation: absolutely. However, if the architecture is broken, then it means that all implementations are also broken. It's similar to a vulnerability in a specific piece of software, versus a vulnerability in the protocol. In one situation, there might be a vendor which does a decent job.

How would I guarantee what they say? The short answer is that I wouldn't without first having someone I trust (possibly myself) verifying that the implementation matches the specification. However, the goal of this report was not to describe a specification which is to be followed. This is merely providing evidence that this V2V communication concept is technically feasible, that the cost is going to be this many dollars per vehicle, and this will be the estimated benefit. They feel that the benefit outweighs the cost. I suspect that the specification will be open, as it will be difficult for manufacturers to maintain compatibility. They could keep the spec under an NDA, but then they would have to deal with all the people asking questions by themselves. If they release it as an open specification, then people can discuss it in public and help one another.

A side note on verification: I'd argue that we have to verify everything, including open source software and hardware. Making it closed source does make this more challenging, but making it open source doesn't solve the problem. Also, since I trust certain others, if the EFF or CCC reviewed it, I would probably take what they say at face value without looking over it myself. So when I say that I'd have to verify it, I mean

Unintended consequences & looking for the weakest link: agreed. I don't see anything here that would be the weakest link. There are almost always unintended consequences which come along with new things, especially technology. To prevent these, we could just never adopt any new technology of any kind. That doesn't seem like a good plan. On the flip side, there's also the cost of not adopting new technology. It's typical for people to be wary of new technology, but when we look back on the days of elevator operators and telephone switchboards, the sentiment is often "wow, I can't believe people lived like that!"

I think I covered the rest of your comments about being cynical, trust, and verification above. As for the idea of paradise, I think the solution lies in changing the incentives. Trusting that someone won't act against their own self interest is not very difficult. Trusting someone to "do the right thing" when the "wrong" thing is clearly more advantageous to them, well that's a little more difficult. If things were set up in a manner so it wasn't "us vs. them", but rather in a manner where working together would produce better results for everyone than working separately (or against one another), then the only real problems are natural disasters, and people who do irrational things, which is pretty rare, especially in an environment which cultivates cooperation. Bruce touched on some of these concepts in "Liars and Outliers" and I think he was on the right track. As usual, more investigation needs to take place on the topic. If anyone would like to continue this conversation (changing the incentives), I'd be happy to do so in a more appropriate forum (you choose the place).


@BoppingAround
You are right. It is understandable. But does it get us anywhere?


UPDATE!
So I was just skimming through the document (because I still haven't read the whole thing) looking for some technical specifications to address the claim that the spec isn't open. Well, if you take a look at page 90 of the PDF, you'll find a diagram of the components. Everything looks like what I'd expect there after reading the executive summary EXCEPT the link to the "Vehicle's internal communications network" which is defined as "Existing network that interconnects components." That sounds like it's tapping into the CAN bus. Reading the previous page for some context:

"NHTSA also foresees the potential for V2V safety systems to be integrated into an
existing electronic control unit(s) during large-scale production of vehicles equipped with these systems. Figure V-1 illustrates the vehicle-based components needed for an integrated V2V system that uses integrated vehicle devices. (A V2V system with ASDs would only differ in its lack of connection to the vehicle’s internal communications network.)"

So it looks a little bit like a bait and switch, and seems to contradict what was said in the executive summary. So here's the evidence of scope creep that all the naysayers were either unwilling or unable to read and reference. Without any explanation as to why this integration is strictly necessary, I can't support that. I suspect the answer is something like: "because it'd be easy and there's a bunch of data there." So if V2V comes up in the future, I would encourage you to cite the fact that there are some plans to tap into the ECU, which could allow problems (or features) with the V2V system to cause cars to break.

The moral of the story remains the same. Read the documents before complaining about them, and cite some facts in your complaints. Skim through this document and find more examples of risky decisions so they can all be raised concurrently (as I should have done). They'll carry a lot more weight that way, especially with people who don't already agree with your conclusion before you start. Also, giving them a path for getting what they want (vehicles to be safer) will be much more effective at getting what you want (vehicles to be secure and concerned with privacy). So saying things like:

Well if they'd remove the connection to the ECU, and other components, come up with specific protocols, compatibility tests, a reference implementation to help ensure that all manufacturers' devices will look identical, and work out how updates are done, then yeah, I might support a V2V communication system.

Jose Maria de Fuentes • October 13, 2014 4:06 AM

Dear all,

We have been addressing this research topic since 2008. If you feel interest in this matter, you might find the paper "Overview of security issues in vehicular ad-hoc networks" interesting. Link to paper.

Thank you Mr. Schneier for pointing out this issue. From my point of view, vehicular communications will suffer a great evolution in the short term and we will see several related security issues.

We have also proposed a steganographic system for vehicular communications (Link to paper) to enable victims of offenders to report misbehaving vehicles in a private way. As you may see, this field is receiving increasing research attention!


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.