arXiv:1607.08277v1 [cs.CR] 27 Jul 2016
Beyond the Dolev-Yao Model: Realistic Application-Specific Attacker Models for Applications Using Vehicular Communication
Christoph Ponikwar, Hans-Joachim Hof
MuSe - Munich IT Security Research Group
Department of Computer Science and Mathematics
Munich University of Applied Sciences (MUAS), Germany
Email: christoph.ponikwar@hm.edu, hof@hm.edu
Smriti Gopinath, Lars Wischhof
Department of Computer Science and Mathematics
Munich University of Applied Sciences (MUAS), Germany
Email: smriti.gopinath@hm.edu, wischhof@hm.edu
Abstract—In recent times, the standards for Vehicular Ad-hoc Networks (VANETs) and Intelligent Transportation Systems (ITSs) have matured, and scientific and industry interest is high, especially as autonomous driving gets a lot of media attention. Autonomous driving and other assistance systems for cars make heavy use of VANETs to exchange information. They may provide more comfort, security and safety for drivers. However, it is of crucial importance for the user's trust in these assistance systems that they cannot be influenced by malicious users. VANETs are likely attack vectors for such malicious users, hence application-specific security requirements must be considered during the design of applications using VANETs. In the literature, many attacks on vehicular communication have been described, but attacks on specific vehicular networking applications are often missing. This paper fills this gap by describing standardized vehicular networking applications, defining and extending previous attacker models, and using the resulting new models to characterize the possible attackers interested in each specific vehicular networking application. The attacker models presented in this paper hopefully provide great benefit for the scientific community and industry, as they allow comparing security evaluations of different works, characterizing attackers and their intentions, and help to plan application-specific security controls for vehicular networking applications.
Keywords: security; attacker model; VANET; V2X; ITS.
I. INTRODUCTION
Vehicular networking applications are a subset of the applications used in Intelligent Transportation Systems (ITSs). They typically need security controls, especially when safety is at stake. For a constructive planning of security controls, it is of benefit to have a model of a typical attacker, a so-called attacker model. Typical attack classes are impersonation, data tampering, Sybil attacks, or Denial of Service (DoS) attacks; please refer to [1] for a survey on these attacks. However, these attack classes are very general and their severity differs from application to application. Hence, it is beneficial to have application-specific attacker models for vehicular networking applications. This paper presents attacker models specific to vehicular networking applications. These attacker models can be used for security control planning as well as for the evaluation of security controls. Also, standardized attacker models such as those in this paper are hopefully a great benefit for the scientific community for comparing evaluations of different papers and for modeling real-world attackers.
This paper is structured as follows: Section II presents related work and shows the gap this paper is closing. Section III gives an overview of vehicular networking applications. Section IV presents a classification of attackers that is used for the application-specific attacker models introduced in Section V. Section VI concludes the paper.
II. RELATED WORK
The field of attack modeling has a long history, with some of it rooted in reliability engineering and fault tree analysis, which was adopted and adapted as attack trees [2]–[4] in the realm of secure systems engineering. Because of its detailed and explicit nature, the attack tree modeling approach is best suited when the goals of an attacker have been elicited and actual mitigations should be developed. The approach taken here categorizes attackers based on different aspects that are derived from their goal, which in turn tries to take advantage of a specific vehicular networking application. Others use a game theory based approach to infer intentions, objectives and strategies of attackers [5]; we derive these from the vehicular networking application that the attacker tries to exploit.
The often cited Dolev-Yao attacker model [6] models the attacker as an active saboteur. He is omnipotent and can therefore intercept, eavesdrop on, or modify all communication of the network. Furthermore, the attacker can pose as a legitimate communication partner and can therefore initiate a communication with every participant in the network. Compromising or breaking cryptographic primitives is not possible for a Dolev-Yao attacker. Networks in an Intelligent Transportation System (ITS) are not limited to the Internet; instead they consist of Vehicular Ad-hoc Networks (VANETs), enabling ad-hoc communication. Cellular technologies, like Long Term Evolution (LTE), can provide connectivity to the Internet. Roadside Units (RSUs) or other stationary participants could be connected via traditional electrical or optical wired technologies to other separated networks or the Internet. The Dolev-Yao model is far too imprecise for such a complex networking structure, and it only depicts a special type of attacker. This attacker is also unrealistically strong by being omnipotent, which gets increasingly unlikely the more complex and diverse a network becomes. This was previously pointed out in regard to sensor networks [7][8]. In particular, it is pointed out that physical security should not be expected, because an attacker can easily get access to those nodes and perform a takeover or compromise cryptographic secrets [7]. In this way, an outside attacker becomes an inside, participating one. To sum it up, the Dolev-Yao model is far too imprecise and unrealistically strong to be of use for security controls planning in realistic vehicular networking scenarios.
A realistic attack scenario is the exploitation of low-level software or hardware vulnerabilities in the network stacks of wireless transceivers. The existence and importance of these vulnerabilities has been discussed in various publications [9]–[12]. This scenario marks the lower bound of the attack scenarios that are discussed in this paper. While still being relevant specifically to wireless communication, cellular or ad-hoc, it is not specific to only one vehicular networking application, and the root cause, vulnerable software and hardware, proliferates through all the layers of current systems and is not specific to wireless communications. Therefore, this is not in focus for this publication. Instead, the main contribution is the combination and extension of the previous attacker models of [6][7][13] and the detailed description of realistic attacker models via the extended model. Most of the previous works [14]–[18] are missing realistic attacker models. Some, like [15]–[17], use categories of attacks, like impersonation, data tampering, Sybil, or DoS attacks, and describe each attacker based on its category. [18] is really close to defining realistic attacker models by defining categories of attackers, like driver, roadside or infrastructure.
Realistic attacker models are needed to better understand who might be the attacker of a system, for better comparison, and ultimately to make risk-based decisions about whether to implement security controls and how to guard against a specific realistic attacker.
III. VEHICULAR NETWORKING APPLICATIONS
A general classification of vehicular networking applications uses two classes: safety applications and non-safety applications. For realistic attacker models, a more fine-grained categorization is needed. The classes used in this paper are described in the following. Please refer to [1] for a detailed description of the vehicular networking applications.
A. Cooperative Sensing (Safety)
Cooperative Sensing applications use V2X communication for situation awareness, e.g., to reduce the risk of accidents while driving.
Road Hazard Signalling (RHS): When a vehicle picks up a standardized condition [19], an application broadcasts this condition to other recipients using Decentralized Environmental Notification Messages (DENM) [20]. Conditions include emergency vehicle approaching, slow vehicle, stationary vehicle, emergency electronic brake lights, wrong way driving, adverse weather condition, hazardous location, traffic condition, roadwork, and human presence on the road.
Cooperative Collision Avoidance (CCA): When a vehicle senses a possible collision with an approaching vehicle based on Cooperative Awareness Messages (CAM) [21] received from nearby vehicles, the driver gets a warning. Two distinct collision warning applications have been specified: Intersection Collision Risk Warning (ICRW), where a warning is triggered if a collision is likely to happen at an intersection, and Longitudinal Collision Risk Warning (LCRW), where a warning is displayed to the driver if a front or rear end collision is likely [22].
B. Cooperative Maneuvering
These applications apply V2X communication for driving automation functions at levels 3 to 5 as defined in SAE J3016 [23].
Cooperative Adaptive Cruise Control (CACC): Optimizes resource usage by forming a convoy (platooning) and reduces speed alterations via an extended horizon in which minor changes can be leveled out.
Cooperative Merging Assistance (CMA): To avoid collisions, vehicles and roadside units (RSUs) cooperate and negotiate merging maneuvers.
Cooperative Automated Overtake (CAO): For overtaking maneuvers, either in a fully autonomous self-driving or in a driver assistance scenario, cooperation among vehicles is needed to improve safety.
C. In-Vehicle Internet Access
Internet-based applications are offered to passengers and, in distraction-reduced versions, even to the driver.
D. Mobility Monitoring and Configuration
The status of a vehicle can be remotely queried and modified. This application includes control of auxiliary heating systems as well as software and firmware updates. Usually, the accessed vehicle is in a parked position during the interactions of this application.
IV. ATTACKER MODEL
There are already different characteristics of attackers known in the literature; some are described in the following paragraphs and extended where needed.
Insider Attacker vs. Outsider Attacker [7][13]: An outsider attacker is restricted because he does not participate in regular communication. An insider attacker, on the other hand, is a regular participant in the communication. A participant could become an insider attacker, e.g., when hacked or infected with malware.
Active Attacker vs. Passive Attacker [7][13]: A passive attacker only eavesdrops on communication. An active attacker, on the other hand, acts in the network, e.g., by creating and inserting messages, by replaying messages, or by modifying existing messages.
Static Attacker vs. Dynamic Attacker [7]: An attacker adapting his behavior based on the behavior of the network environment or the attack target is called a dynamic attacker. Static attackers, on the other hand, do not adapt to changes whatsoever. An example of a static attack is the most basic form of malware, which does not utilize a command and control infrastructure and is built only for a specific purpose, like sending spam. An example of a dynamic attack is an attacker of an Advanced Persistent Threat campaign, which adapts to security measures or changes his goal based on the detected environment around it.
Cooperative Attacker [7] vs. Individual Attacker: Attackers colluding to reach a common goal (e.g., destabilization of the network) are called cooperative attackers. An attacker limited to its own abilities is called an individual attacker.
Local Attacker vs. Extended Attacker [13], extension: Global Attacker [7]: How much influence an attacker has is an important criterion for the scope and impact a given attack can develop. Limited by his physical abilities, a local attacker can only influence participants in his ad-hoc communication vicinity. An attacker controlling multiple network segments has the ability to execute more sophisticated attacks that need a greater area of influence. The so-called global attacker has the ability to access every message of the network. But based on the diversity and complexity of the ITS network architecture, this type of attacker is limited to the infrastructure providers or to attackers that can influence or exercise control over this communication infrastructure.
Malicious Attacker vs. Rational Attacker [7][13], extension: Opportunistic Attacker: An indiscriminate attacker who does not care about losses, resource usage, or consequences and targets the functionality of participants or the network is called a malicious attacker. A rational attacker tries to reach a certain goal by the cheapest means possible and is focused on his benefit or profit. An attacker who only executes an attack when an opportune circumstance occurs is called an opportunistic attacker.
Table I shows the profile matrix based on the attacker characteristics described above that is used in the rest of this paper to describe application-specific attackers.
TABLE I. GENERAL ATTACKER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
Based on this profile matrix, specific attackers can be modeled. The worst possible attacker is shown in Table II. The worst possible attacker is the most powerful attacker one can think of. As described in Section II for the Dolev-Yao model, such a powerful attacker is quite unlikely to appear in most realistic scenarios (however, there is one valid scenario listed below).
TABLE II. WORST ATTACKER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
Table III shows the weakest possible attacker of the application-specific attacker model.
TABLE III. WEAKEST ATTACKER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
The worst attacker and the weakest attacker are the two ends of the application-specific attacker model presented in this paper. However, in most vehicular networking applications a realistic attacker model lies between the worst attacker and the weakest attacker. The following section presents the realistic attacker models applicable for each vehicular networking application presented in Section III.
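The profile matrix of Table I, its worst and weakest corners, and the "lies between" ordering of Section IV, as an added Python example that is not part of the paper. It assumes a weakest-to-strongest order inside each dimension read from the Section IV prose, encodes only the three Section V profiles whose properties the text states completely (Tables X, XI and XIII), and models a security control by the strongest attacker profile it was designed to withstand, so that the attackers it leaves uncovered can be listed.

```python
"""Attacker profile matrix (Table I) as a checkable model.

Added example, not code from the paper. Assumptions: the weakest-to-strongest
order inside each dimension is read from the Section IV prose; the catalogued
profiles are the three that Section V states fully; a security control is
modelled by the strongest profile it was designed against.
"""
from itertools import product

# Options per dimension, weakest first. Section IV: an outsider "is restricted",
# a passive attacker "only eavesdrops", a static one "does not adapt", a global
# attacker "has the ability to access every message", and a malicious attacker
# "does not care about losses, resource usage, or consequences" (so cost-based
# deterrents do not reach him). The ordering itself is an assumption.
DIMENSIONS = {
    "membership":   ("outsider", "insider"),
    "method":       ("passive", "active"),
    "adaptability": ("static", "dynamic"),
    "organization": ("individual", "cooperative"),
    "scope":        ("local", "extended", "global"),
    "motivation":   ("opportunistic", "rational", "malicious"),
}


def make_profile(**choices):
    """Build one row of the matrix, rejecting unknown dimensions or options."""
    if set(choices) != set(DIMENSIONS):
        raise ValueError(f"expected dimensions {sorted(DIMENSIONS)}, got {sorted(choices)}")
    for dim, option in choices.items():
        if option not in DIMENSIONS[dim]:
            raise ValueError(f"{dim}: {option!r} is not one of {DIMENSIONS[dim]}")
    return dict(choices)


def rank(profile):
    """Position of each chosen option inside its dimension (0 = weakest)."""
    return {dim: DIMENSIONS[dim].index(profile[dim]) for dim in DIMENSIONS}


def dominates(a, b):
    """True if profile a is at least as capable as b in every dimension.
    This is a partial order: two profiles may be incomparable."""
    ra, rb = rank(a), rank(b)
    return all(ra[dim] >= rb[dim] for dim in DIMENSIONS)


def differences(a, b):
    """Dimensions in which two profiles differ, as {dim: (a_option, b_option)}."""
    return {dim: (a[dim], b[dim]) for dim in DIMENSIONS if a[dim] != b[dim]}


def all_profiles():
    """Every cell combination of Table I: 2*2*2*2*3*3 = 144 profiles."""
    return [dict(zip(DIMENSIONS, combo)) for combo in product(*DIMENSIONS.values())]


# The two ends of the model (Tables II and III), taken as the strongest and the
# weakest option in every dimension.
WORST = make_profile(membership="insider", method="active", adaptability="dynamic",
                     organization="cooperative", scope="global", motivation="malicious")
WEAKEST = make_profile(membership="outsider", method="passive", adaptability="static",
                       organization="individual", scope="local", motivation="opportunistic")

# Section V profiles whose every property the text states: Table X (worst case
# except local scope and individual organization), Table XI (outsider malware
# author: active, dynamic, individual, local, rational) and Table XIII (control
# freak: active insider individual, static, local, opportunistic).
CATALOGUE = {
    "intentionally false CAM": dict(WORST, organization="individual", scope="local"),
    "vehicular malware": make_profile(membership="outsider", method="active",
                                      adaptability="dynamic", organization="individual",
                                      scope="local", motivation="rational"),
    "control freak": make_profile(membership="insider", method="active",
                                  adaptability="static", organization="individual",
                                  scope="local", motivation="opportunistic"),
}

# Assumed modelling of a security control: the strongest attacker it was
# designed to withstand. A Dolev-Yao style control (sender authentication an
# outsider cannot forge) withstands any outsider, however strong, but says
# nothing about insiders.
DOLEV_YAO_BOUND = dict(WORST, membership="outsider")


def uncovered(control_bound, catalogue):
    """Catalogued attackers that a control's bound does not dominate, sorted by name."""
    return sorted(name for name, prof in catalogue.items()
                  if not dominates(control_bound, prof))


if __name__ == "__main__":
    print("profiles in the matrix:", len(all_profiles()))
    print("Table X differs from worst in:",
          differences(WORST, CATALOGUE["intentionally false CAM"]))
    print("not covered by a Dolev-Yao style control:",
          uncovered(DOLEV_YAO_BOUND, CATALOGUE))
```

Running it lists the two insider profiles as uncovered by a control that only assumes an outsider, which is the gap Section II raises against the Dolev-Yao model.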
V. APPLICATION SPECIFIC ATTACKER MODELS
For each vehicular networking application (see Section III), different specific attacker profiles are described in this section.
A. Cooperative Sensing (Safety)
Attackers interfering with safety functions always risk, inadvertently or intentionally, causing damage to themselves or other humans, besides causing financial damage. It is important to keep this in mind, especially when judging the motivation of a certain attacker.
A perpetrator is stuck in traffic; he then decides to push a button that forces his vehicle to send out false road hazard warnings to influence other vehicles. In an ideal situation for the attacker, the victim vehicles fall for his false claims. He might pose as an emergency vehicle, or send out false wrong way driving, roadwork, or human presence on the road warnings to clear a lane and speed past other vehicles. He is an active, dynamic insider acting as an individual, with local reach, see Table IV. As stated previously, fiddling with safety functions is borderline malicious activity. The speeding attacker might still try to be rational about relying on successfully deceiving other traffic participants, as they might simply ignore his false claims or he might overlook real hazards.
TABLE IV. SPEEDSTER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
Another group taking advantage of this safety application may be a single environmentalist or annoyed resident, or a group of them. Their goal might be to reduce the speed of vehicles, no matter what the rest of the community decided to be acceptable. There are two basic technical approaches these attackers can pursue: either they try to jam valid RSUs (Denial of Service), see Table V, or they try to compromise or mimic a valid RSU, see Table VI.
TABLE V. OUTSIDER TRAFFIC CALMING PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
When being able to communicate with other vehicles, other attacks are possible, like trying to get the vehicles to alter their route because of hazard warnings like weather conditions or fake traffic conditions. But a single RSU or a fake one has only a limited area of influence.
TABLE VI. INSIDER TRAFFIC CALMING PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
A small step up for the attacker who is compromising RSUs, see Table VI, to slow vehicles down would be if he does not stop after controlling one RSU. He would try to get control over a larger area to have a bigger influence on victim vehicles, see Table VII. By doing so, he poses a greater risk to safety in that area by exercising his power over an area and colluding RSUs to make the false or modified warnings look authentic.
TABLE VII. SOPHISTICATED TRAFFIC MANIPULATION PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
To prevent duplicate information, the following attack model omits the table, because the attacker resembles the worst case attacker as pictured in Table II. The attacker could be a foreign power, either state sponsored or independent, but the goal of this group would be to put a stranglehold on safety related functions to unleash massive chaos, by using infrastructure to flood victims with false hazard and collision warnings and creating non-existent vulnerable road users in front of vehicles, to get the safety systems to collapse and shut down. During such an attack, the goal of the attacker would be to create human casualties or at least huge financial losses and impediment. The whole purpose of such a malicious attack is to weaken the position of an opponent and to strengthen their own; this could also be achieved by holding the infrastructure ransom and threatening to vandalize the infrastructure. To have such a large scale effect, the attacker needs to compromise the infrastructure, either via common vulnerabilities or by compromising its provider.
The last three attacker types in this section are derived from the weakest attacker, see Table III. The goal of these attackers is to acquire knowledge about nearby vehicles. This goal is similar to that of the snooping individual who uses the manufacturer's built-in monitoring, as described in Table XIII. The difference between these three types of attackers is their scope: whether they have only local, extended or global reception. A local influence might be easy to establish, as only one receiver is needed. For extended visibility, more receivers are required, but for global reach the RSU to attacker receiver ratio must be one-to-one. This would be easy to achieve for a worst case attacker, as he does not only want to have control over some infrastructure but wants to have control over all available ones.
B. Cooperative Sensing (Information/Non-Safety)
In comparison to the safety relevant applications mentioned before, informational cooperative sensing applications do not have an immediate life threatening aspect. The application for exchanging dynamic mapping information is particularly interesting, as it might be used to improve the driver's experience but could be misused to annoy the driver or even to literally navigate him into dangerous situations. One attacker who is trying to annoy drivers or shop owners sets up a fake RSU to send out false information about points of interest. This might range from false opening hours to false location information. This can be considered trolling, wasting someone's time and resources and annoying people to no end, as presented in Table VIII. He is rather static, an individual opportunistic attacker with only a local scope.
TABLE VIII. TROLLING VIA FALSE INFORMATION PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
The second type of attacker are criminals, see Table IX, who use technology to make their activities easier. In the case of mapping information, they could try to trick the driver via the navigation system into taking another route, to send the driver to an abandoned place to either rob or kidnap him. It may be enough to set up some fake RSUs, or compromise a few, software-wise or physically, to mislead or manipulate the victim's systems. A single criminal or a group of them may feed dynamic false information into the systems near their victim and may even deploy multiple RSUs to have a higher chance of misleading the driver. When considering criminals as attackers, the differentiation whether their motivation is malicious or rational depends on whether the perpetrators want to reuse their scheme, like a business, or if they are outright hitmen. But whether the latter would invest in the technology and know-how to ease his job of executing a paid-for assassination is questionable. Nonetheless, intentional criminal activity would be considered malicious.
TABLE IX. FALSE INFORMATION AS CRIMINAL ACTIVITY SUPPORT
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
C. Cooperative Maneuvering
When considering cooperative maneuvering, one distinguishes whether a non-cooperative fallback is available or not. If a non-cooperative fallback is available, the attacker might be just like the trolling one mentioned in Table VIII, as no real harm is possible because a safe downgrade to non-cooperative assistance is available. If no fallback is available, there is a safety issue. CACC should have a non-cooperative companion, ACC. For the cooperative automated overtake application, especially in an autonomous driving environment, the safety implications are obvious. An attacker sending false awareness information is only different from the worst case attacker (see Table II) in regard to his reach, as he is locally limited, and to the organizational aspect, as he is an individual, see Table X.
TABLE X. INTENTIONALLY FALSE CAM ATTACKER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
D. In-Vehicle Internet Access
A malware author who uses the Internet connectivity as an initial attack vector to infect software components in a vehicle is summarized in Table XI. This type of active attack depends heavily on the design of the vehicular Internet access capabilities. If the vehicle itself does not have Internet enabled or capable components and merely provides an access point for other smart devices to get access, then the attack surface is reduced. Still, an outside attacker could try to attack the access point software or, more generally, common software components among vehicles of the same manufacturer or across the industry that are reachable via the Internet. The ability of an attacker to adapt his malware, or the ability of the malware to get new orders via a command and control infrastructure, makes him a dynamic opponent. As an individual attacker who uses the Internet as the initial access vector to his victims, his capabilities are also limited by the ability to directly connect to a victim or whether the victim has to make the initial connection. In the latter case, he would resort to common scenarios like watering hole or phishing attacks, where the victim connects to an Internet resource that serves an exploit kit targeted at software vulnerabilities. Nevertheless, the attacker's scope is limited, in the sense of the initial attack vector, to a local one; furthermore, he is going to act in a rational way, as he wants to make a profit off his work.
TABLE XI. VEHICULAR MALWARE INITIAL ATTACK VECTOR
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
E. Mobility Monitoring and Configuration
There are cases where an owner or an agent of the owner (modder, tuner) could be seen as an attacker from the perspective of a vehicle manufacturer. In this case, the owner or his agent tries to manipulate the vehicle, e.g., to decrease the mileage count of a car. It is obvious that the owner or his agent can access all available communication, hence he is an insider attacker. He also has the ability to modify the hardware or software and to react to security controls in place. For example, extraction of cryptographic keys from firmware images is a well-known approach in the car hacking and chip tuning community. Hence, the attacker is an adaptive attacker. Attacks usually affect only one vehicle. A special case is an attack on an online service portal of the manufacturer. If all vehicles of this manufacturer can be modified remotely, the attack could have an extended scope, but the initial vulnerability is still local to the service portal. The owner of a vehicle is a rational attacker, as he is resource sensitive. If the use of a vehicle hack has less value than the money needed to execute the hack, the owner likely will not execute the attack. See Table XII for a summary.
TABLE XII. MODDER/TUNER PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
Another attacker is the control freak attacker. His goal is snooping on his or her spouse, child, or anybody else using the vehicle. As the owner of the vehicle, the active insider individual attacker can use the location tracking or monitoring ability for a legitimate purpose (e.g., finding his vehicle or creating an automatic driver's logbook) but also use it to spy on persons he lends the vehicle to. He does not need to change his behavior, as tracking devices are already built into most vehicles. He is very opportunistic, as he uses the abilities of the existing monitoring system. Only his own vehicle is affected. The properties of the control freak attacker are summarized in Table XIII.
TABLE XIII. CONTROL FREAK PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
An extension of the control freak attacker is an attacker attacking a centralized location information system of a manufacturer. If such a centralized system (e.g., a service portal) exists and the user can query it for the position of his vehicle (e.g., to find a parked car), it could be an attractive target. The attacker is an outside attacker, but he must be highly motivated, persistent, and dynamic. When attacking the system, the possession or control of multiple vehicles might be advantageous, but the attacker is still considered to be individual and locally limited to the attacked system that stores the location information. The attacker is not interested in creating outages or service interruptions, as he is interested in the functioning system and especially in the data it gathers; therefore he can be considered rational. See Table XIV for a summary of this attacker.
TABLE XIV. MASS SURVEILLANCE PROFILE MATRIX
Attacker Properties
Membership:    insider | outsider
Method:        active | passive
Adaptability:  dynamic | static
Organization:  cooperative | individual
Scope:         global | extended | local
Motivation:    malicious | rational | opportunistic
The last two attacker models still fit into the V2X communication and application paradigm, although they are centered around the existence of systems run by the manufacturer, reachable via the Internet, and on misusing or exploiting weaknesses in them.
VI. CONCLUSION AND FUTURE WORK
This paper presented a survey on current vehicular networking applications, including Cooperative Sensing (Safety), Cooperative Sensing (Information/Non-Safety), Cooperative Maneuvering, In-Vehicle Internet Access, and Mobility Monitoring and Configuration. Novel attacker models are presented that focus on realistic application-specific attacks instead of general attacks on vehicular networks.
TABLE XV. ATTACKER MODEL OVERVIEW
No.   Attacker model                                      Profile table
1     Speedster                                           IV
2     Outsider Traffic Calming                            V
3     Insider Traffic Calming                             VI
4     Sophisticated Traffic Manipulation                  VII
5     Massive Financial Damages and Human Casualties      II
6-8   Information Gathering with three different scopes   III
9     Trolling via false information                      VIII
10    False information as criminal activity support      IX
11    Intentionally false CAM attacker                    X
12    Vehicular malware initial attack vector             XI
13    Modder/Tuner                                        XII
14    Control Freak                                       XIII
15    Mass Surveillance                                   XIV
Our contribution describes 15 realistic attacker profiles in
its main Section V; a summary is given in Table XV. These
attacker models allow for more focused planning of security
controls for vehicular networks, as well as better comparability
of security evaluations using these attacker models.
Using this attacker modeling approach for evaluation and
providing in-depth examples on how to benefit from it in
particular vehicular communication applications is reserved for
future work.
Attack trees provide a methodical way of describing threats against, and countermeasures protecting, a system. By extension, attack trees provide a methodical way of representing the security of systems. They allow people to make calculations about security, compare the security of different systems, and do a whole bunch of other cool things. This chapter starts with a simple attack tree for a noncomputer security system, and builds the concepts up slowly. it illustrates a simple attack tree against a physical safe, and an attack tree for the PGP e-mail security program. Once people build up a library of attack trees against particular computer programs, door and window locks, network security protocols, or whatever, they can reuse them whenever they need to. For a national security agency concerned about compartmentalizing attack expertise, this kind of system is very useful.