Making Wireless Work
C
urrent traffic-safety statistics are notoriously
horrific. Approximately 40,000 people are
killed each year on the European Union’s roads,
with around 1.7 million people incurring criti-
cal injuries; the US reports similar statistics (http://
europa.eu.int/comm/transport/care/). The annual costs
associated with traffic accidents (such as hospital bills and
property damage) total nearly 3 percent of the world’s
gross domestic product (GDP), or roughly US$1 tril-
lion.
1
Further compounding this predicament, the num-
ber of vehicles is increasing faster than the number of
roads, leading to frequent traffic jams. Additional issues
include pollution and scarce parking spaces.
In response to these problems, governments and man-
ufacturers have launched several initiatives (such as
mandatory safety-belt laws, airbags, and antiblocking
brake systems), which have improved the situation some-
what. In October 1999, the US Federal Communica-
tions Commission allocated 75 MHz (the 5.85- to 5.925-
GHz portion) of the spectrum in America for dedicated
short-range communications (vehicle-vehicle or vehicle-
roadside). Upcoming traffic safety initiatives rely heavily
on information technology, which means that vehicles
must be able to authenticate themselves and be traceable
whenever necessary, be it for law enforcement (detection
of speeding vehicles, for example), crash reconstruction,
or toll collection. Today, most tracking operations rely on
reading license plates; this obsolete and error-prone tech-
nique is the equivalent of reading a credit card with opti-
cal character recognition technology rather than with
magnetic strips or embedded chips.
Reading plates has been replaced with authentication
over a radio link (requesting an onboard device to trans-
mit a cryptographic identity) in some
cases, most noticeably at toll roads and
bridges. As we will see, though, there is tremendous pres-
sure to adopt generalized wireless authentication, espe-
cially in advanced safety mechanisms. However, this has
deep implications for privacy, even greater than it does for
cellular networks: a mobile phone can be switched off at
any time, but a license plate can’t. This article provides a
brief overview of the relevant aspects of modern automo-
tive technology and discusses in greater detail the role se-
curity will play.
Smart vehicles and roads
An important evolution for the automotive industry is the
one toward context awareness, meaning that a vehicle is
aware of its neighborhood (including the presence and lo-
cation of other vehicles). Modern cars now possess a net-
work of processors connected to a central computing plat-
form that provides Ethernet, USB, Bluetooth, and IEEE
802.11 interfaces. Newer cars also have such features as
• an event data recorder (EDR), inspired by the “black
boxes” found on airplanes (EDRs record all major data
from the vehicle for crash reconstruction);
• a GPS receiver, the accuracy of which can be improved
by knowledge of road topology (GPS is currently used
in many navigation systems); and
• front-end radar for detecting obstacles at distances as far
as 200 meters (such radar is often used for adaptive
cruise control)
2
and short-distance radar or an ultra-
sound system, typically used for parking.
Inter-vehicle communication (IVC) supports many
JEAN-PIERRE
HUBAUX,
SRDJAN
C
ˇ
APKUN, AND
JUN LUO
EPFL
PUBLISHED BY THE IEEE COMPUTER SOCIETY ■ 1540-7993/04/$20.00 © 2004 IEEE ■ IEEE SECURITY & PRIVACY 49
Road safety, traffic management, and driver convenience
continue to improve, in large part thanks to appropriate
usage of information technology. But this evolution has
deep implications for security and privacy, which the
research community has overlooked so far.
The Security and Privacy
of Smart Vehicles
Making Wireless Work
important features, particularly in the area of crash pre-
vention (for example, by informing vehicles about traffic
congestion).
3
A set of communicating vehicles is an ex-
ample of a mobile ad hoc network. The research com-
munity has devoted much attention to the security and
privacy of such networks in the past few years,
4–6
but
none of these contributions considers any such network
for smart vehicles, which is what we’ll study here.
In this article, we call a vehicle smart if it is equipped with
recording, processing, positioning, and location capabilities
and if it can run wireless security protocols (see Figure 1).
Roads can be made smart, too. Fixed communication de-
vices installed along a road can inform passing vehicles about
the road’s precise topology (see the PATH project,
www.path.berkeley.edu). However, this approach’s draw-
back is that it requires an enormous financial investment,
which, at first, would benefit a small minority of drivers.
The observation of what happens on roads is called
traffic monitoring,
7
which has a primary purpose of detect-
ing anomalous situations, such as those generated by an
accident or difficult driving conditions. It also optimizes
traffic flow, most notably by synchronizing traffic lights
with each other and with observed traffic, and civil engi-
neers often use it to help plan construction of new roads.
Traffic monitoring is based on different traffic measure-
ment techniques; one of the most conventional (and
popular) consists of inductive loop detectors buried in as-
phalt. Less “intrusive” techniques include video image
processors, microwave radar, infrared laser radar, and
acoustic/ultrasonic devices.
With more smart cars and roads, we can expect many
changes. First, the number and severity of accidents
should decrease: by integrating information about posi-
tion and mutual distance with other vehicles, a given ve-
hicle will be able to permanently assess the level of danger
and trigger a warning to the driver, if necessary. In the
more distant future, it could even override the driver—
activating the brakes or taking control of the steering
wheel, for example. Moreover, if an accident occurs, res-
cue teams will have immediate access to relevant infor-
mation; a posteriori data will also help determine driver
liability. With smart cars and roads, traffic monitoring it-
self will improve because it relies on much more accurate
data. Ideally, traffic monitoring will eventually provide
personalized advice to each driver via a personal naviga-
tion system. Ultimately, smart cars’ benefits will range
from simplifying the payment process for the driver (tolls,
parking, and fuel), to helping the driver find an available
parking place, to assisting authorities in fighting crime
and terrorism. (Because terrorist activities often involve
car bombs, automatic identification can help stop suspi-
cious vehicles before they can access sensitive areas.)
However, a major hurdle in moving forward is that,
for a lengthy time period, only a small subset of vehicles
will be smart, yet the safety mechanisms we’ve described,
especially those involving wireless authentication, require
most—if not all—vehicles to be smart. As a result, boot-
strapping the authentication mechanism’s deployment is
a formidable business challenge. An additional obstacle is
the negative perception that the population might have
about such mechanisms—especially the feeling of being
permanently monitored by some arbitrary authority.
Devising an appropriate production and marketing
strategy is beyond this article’s scope, but we believe the
solution is to deploy new features gradually, beginning
with those that are operational even if only a small subset
of vehicles can handle them—examples include access
control to specific areas, wireless toll collection, personal-
ized information about traffic congestion, and theft pre-
vention. Another possibility for gradually deploying such
systems without generating much resistance is to equip
professional vehicles first—commercial trucks, buses,
taxis, ambulances, and police cars, for example (in fact,
many trucks already have EDRs).
Security and privacy
Surprisingly, most people overlook the security and pri-
vacy questions that vehicular technology’s evolution
raises. Currently, every vehicle is registered with its na-
tional or regional authority, which allocates a unique
identifier to it, but in parts of the US and the EU, registra-
tion authorities have made substantial progress toward
electronically identifying vehicles and similar progress is
being made toward machine-readable driving licenses. To
allow the wireless authentification of vehicles, these au-
thorities must provide each vehicle with a private/public
key pair, along with a shared symmetric key, and a digital
certificate of its identity and public key. Such authorities
will most likely be cross certified, making it possible for
any vehicle to check any other vehicle’s certificates.
To guard against misuse, the overall organization for
such a system’s security architecture must be very care-
fully designed, especially if it’s deployed worldwide and
50 IEEE SECURITY & PRIVACY ■ MAY/JUNE 2004
Display
Event data recorder (EDR)
Forward radar
Positioning system
Communication
facility
Rear radar
Computing platform
Figure 1. A smart vehicle’s onboard instrumentation. The computing
platform supervises protocol execution, including those related to
security. The communication facility supports wireless data
exchange with other vehicles or fixed stations.
Making Wireless Work
because of the information it will protect, so registration
authorities must devise an appropriate Public Key Infra-
structure. In magnitude, this challenge is equivalent to se-
curing credit cards or mobile phones, but it also includes
newer, more difficult problems: it must embed security
features in stringent real-time protocols such as those
used to prevent accidents, secure physical location and
distance, and support communication within highly spo-
radic groups of participants.
Electronic tracking of vehicles could be derided as an
incarnation of Big Brother, depending on your view-
point, but it’s a fact that the level of traffic monitoring is
increasing. The public’s acceptance of electronic track-
ing might be fuelled by the prospect of improved safety
and optimized traffic for travelers and potential revenues
for manufacturers. After all, privacy concerns haven’t
prevented the widespread acceptance of the Internet,
cellular networks, or electronic payment systems.
Therefore, the right question is not whether it should
happen, but how to make it happen in the most desirable
way.
An important task is to devise appropriate privacy-
preserving protocols, which are typically based on
anonymity schemes, relying on temporary pseudonyms.
Fortunately, anonymity can be quantified, meaning that
we can compare different proposals. Let’s consider, for
example, an anonymity metric based on entropy,
8
and
let’s assume that an attacker wants to retrieve a given vehi-
cle’s identity by sniffing identification messages the victim
has transmitted.
Let X be a discrete random variable with probability
function p
i
= Pr(X = i), where i represents each possible
value that X can take. In our case, X represents the
pseudonym under the attacker’s scrutiny, and each i
corresponds to an element (a vehicle) of the anonymity
set. We use H(X) to denote entropy after the attack oc-
curs. For each vehicle belonging to the vehicle set of
size N, an attacker assigns a probability p
i
. We can cal-
culate H(X) as
thus the pseudonym’s maximum entropy is
H
max
= log
2
N,
where N is the anonymity set’s size. Based on this, we
compute the degree of anonymity d, provided by a given
privacy-protection system, as
The degree of anonymity quantifies the amount of in-
formation the system is leaking for a given pseudonym.
Electronic license plates
We call the certified identity that a vehicle provides via a
wireless link an electronic license plate. The protocols that
use such license plates can be designed in different ways—
when a vehicle’s engine is on, for example, it can period-
ically broadcast a beacon containing its electronic license
plate, road position, clock, and current speed. It also can
store any data related to itself in an EDR. Alternatively,
the vehicle can permanently listen to the environment
and register the beacons it hears (that is, it can hear other
vehicles’ beacons regardless of whether the engine is on
or off ). This last design decision helps support sophisti-
cated services, but it should be engineered carefully be-
cause it demands a lot of energy.
A possible application of electronic license plates is dy-
namic pricing. The onboard navigation system (or, alter-
natively, the driver can check a Web site before leaving or
while en route from a cellular terminal) can propose a
choice of routes to the driver, with an estimate of current
toll prices. The vehicle will then be charged when it en-
ters the related toll areas (see Figure 2).
Another way to use electronic license plates is to find
drivers who flee the scene of an accident: even if no vehi-
cle is in the radio power range, the culprit’s vehicle likely
will soon pass a parked car that can record its identity (see
Figure 3). By interrogating the EDRs of nearby parked
cars, police can retrieve the identities of all vehicles that
have passed a specific spot at a given time.
Although powerful, electronic license plates are vul-
nerable to attack. A first, obvious threat is the attempt by
the smart vehicle’s owner (or thief) to disable, at least par-
tially, its communication and storage capabilities (in par-
ticular, the EDR). Prevention is easier to automate for
electronic license plates than it is for physical ones: we can
d
HX
H
=
()
.
max
HX p p
ii
i
N
() log ,=−
=
∑
2
1
www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 51
7 5
6
12
11
10
8 4
2
1
9 3
7 5
6
12
11
10
8 4
2
1
9 3
Payment request
Payment
Tariff estimation
Communications
tower
Tariff request
Figure 2. Dynamic pricing. The driver (possibly assisted by a
navigation system) decides on a route; the payment of any tolls
automatically occurs when entering the toll road or bridge.
Making Wireless Work
try to protect the EDR physically, or trigger an alarm or
alert law enforcement.
A second threat is the impersonation attack: a vehicle
owner deliberately stealing another vehicle’s identity and
attributing it to his or her own car, or vice versa. We can
prevent this type of attack by storing the vehicle’s identity
in tamper-resistant hardware, having it properly certified,
and using modern authentication protocols. Electronic li-
cense plates are much more resistant to this sort of attack
than physical ones.
A more dangerous attack is denial of service: an at-
tacker systematically or selectively jamming the signals
that vehicles exchange. There is no purely technical solu-
tion to such attacks, which is one of the reasons why we
won’t see a car overriding its driver in the near future.
To make the use of radio-transmitted information to
track a given car’s location (and therefore its driver) so-
cially acceptable, it should protect driver privacy, at least
as long as no collisions occur. For this reason, the broad-
casted certified identity must be a pseudonym that
changes over time; only the regional or national authori-
ties should be able to determine the relationship between
a pseudonym and its real identity. (Because the car’s pub-
lic key is broadcasted as well, it must also change periodi-
cally.) In this way, any personal information the electronic
license plate transmits would be negligible when com-
pared to that provided by its physical counterpart. The
scheme’s quality can be expressed by the degree of
anonymity we defined earlier.
Location verification
Any car’s location can be determined by using GPS or
with the help of on-road infrastructure; IVC can also
help. Existing positioning and distance estimation tech-
niques assume that vehicles cooperate in determining or
reporting their locations or distances, but some might try
to report false distances or locations. Let’s look at two so-
lutions for verifying vehicle locations.
Tamper-proof GPS
Each vehicle should have a tamper-proof GPS receiver that
registers its location at all times and provides this data to fixed
stations or other vehicles in an authentic manner. Fortu-
nately, this doesn’t require any additional infrastructure and
can be implemented independently in each vehicle. How-
ever, one drawback is its availability in urban environments:
buildings, bridges, or tunnels often block GPS signals. An-
other disadvantage is that this option relies on tamper-
resistant hardware, which has well-known weaknesses.
9
The most serious problem with this approach is that
GPS-based systems are vulnerable to several different
kinds of attack, including blocking, jamming, spoofing,
and physical attacks. Moreover, relatively unsophisticated
adversaries can successfully execute them. The most dan-
gerous attack involves fooling the GPS receiver with a
GPS satellite simulator, which produces fake satellite
radio signals that are stronger than legitimate ones. Such
simulators are routinely used to test new GPS products
and cost US$10,000 to $50,000. Some simple software
changes to most GPS receivers would let them detect rel-
atively unsophisticated spoofing attacks,
10
but more so-
phisticated ones would still be hard to detect.
Verifiable multilateration
A second solution for verifying vehicle location is based
on roadside infrastructure and uses distance bounding
and multilateration. (Distance bounding guarantees that
the distance is no greater than a certain value; multilater-
ation is the same operation in several dimensions.) This
approach removes the need for tamper-proof hardware,
but requires the installation of a set of base stations con-
trolled by a central authority. The infrastructure covers an
area of interest, such as specific roads or city blocks, and
can verify vehicle locations in two or three dimensions.
Verifiable multilateration works as follows: Four veri-
fying base stations with known locations perform distance
bounding to the vehicle, the results of which give them
four upper bounds on distance from the vehicle. If the ver-
ifiers can uniquely compute the vehicle’s location using
these distance bounds, and if this location falls into the tri-
angular pyramid formed between the verifiers, then they
conclude that the vehicle’s location is correct. Equiva-
lently, only three verifiers are needed to verify the vehicle’s
location in two dimensions; the verifiers still consider the
car’s location correct if they can be uniquely computed
and if it falls in the triangle formed between them.
Verifiable multilateration relies on distance bounding; a
claimant can always pretend to be further from the verifier
than it really is, but it can’t prove itself to be closer. Stefan
52 IEEE SECURITY & PRIVACY ■ MAY/JUNE 2004
75
6
12
11
10
84
2
1
93
75
6
12
11
10
84
2
1
93
A parked vehicle records
the fleeing culprit vehicle that passes by.
The vehicle rolls
over a pedestrian.
Figure 3. A parked vehicle recording a fleeing one. The recorded
data can help the police identify the culprit.
Making Wireless Work
Brands and David Chaum first introduced the notion of
distance-bounding protocols;
11
they proposed a technique
that lets a party (the verifier) determine an upper bound on
its physical distance to another party (the claimant). The
main idea is simple but powerful: it’s based on the fact that
light travels at a finite speed, and with current technology,
it’s possible to measure (local) time with nanosecond preci-
sion. Their protocol was recently extended to support
provable encounters in mobile wireless networks.
12
Figure 4 shows an example of how the distance-
bounding protocol unfolds. The protocol is performed
between a verifier v (a fixed base station) and a vehicle C
(which stands for claimant). After a mutual authentica-
tion phase (not shown in the figure), the vehicle commits
to two random values N
C
and N
C
′ by hashing them with
a collision-resistant one-way hash function h and sending
the result to v. The verifier then generates a challenge
nonce N
v
and sends it to C. On receiving the challenge, C
is expected to respond immediately with N
v
⊕ N
C
. The
verifier measures the challenge-response time of f light t
v
C
and estimates the distance to C, but because C can’t send
the correct response before receiving the challenge, it ei-
ther delays the response or sends it immediately after re-
ceiving the challenge. In the last stage of the protocol, C
signs the second part of the commitment N
C
′. The veri-
fier then uses the signature of the second part of the com-
mitment to authenticate C and verify if the commitment
corresponds to C’s response.
When it estimates the distance to C, the verifier also
takes into account C’s processing delay. Here, this time is
relatively short, given that C needs to perform only an
XOR operation and does not need to perform any cryp-
tographic operation until the end of the protocol.
Figure 5 shows an example of verifiable multilatera-
tion. The intuition behind the technique is that a vehicle
might try to cheat about its location. As we mentioned
earlier, the vehicle can only pretend that it is further from
the verifier than it really is because of the distance-
bounding property. However, if it increases the measured
distance to one of the verifiers, it would need to prove
that at least one of these distances is shorter than it actually
is, to keep its claimed location consistent with the in-
creased distance. This property holds only if the claimed
location is within the triangular pyramid formed by the
verifiers: if an object is located within the pyramid and it
moves to a different location within the pyramid, it will
certainly reduce its distance to at least one of the pyramid
vertices. The same holds in two dimensions.
In a real deployment, the number of base stations
would of course be much larger than what we see in Fig-
ure 5; as a result, a vehicle would always be within the
geometric shape that three or four stations form.
Verifiable multilateration also detects distance enlarge-
ment attacks from outside attackers: If an attacker tries to
jam the signal that the vehicle sends to the verifiers and
delay its response, the verifiers detect this attack in the
same way as if the vehicle itself performed the distance
enlargement. The distance measurements’ precision is
very important. Today’s technology based on time of
flight and ultra wideband can achieve a precision of 15 cm
for distances up to 2 km.
13
An example application:
Cooperative driving
Once we verify a vehicle’s identity (via its electronic li-
cense plate) and location (via the mechanisms we just de-
www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 53
Figure 4. The distance-bounding protocol. The verifier (v) upper-
bounds its distance to an untrusted vehicle C.
C : generate random nonces N
C
, N
C
′
: generate commitment commit = h(N
C
, N
C
′)
C → v: C, commit
v : generate random nonce N
v
v → C: v, N
v
C → v: N
v
⊕ N
C
v : measure the time t
v
C
between sending N
v
and
receiving N
v
⊕ N
C
C → v: C, N
C
′, sigK
C
(C, N
C
′)
v : verify if the signature is correct and if commit = h(N
C
, N
C
′)
v
1
v
3
v
2
v
4
v
5
Communication tower
Figure 5. Two examples of verifiable multilateration. Base stations
v
1
, v
2
, v
3
, and v
4
can verify a vehicle’s location in three dimensions if
the vehicle is located in the triangular pyramid that v
1
, v
2
, v
3
, and v
4
forms. Base stations v
1
, v
3
, and v
5
can verify a vehicle’s location in
two dimensions if the vehicle is located in the triangle formed by v
1
,
v
3
, and v
5
.
Making Wireless Work
scribed), we can implement several new functions, in-
cluding cooperative driving.
Vehicles that pass through critical points such as high-
way entrances and blind crossings (those without light
control) must coordinate to avoid collisions. With the
IVC’s support, this coordination can be at least partially
automated. Coordination functions that share resources
among a group of nodes are usually achieved by group
communication primitives (such as mutual exclusion) in
computer networks, but the problem we face here is
more challenging: human lives are concerned, the nodes
are mobile, the groups are highly transient, and the com-
munications are wireless.
A potential solution to this challenge is a light-
weight group communication system managed by a
token (see Figure 6). Every vehicle sees the wireless link
with one of its neighbors (other vehicles within the
transmission range) as outgoing; the neighbors see this
link as incoming. As a result, a directed acyclic graph
(DAG) forms to link the members of a contention
group (those vehicles contending for a common point)
together. The sink (a node without an outgoing link) of
the DAG is elected among the nodes closest to the crit-
ical point. This node then initiates a token (a small mes-
sage that grants the right to access a resource) and goes
across the point. The token then passes to one of the
nodes that have outgoing links to the token holder,
which lets that node move forward.
We can apply different policies to control the behavior
of token passing; for example, the token can switch from
vehicles on one road to those on the other one at a high-
way’s entrance (which merges the two flows of vehicles).
In any case, a policy would use each vehicle’s verified po-
sition and identity to fine-tune the token’s circulation and
provide each driver with appropriate information.
A related problem is that when vehicles arrive at a
given spot (such as at a crossroad) or travel together for a
while (such as on a highway), they might need to ex-
change many messages and therefore may have to estab-
lish a shared symmetric key based on their certified pub-
lic keys. Many people have proposed solutions for this
recurring issue, usually based on so-called multiparty
Diffie-Hellman agreement protocols.
14
Most of these
protocols rely on an underlying group communication
system to achieve fault tolerance, but in our case, the pro-
tocols must cope with stringent real-time constraints and
the fact that human involvement is not possible. Obvi-
ously, such protocols still must be designed.
B
ecause many safety features require some level of co-
operation between vehicles, bootstrapping the adop-
tion of the necessary hardware is a major business chal-
lenge. Of course, this push requires a substantial effort
from the standardization bodies before it can materialize.
So far, the security and privacy challenges related to
this area have been overlooked,
15
but the two solutions
we’ve sketched in this article are a good place to start. In
particular, electronic license plates have the potential
benefit of allowing a much more accurate definition (and
control) of what data law-enforcement agencies can ac-
cess; this is likely to be one of the most relevant challenges
in the area of wireless security. Location verification is the
cornerstone of cooperative safety mechanisms, and the
smarter vehicles become, the more their safety features
will need to be secured.
Acknowledgments
We are indebted to Mario
˜
Cagalj, Robert Dick, Markus Jakobsson,
Ken Laberteaux, Jean-Yves Le Boudec, Christof Paar, and Pravin
Varaiya for their comments on early versions of this article. Special thanks
also to Matthias Grossglauser and Alcherio Martinoli for their thought-
provoking discussions on this topic.
References
1. W. Jones, “Building Safer Cars,” IEEE Spectrum, vol. 39,
no. 1, 2002, pp. 82–85.
2. R. Moebus, A. Joos, and M. Morari, “Multi-Object Adap-
tive Cruise Control,” Proc. Hybrid Systems: Computation and
Control, LNCS vol. 2623, Springer Verlag, 2003, pp.
359–376.
3. W. Franz, R. Eberhardt, and T. Luckenbach, “FleetNet:
Internet on the Road,” Proc. 8th World Congress on Intel-
ligent Transport Systems, 2001.
4. L. Zhou and Z. Haas, “Securing Ad Hoc Networks,”
IEEE Network, vol. 13, no. 6, 1999, pp. 26–30.
5. Y.-C. Hu, A. Perrig, and D.B. Johnson, “Ariadne: A
Secure On-Demand Routing Protocol for Ad Hoc Net-
works,” Proc. 8th ACM Int’l Conf. Mobile Computing and
Networking (Mobicom), ACM Press, 2002, pp. 12–23.
54 IEEE SECURITY & PRIVACY ■ MAY/JUNE 2004
(a) (b)
Figure 6. Cooperative driving. The red car holds the token that
lets it access the resource (a) at a blind crossing and (b) at a
highway entrance.
Making Wireless Work
6. J. Kong and X. Hong, “ANODR: Anonymous on
Demand Routing with Untraceable Routes for Mobile
Ad Hoc Networks,” Proc. 4th ACM Int’l Symp. on Mobile
Ad Hoc Networking and Computing, ACM Press, 2003,
pp. 291–302.
7. L. Klein, Sensor Technologies and Data Requirements for ITS,
Artech House, 2001.
8. A. Serjantov and G. Danezis, “Toward an Information
Theoretic Metric for Anonymity,” Proc. Privacy Enhanc-
ing Technologies (PET), Springer-Verlag, 2002.
9. R. Anderson and M. Kuhn, “Tamper Resistance: A Cau-
tionary Note,” Proc. 2nd Usenix Workshop on Electronic
Commerce, Usenix Assoc., 1996, pp. 1–11.
10. J. Warner and R. Johnston, Think GPS Cargo Tracking =
High Security? Think Again, tech. report, Los Alamos Nat’l
Lab., 2003.
11. S. Brands and D. Chaum, “Distance-Bounding Proto-
cols,” Theory and Application of Cryptographic Techniques,
Springer-Verlag, 1993, pp. 344–359.
12. S. C
ˇ
apkun, L. Buttyan, and J.-P. Hubaux, “SECTOR:
Secure Tracking of Node Encounters in Multi-Hop
Wireless Networks,” Proc. ACM Workshop on Security in
Ad Hoc and Sensor Networks (SASN), ACM Press, 2003.
13. J.-Y. Lee and R.A. Scholtz, “Ranging in a Dense Mul-
tipath Environment Using a UWB Radio Link,” IEEE
J. Selected Areas in Comm., vol. 20, no. 9, 2002, pp.
1677–1683.
14. G. Ateniese, M. Steiner, and G. Tsudik, “New Multi-
Party Authentication Services and Key Agreement Pro-
tocols,” IEEE J. Selected Areas in Comm., vol. 18, no. 4,
2000, pp. 628–639.
15. J. Luo and J.-P. Hubaux, A Survey of Inter-Vehicle Com-
munications, tech. report IC/2004/04, EPFL, Mar. 2004.
Jean-Pierre Hubaux is a professor at EPFL. His research inter-
ests are mobile networking and computing, with a special
interest in fully self-organized wireless ad hoc networks. He
also serves as an associate editor on IEEE Transactions on
Mobile Computing and the Elsevier Journal on Ad Hoc Net-
works. He is a senior member of the IEEE and a member of
ACM. Contact him at jean-pierre.hubaux@epfl.ch; http://
lcawww.epfl.ch/hubaux.
Srdjan C
ˇ
apkun is working toward his PhD at EPFL. His current
research interests include security, privacy, and positioning in
wireless networks. He received a BSc in electrical engineering
and computer science from the University of Split, Croatia. He
is a member of the IEEE Communications and Computer Societies
and the ACM. Contact him at srdan.capkun@epfl.ch; http://
lcawww.epfl.ch/capkun.
Jun Luo is working toward a PhD in communication systems at
EPFL. His research interests include multicasting, mobile com-
puting (especially in ad hoc networks), reliable group commu-
nication, and network security. He received a BS and MS, both
in electrical engineering, from Tsinghua University, Beijing, PRC.
He is a student member of ACM. Contact him at jun.luo@epfl.ch;
http://lcawww.epfl.ch/luo.
www.computer.org/security/ ■ IEEE SECURITY & PRIVACY 55
NEW for 2004!
IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING
Learn how others are achieving systems and networks design and develop-
ment that are dependable and secure to the desired
degree, without compromising performance.
This new journal provides original results in research, design, and develop-
ment of dependable, secure computing methodologies,
strategies, and systems including:
• Architecture for secure systems
• Intrusion detection and error tolerance
• Firewall and network technologies
• Modeling and prediction
• Emerging technologies
Publishing quarterly in 2004
Member rate:
$31 print issues
$25 online access
$40 print and online
Institutional rate: $525
Learn more about this new
publication and become a
charter subscriber today.
http://computer.org/tdsc