Network Management

Vehicular Networks Are Expected to Save Lives But Carry Privacy Risks

By: Carolyn Duffy Marsan

Date: November 1, 2015


Vehicular communications systems, which hold the promise of preventing crashes and saving lives, are poised for wide-scale deployment during the next decade. IETF 93’s technical plenary session discussed the underlying networking technologies and protocols required by vehicular communications, as well as related privacy and security challenges.

Christoph Sommer, assistant professor at the University of Paderborn, opened the discussion with an overview of the status of vehicular communication systems deployment, including the standards that have been developed to support these systems and field trials conducted to date.

Vehicular communications refer to networked vehicles talking to each other and to roadside nodes for safety warnings and traffic information. For example, when a vehicle brakes suddenly, it would automatically warn the cars behind it to stop as a way of preventing rear-end collisions.

Sommer said the idea for vehicular communication systems dates back to the 1970s, but it wasn’t until mobile networking became ubiquitous in the 1990s that systems such as General Motors’ OnStar and BMW Assist became viable.

“After 2000, the sharp increase in computing power made it possible to deploy fully distributed and highly reactive ad hoc systems that allow cars to directly communicate to other cars on the road,” Sommer said. “This generated a number of activities, including lots of coordinated research programs… between the biggest manufacturers in the United States, Europe, or Japan. That culminated in numerous large-scale field trials that concluded this technology is hugely beneficial.”

The US National Highway Traffic Safety Association (NHTSA) concluded that two simple applications—intersection movement and left turn assist—could prevent 500,000 crashes and save 1,000 lives annually. In August 2014, NHTSA said it is going to propose rulemaking for all new vehicles to be equipped with vehicular networks by 2020. Indeed, some US car manufacturers say they will deliver this technology as early as 2017.

Meanwhile, innovators like Google are developing autonomous driving systems, which would enable self-driving cars or platooning, where a vehicle driven by a human is followed closely by several autonomously driven vehicles that accelerate or decelerate based on the lead car’s actions.

“Vehicle networking represents the third evolution in networking,” Sommer said. “The first was traditional wired networks with nonmoving, static configurations. The second was mobile ad hoc networking, based on wireless mobile technology and dynamic configuration. The third is vehicular ad hoc networks, which are a completely new field of deployment.”

The lower level network protocol for vehicular communications already has been developed: Dedicated Short Range Communication (DSRC), which is the underlying “wire” for these applications. DSRC comprises extensions to the IEEE 802.11 standards for wireless communication. DSRC uses: 802.11e for quality of service; 802.11j-2004 for half-clocked operations, which are a more robust form of communication; and 802.11p for operation in the 5.9 GHz band and a new mode called OCB for Outside the Context of a Basic Service Set.

“OCB mode allows devices at all times to transmit frames addressed to a wildcard service and to always receive wildcard service packets,” Sommer explained.

Sommer said the 5.9 GHz band is reserved for vehicular communications, with the United States dedicating seven channels for communication and Europe dedicating five channels. While these channels have no licensing costs, they have strict usage rules to ensure that only vehicular networks operate on these frequencies.

Sommer said IP-based communications only fit into a small space in the vehicular networking paradigm because routing requires too much network overhead for most applications. Only entertainment applications might support data streaming to cars, he said.

“It’s just a necessity to assemble a new stack that needs to meet lots of old challenges, such as multicast, low load, and low delay, and new challenges such as highly dynamic topology, safety, partitioning, and complex mobility,” Sommer said.

So far, three standards have been developed to meet the challenge of vehicular networks:

IEEE 1609 WAVE, for Wireless Access in Vehicular Environments, is being adopted in the United States. The WAVE stack features: a physical layer; a MAC (Media Access Control) layer with channel coordination; an LLC (Logical Link Control) layer; and finally the WAVE Short Message Protocol or WSMP. Sommer said it is possible that IPv6 and TCP/UDP could ride upon the LLC layer, but more development is needed to make that happen. WAVE supports single or multiple radio devices, with single radio devices periodically tuning to the Control Channel (CCH) to ensure receipt of important messages.

ETSI ITS G5, or Intelligent Transportation Systems, is being adopted in Europe. This standard focuses more on multiradio scenarios, with one radio always being tuned to the CCH. This stack features Cooperative Awareness Messages, which are periodic messages about speed and location of surrounding vehicles. The ITS G5 stack consists of physical and MAC layers based on IEEE 802.11p, with Decentralized Congestion Control (DCC) that handles traffic management tasks for the access layer, the networking and transport layer, and the facilities layer. This standard also features Geonetworking, which enables disseminating information to an area determined by a particular latitude and longitude.

ARIB T109, or 700 MHz Band Intelligent Transport Systems, was designed in Japan. Sommer didn’t describe this standard in detail.

“The outlook for vehicular networking leaves us with a lot of applications, but each is tailor made to a specific use case with each also using a very different part of the network,” Sommer said.

Among the applications for vehicular networking that Sommer cited along with the corresponding standards were: electronic payment through IEEE 1609.11; traffic signal timing through SAE SPAT; periodic broadcast safety messages through ETSI CAM and IEEE/SAE BSM; and geo-based broadcasting of warnings using ETSI DENM.

“Aside from all of these apps, vehicle networking opens up a whole lot of opportunities with one of the biggest being the merging of in-vehicle and vehicle-to-vehicle communication,” Sommer said. “This will be the first time we can do sensor data fusion of local vehicle sensors and sensors in other vehicles. So if another car tells me there is an obstacle in the road, I might try to double-check using my computer vision system.”

After Sommer concluded his talk, the security and privacy aspects of vehicular networking were discussed by William Whyte, chief scientist of Security Innovation.

Whyte said vehicular networking has all the security challenges typical of networks, such as confidentiality, integrity, authenticity, authorization, and nonrepudiation, as well as cryptography requirements. However, vehicular networking adds privacy concerns such as not wanting to enable tracking or traffic analysis.

“If you have this radio in your car—and the plan in the United States is that cars will be mandated to be equipped with these radios in 2020 or 2022—you don’t want that radio to give you automatic speeding tickets. You don’t want wide-scale tracking to be possible,” Whyte explained.

In addition, vehicular networking involves constrained devices in terms of size, power, storage, and connectivity, which puts limits on the hardware-based security capabilities. The communications are constrained because there are a limited number of 10 MHz channels.

“If you have 200 or 300 vehicles in an area, and they all have to communicate at the same time, you need to make sure the communications overhead is not too much,” Whyte said.

Whyte identified several security-related efforts within the IETF that may overlap with vehicular networking, due to similar certificates, automated certificate issuance, and certificate management.

“One thing I hope we will do in the next few years is work more closely with existing technologies and existing technology groups to make sure that we don’t reinvent the wheel,” Whyte said.

In terms of the vehicular networking trust model, the plan is to use IEEE 1609.2 and ETSI TS 103 097 certificates. The signed PDUs (Protocol Data Units) are authorized by certificates, with Service Specific Permissions within applications. The Certificate Authority ensures that the sender is entitled to those permissions. The receiver checks that the PDU is consistent with permissions.

For example, emergency vehicles would have special permissions to allow them to send messages to other vehicles saying essentially “get out of my way,” Whyte explained.

In terms of security performance, vehicular network standards use the Elliptic Curve Digital Signature Algorithm (ECDSA) with 256-bit curves for cryptography. Due to the significant security overhead of the digital signatures, IEEE permits implicit certificates with no explicit signatures to improve performance, while ETSI uses only explicit certificates.

Another performance concern is that the system can handle 600 incoming messages per second. While the EU is using hardware acceleration to improve performance, the United States is filtering messages and using butterfly keys, which are a one-time request to the certificate authority to generate a certain number of distinct certificates.

Whyte said new legislation will be needed to prevent vehicles from being tracked. One technical way to minimize tracking is that the vehicle will receive multiple certificates for an application so that it can be tracked here and there but not on all points in between. Another privacy threat is that an insider at the Certificate Authority could track a vehicle, or the Certificate Authority could be hacked.

One precaution is that vehicular networks won’t reveal information about the previous movement of a vehicle. “If a car is stolen in June, it can be tracked going forward, but not the movements before,” Whyte said.

The ETSI model requires that all packets sent over geonetworking are signed at the geonetworking layer; this indicates that the sender has permissions to ask that a packet is forwarded. In addition, packets are verified before forwarding. By preventing unauthorized requests for forwarding, congestion is reduced.

“This is a further optimization because if you’re signing at the network layer anyways, you don’t need to sign at the application layer,” Whyte said.

Vehicular networks may carry advertisements for services, such as high-speed towing or electric vehicle charging, but the network protocols assume a buyer-beware strategy. Another risk is that if hardly anyone uses a given service, the buyer’s privacy might be at risk.

“One outstanding research area in privacy is… if you have multiple apps such that the combination of them is a fingerprint for your device,” Whyte said. “The device should support some kind of separation such as a separate virtual device for each of the apps. It has yet to be seen if that works.”

Whyte said that the key security system challenges in preparing vehicular networks for deployment in the next decade are working within channel capacity and processing constraints, while supporting different trust levels and protecting privacy against likely attacks. The future, however, involves integrating vehicular networks into the general Internet of Things security framework.

“Vehicular networks will be a subset of machine-to-machine systems; in general, we will be moving into their frameworks over the next few years to make sure we can scale,” Whyte said. “We need to manage congestion in adversarial settings as DoS attacks might have real impact in the future. And we need to harmonize policy about which applications can use which channels.”

At the end of the formal presentations, IAB member Russ Housley moderated a question-and-answer session.

Alistair Woodman asked whether the information collected when a vehicle crosses a bridge or tunnel or pays a toll can be subpoenaed and used against the driver.

“The governments are aware that they are mandating this and looking on very suspiciously at the privacy concerns,” Whyte said. “The whole purpose is to save lives. If 1 percent of people turn it off to avoid being tracked, there is a 2 percent drop in effectiveness. Everyone takes seriously the idea that information won’t be used by law enforcement and won’t be subpoenable.”

Christian Huitema asked if there are any plans to bring the technology developed for vehicular networks into other domains such as the IETF.

“The technology is all public, and none of it is subject to patent,” Whyte said. “We’re building PKI to the capacity of issuing 1,000 certs a year to every vehicle on the road. That massive scale should be possible to support other uses. I’d be very interested in exploring other uses.”

Finally, Charlie Perkins asked if there is a difference in the networking protocols for cars with drivers and self-driving cars.

“On the application layer, there will be huge differences depending on who the information is for, whether a human or an autonomous vehicle,” Sommer said. “But at the physical layer and the MAC layer, they don’t care.”

ITU Secretary-General Shares His Vision

At the conclusion of the IAB plenary session, ITU Secretary-General Houlin Zhao addressed the audience emphasizing the importance of a strong relationship between the ITU and the IETF.

“I would like to strengthen cooperation between the ITU and the Internet Society, the IETF, the IAB, and ICANN for the benefit of our global families,” Zhao said, adding that he is focused on helping the many people around the world who are not yet Internet users. “I encourage you not only to talk about new technologies for those who are already connected, but also encourage you to find innovations for those not connected with technologies that are physical and sustainable.”