We consider two different attacker models. These are a
1. simple attacker, who is an active, local, outsider attacker. This attacker has no physical control over the attacked node(s), i.e., he can only carry out the attack over the air, and an
2. advanced attacker, who is an active, local, insider attacker. The advanced attacker has full control over a valid node being used to attack other nodes. This means in particular that he can manipulate in-vehicle information and switch the vehicle on and off. However, the assumed advanced attacker cannot access the sensitive key material inside the OBU directly, i.e., he cannot circumvent the protection mechanisms of the Hardware Security Module (HSM) holding the sensitive cryptographic material, e.g., private keys for PSCs.
In both cases, the attacker can send GNSS signals to the attacked node containing arbitrary time and location information. As outlined in Section 2.1.2, time and location information inside a VANET protocol stack is highly dependent on GNSS input. The contained time signal is used for time synchronization among nodes. Furthermore, absolute location information is obtained from GNSS. Thus, manipulation of these basic data sets can be expected to have a significant impact on the security of a VANET.
For the case of the simple attacker, the attacked vehicle is controlled by a valid VANET user, i.e., a driver who does not act as an attacker. The attacker tries to attack VANET services inside the vehicle from the outside.
In contrast, the advanced attacker controls a vehicle whose OBU is attacked to generate malicious messages to be used for a (later) attack on valid nodes. In doing so, the attacker makes use of the valid credentials of the node he controls. One should note that an attacker can try to hide his own identity in case of a detected attack, but not the identity of the used node, as AAs can link the used pseudonyms to the node. However, vehicle rental fleets or car sharing fleets are vulnerable to the described attack, as the time of the actual attack on the VANET is (almost) independent of the time at which the attacker controlled the misused valid node.
5.3.1.1 Impact on Security Functionality
Time information is used within the security entity for two main purposes [125], which are
1. setting or checking the sending time stamp of a message, and
2. checking the validity time restriction of certificates.
Thus, an attacker manipulating the time information can make an attacked node emit messages with any time stamp, for which a valid certificate chain is stored. Moreover, all received messages valid at the point of time set by the attacker are accepted.
Absolute position information is used within the security entity for two main purposes similar to time information [125]. These are
1. setting or checking the sending location stamp of a message, and
2. checking the geographical validity restriction of certificates.
Hence, an attacker controlling the location information can make an attacked node transmit messages with any location stamp, for which a valid certificate chain is present. Furthermore, all received messages valid at the location provided by the attacker are accepted. One should note that geographical validity restrictions are not foreseen for PSCs in ETSI ITS. Moreover, the security envelope of CAMs does not hold a location stamp, in contrast to other kinds of messages [125]. Thus, manipulation of the location component is not required for CAM-based attacks.
Location spoofing cannot be used against an RSU, as it has a fixed location. Thus, this location can be stored during setup of the station and no corresponding updates are required during its operation.
In case an attacker targets only a single isolated node, the neighborhood table of this node will be empty. Thus, the station will not send CAMs but only pure beacons. The attacker can easily change this by transmitting his own beacons to the targeted node. Current ETSI ITS standards do not require beacons to be signed by the security entity [122]. Therefore, the attacker does not need access to valid key material to generate the required beacons. This step is clearly not required if the attacker can target at least two vehicles, which will mutually initiate the transmission of CAMs once they have recognized each other's beacons.
In the following, a number of different attacks are described, which are enabled by successful GNSS spoofing of VANET nodes.
DOS Attack Temporal validity restrictions of PSCs enable a simple attacker to perform a DOS attack on nodes. To carry out the attack, the internal time of the attacked node(s) is set to a point in time (past or future) for which they do not hold a valid PSC and also PSCs of nodes within their neighborhoods have either passed the end of their lifetime or their lifetime has not started yet. This causes two effects, which are
• an attacked node is not able to send out any further VANET message, as there is no valid PSC to sign it, and
• an attacked node will discard all received messages, as they seem to be signed by certificates being used outside of their lifetime. Moreover, messages either seem to be massively outdated or to come from the future, which also causes their discarding [54].
Thus, the attacker can ban any further communication between the attacked node and the remaining VANET, which leads to a successful DOS attack. An analogous attack can be performed misusing geographical restrictions of PSCs, too. Unlike for CAMs, the security envelopes of BSMs also use location stamps and not only time stamps.
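The receive-side checks listed above (certificate lifetime, message time stamp, location stamp against the geographical restriction) and the DOS effect of shifting the local clock can be modelled in a few lines. The following Python is an added illustration, not code from the thesis or from ETSI ITS; the tolerance values, the bounding-box region format, the certificate pool and the incoming messages are constructed assumptions, and the half-step check of the GNSS time against a free-running monotonic clock is one generic plausibility check a receiver can apply, not a mechanism the standards mandate.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed tolerances for the receive-side checks; ETSI ITS profiles define their own values.
MAX_MESSAGE_AGE_S = 2      # a received message older than this is treated as outdated
MAX_FUTURE_SKEW_S = 1      # a time stamp further ahead than this is treated as "from the future"

Region = Tuple[float, float, float, float]   # (lat_min, lat_max, lon_min, lon_max) bounding box


@dataclass(frozen=True)
class Certificate:
    cert_id: str
    not_before: int            # validity start, seconds
    not_after: int             # validity end, seconds (inclusive)
    region: Optional[Region]   # geographic validity restriction; None = unrestricted (as for PSCs)


@dataclass(frozen=True)
class SignedMessage:
    cert: Certificate
    generation_time: int
    location: Optional[Tuple[float, float]]   # location stamp (lat, lon); None for CAMs


def in_region(pos: Tuple[float, float], region: Region) -> bool:
    lat, lon = pos
    lat_min, lat_max, lon_min, lon_max = region
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def check_message(msg: SignedMessage, local_time: int, local_pos: Tuple[float, float]) -> Tuple[bool, str]:
    """Receive-side checks of the security entity, all evaluated against the node's own
    (GNSS-derived) time and position. Returns (accepted, reason)."""
    cert = msg.cert
    if not (cert.not_before <= local_time <= cert.not_after):
        return False, "certificate used outside its lifetime"
    age = local_time - msg.generation_time
    if age > MAX_MESSAGE_AGE_S:
        return False, "message outdated"
    if -age > MAX_FUTURE_SKEW_S:
        return False, "message from the future"
    if cert.region is not None:
        if msg.location is not None and not in_region(msg.location, cert.region):
            return False, "location stamp outside certificate region"
        if not in_region(local_pos, cert.region):
            return False, "receiver outside certificate region"
    return True, "accepted"


def select_signing_cert(pool: List[Certificate], local_time: int) -> Optional[Certificate]:
    """Pick a pool certificate valid at local_time; None means the node cannot sign anything."""
    for cert in pool:
        if cert.not_before <= local_time <= cert.not_after:
            return cert
    return None


def gnss_time_plausible(prev_gnss: float, prev_mono: float, new_gnss: float, new_mono: float,
                        max_drift_s: float = 0.5) -> bool:
    """Plausibility check on the time source: the GNSS time must advance in step with the
    node's free-running monotonic clock, so a sudden jump in either direction is flagged.
    It only helps once a trustworthy reference exists; a signal spoofed from the first fix
    on is not detected this way."""
    expected = prev_gnss + (new_mono - prev_mono)
    return abs(new_gnss - expected) <= max_drift_s


def run_dos_scenario() -> Dict[str, Tuple[int, bool]]:
    """Constructed scenario: the same traffic evaluated with a genuine and with a spoofed clock.
    Result per case: (number of accepted incoming messages, whether the node can still sign)."""
    own_pool = [Certificate("psc-a", 1000, 2000, None), Certificate("psc-b", 1800, 2800, None)]
    peer_cert = Certificate("peer-1", 900, 2100, None)
    here = (48.1, 11.6)
    incoming = [SignedMessage(peer_cert, 1499, None), SignedMessage(peer_cert, 1500, None)]
    results = {}
    for label, local_time in (("genuine", 1500), ("spoofed", 6000)):
        accepted = sum(1 for m in incoming if check_message(m, local_time, here)[0])
        results[label] = (accepted, select_signing_cert(own_pool, local_time) is not None)
    return results


if __name__ == "__main__":
    print(run_dos_scenario())   # {'genuine': (2, True), 'spoofed': (0, False)}
```

With the genuine clock both peer messages pass and the node has a PSC to sign with; with the clock moved to a point at which neither its own pool nor the peer certificate is valid, it accepts nothing and can sign nothing, which is exactly the two-sided DOS effect described above. The `gnss_time_plausible` check is the kind of consistency test a receiver can run while operating; it says nothing about the quality of the first fix.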
Acceptance of Outdated Messages An attacker can receive and store valid messages. The simple attacker just uses the messages of nodes he cannot control. In contrast, the advanced attacker can drive arbitrary trajectories and store the corresponding VANET messages emitted by the node under his control.
After having recorded the data sets, the attacker sends out the stored messages in a replay attack. Moreover, he transmits a faked GNSS signal, which causes the time inside attacked nodes to be in line with the time stamps of the replayed messages. This makes the attacked nodes accept the replayed messages. Thereby, bogus virtual nodes can be suggested to various protocol stack entities. For example, the neighborhood table on the network layer will store the invalid nodes as possible message forwarders. Applications reacting to the presence of the invalid nodes may misbehave, too.
Acceptance of Outdated Certificates Similar to the case of outdated messages, an attacker can cause the acceptance of outdated certificates by resetting the internal time of targeted nodes into the past. In case of a pure replay attack, this means that in addition to the validity time check of a message, the corresponding validity checks of the certificates used to secure the message are passed as well. Thus, the outdated message is accepted as a valid one by the receiver.
Moreover, acceptance of outdated PSCs is a particularly sensitive issue in regard to access control in VANETs. In case an attacker can get access to formerly valid, but outdated, sensitive key material, he can use the GNSS-based attack on the internal time of valid nodes to circumvent the access control feature. The attacker can use the outdated key material to generate arbitrary messages and inject them into the VANET. These messages will be accepted by valid nodes as outlined before.
Even in case such an attack gets detected, there is currently no mechanism in ETSI ITS to ban such an attacker from accessing the VANET, as there are no Certificate Revocation Lists (CRLs) in ETSI ITS. Instead, nodes with detected misbehavior do not receive PSC updates from AAs. This approach is intended to make such nodes run out of valid PSCs over time. However, this mechanism does not work in case the outlined GNSS attack is used, as the misbehaving nodes can just use their outdated certificates. In contrast, CRLs are used in WAVE [176]. Hence, the problem affects ETSI ITS in a more severe way than WAVE.
Acceptance of Messages Outside Validity Range Location stamps within the security envelope are used to limit the validity of a message to a dedicated area in connection with a geographical validity restriction of the corresponding PSC. ETSI ITS uses this kind of restriction for DENMs [125].
An attacked node using manipulated location information can be caused to accept messages, which are distributed outside their region of validity. The malicious message can originate from a replay attack.
Creation of Messages with Future Time Stamps To generate signed messages with future time stamps, an attacker sends a spoofed GNSS signal with target time t_f (in the future) to the OBUs of attacked nodes. The advanced attacker can clearly start the attack before starting up the car. Thereby, the GNSS receiver receives the manipulated signal from the beginning of its operation. This makes the attack more likely to succeed, as the receiver's possibilities to detect the attack are greatly limited [299].
The point in time furthest in the future the attacker can use for t_f is the end of lifetime of the PSC that remains valid for the longest time from the current time on. This point in time is denoted by t_f,max ≥ t_f.
If t_f is sufficiently far in the future (i.e., the attacker has enough time for carrying out the attack), the attacker can repeat the procedure described above again and again until he has obtained faked messages signed by all PSCs contained in the OBU which are valid at t_f. Thereby, a successful Sybil attack [86] can be performed, as the attacker can use multiple well-signed sets of messages in parallel. This weakness especially affects VANET implementations using a so-called certificate pool, i.e., many PSCs with overlapping validity time spans are stored within an OBU to keep the frequency of certificate refill procedures low. The advanced attacker can easily create multiple sets of messages for the same time range using multiple stored PSCs with overlapping validity time periods. To do so, he just switches the vehicle off and on again, causing a re-start of the OBU. This causes selection of a new PSC (see e.g., [54]).
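The exposure of a certificate pool design follows directly from the validity periods: t_f,max is the last instant any stored PSC is valid, and the number of PSCs simultaneously valid at some instant in [now, t_f,max] bounds how many distinct, properly signed identities one OBU could produce for that instant. The following Python is an added example for assessing a pool layout, not code from the thesis or from any ITS implementation; the pool shapes (ten week-long certificates starting a day apart versus ten day-long, back-to-back certificates) and the half-open validity convention are constructed assumptions.

```python
from typing import Dict, List, Tuple

# A pool entry is (cert_id, not_before, not_after) with half-open validity [not_before, not_after)
# in seconds; all values below are constructed for the example.
PoolEntry = Tuple[str, int, int]

DAY = 86400


def certs_valid_at(pool: List[PoolEntry], t: int) -> List[str]:
    """Identifiers of all certificates in the pool whose validity period contains t."""
    return [cid for cid, nb, na in pool if nb <= t < na]


def t_f_max(pool: List[PoolEntry], t_now: int) -> int:
    """The latest target time t_f at which the OBU could still sign: the last second of life of
    the certificate that stays valid longest from t_now on (t_f,max in the text)."""
    ends = [na for _, _, na in pool if na > t_now]
    if not ends:
        raise ValueError("no certificate valid at or after t_now")
    return max(ends) - 1


def peak_overlap(pool: List[PoolEntry], t_now: int) -> Tuple[int, int]:
    """(time, count): the instant in [t_now, t_f_max] at which the most certificates are valid at
    once. count is the number of distinct, properly signed identities a single OBU could
    produce for that instant, i.e. the pool's Sybil exposure."""
    t_end = t_f_max(pool, t_now)
    # The overlap count is a step function that only rises at validity starts, so its maximum
    # is attained at t_now or at one of the not_before values inside the window.
    candidates = {t_now} | {nb for _, nb, _ in pool if t_now <= nb <= t_end}
    best_t, best_n = t_now, 0
    for t in sorted(candidates):
        n = len(certs_valid_at(pool, t))
        if n > best_n:
            best_t, best_n = t, n
    return best_t, best_n


def build_pool(start: int, n_certs: int, lifetime: int, stagger: int) -> List[PoolEntry]:
    """Constructed pool: n_certs certificates, each valid for `lifetime` seconds, with validity
    starts `stagger` seconds apart."""
    return [(f"psc-{i:02d}", start + i * stagger, start + i * stagger + lifetime)
            for i in range(n_certs)]


def compare_designs(t_now: int = 0) -> Dict[str, Tuple[int, int]]:
    """Peak overlap of two pool layouts with the same number of certificates: one with week-long
    lifetimes starting a day apart (overlapping), one with day-long, back-to-back lifetimes."""
    overlapping = build_pool(t_now, 10, 7 * DAY, DAY)
    disjoint = build_pool(t_now, 10, DAY, DAY)
    return {"overlapping": peak_overlap(overlapping, t_now),
            "disjoint": peak_overlap(disjoint, t_now)}


if __name__ == "__main__":
    print(compare_designs())   # {'overlapping': (518400, 7), 'disjoint': (0, 1)}
```

The overlapping layout lets a single OBU sign for seven identities at once from day six onwards, while the disjoint layout never offers more than one; the price of the disjoint layout is the higher refill frequency the text mentions. The same two functions can be run over a real pool's validity periods to see what a time shift to t_f,max would buy.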
Even in case the attacker cannot directly control a vehicle's start-up, he can still use the described attack once on every node within the range of his manipulated GNSS signal to obtain properly signed messages from the future. This clearly violates the VANET system security requirement of non-repudiation. In case a start-up of a targeted car is required, an attacker can target places where many such procedures happen, like car parks.
One should note that this kind of attack is especially serious for vehicles with rapidly changing users, e.g., those from car sharing or car rental fleets. An attacker can temporarily use a vehicle from the fleet and generate future messages with its PSCs. Afterwards, he uses the generated and recorded messages (e.g., CAMs and DENMs) significantly after he returned the vehicle. Even in case the node's misbehavior is detected, the vehicle's user at the time the attacker performed his replay attack will be suspected of having caused the misbehavior. This is due to the expected non-repudiation property of the security system, which was actually circumvented by the attacker.
The only kind of validity restriction of certificates not affected by the GNSS attack is the limitation of a certificate to a dedicated set of ITS-AIDs and corresponding SSPs. This kind of usage limitation only relates to the granted capabilities of a node, but not to time or location related information.
5.3.1.2 Impact on Trajectory Modeling
Collision avoidance applications require quite detailed trajectory modeling of nodes to detect possible future collisions [285]. With the outlined attack, an attacker can manipulate the time and location data sets contained in application layer messages, e.g., CAMs and BSMs. These data sets are used by receivers to model the trajectory of the sender. Thus, the attacker can create a node with an arbitrary trajectory at receivers. In case no further validation of the input data can be performed, e.g., by using additional sensors like radar sensors, inappropriate reaction of ADAS may be caused by the attacker.
Moreover, multi-hop communication uses geographic routing in VANETs. To enable such routing, the absolute position of nearby nodes is stored in a neighborhood table inside each node together with a time stamp. This means that the performance of multi-hop communication depends on accurate trajectory modeling. Hence, manipulated GNSS data can be expected to decrease the performance of multi-hop communication.
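A neighborhood table that stores position and time stamp per neighbor can at least subject each update to a movement plausibility test before using the entry for trajectory modeling or forwarder selection. The following Python is an added defender-side illustration, not code from the thesis or from a GeoNetworking implementation; the maximum plausible speed, the entry lifetime, the haversine distance and the constructed trajectories are assumptions. The last two updates in the scenario show the limit of such a check: freshness is judged against the receiver's own clock, so a receiver whose clock has been moved back accepts an old message that a receiver with a genuine clock rejects.

```python
import math
from typing import Dict, List, Tuple

MAX_PLAUSIBLE_SPEED_MPS = 70.0   # assumed upper bound for road vehicles (about 250 km/h)
NEIGHBOR_LIFETIME_S = 2.0        # assumed: entries not refreshed within this time are expired
MAX_FUTURE_SKEW_S = 1.0          # assumed tolerance for time stamps ahead of the local clock


def haversine_m(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in metres between two WGS84 positions."""
    r = 6371000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


class NeighborTable:
    """Network-layer neighbor table: node_id -> (time stamp, lat, lon) of the last accepted update."""

    def __init__(self) -> None:
        self.entries: Dict[str, Tuple[float, float, float]] = {}

    def update(self, node_id: str, t_msg: float, lat: float, lon: float, t_local: float) -> Tuple[bool, str]:
        """Apply a position update (e.g. from a CAM or beacon). Freshness is judged against the
        receiver's own clock t_local; movement plausibility against the previous entry."""
        if t_msg - t_local > MAX_FUTURE_SKEW_S:
            return False, "time stamp in the future"
        if t_local - t_msg > NEIGHBOR_LIFETIME_S:
            return False, "stale update"
        prev = self.entries.get(node_id)
        if prev is not None:
            t_prev, lat_prev, lon_prev = prev
            if t_msg <= t_prev:
                return False, "time stamp not increasing"
            speed = haversine_m(lat_prev, lon_prev, lat, lon) / (t_msg - t_prev)
            if speed > MAX_PLAUSIBLE_SPEED_MPS:
                return False, f"implausible speed {speed:.0f} m/s"
        self.entries[node_id] = (t_msg, lat, lon)
        return True, "stored"

    def expire(self, t_local: float) -> None:
        """Drop entries whose last update is older than NEIGHBOR_LIFETIME_S."""
        self.entries = {nid: e for nid, e in self.entries.items()
                        if t_local - e[0] <= NEIGHBOR_LIFETIME_S}

    def forwarders(self) -> List[str]:
        """Neighbors currently eligible as next hops for geographic routing."""
        return sorted(self.entries)


def run_scenario() -> List[bool]:
    """Constructed sequence of updates; returns whether each one was stored."""
    table = NeighborTable()
    out = []
    # genuine trajectory: roughly 33 m/s northbound, one update per second
    out.append(table.update("car-1", 100.0, 48.1000, 11.6000, t_local=100.1)[0])
    out.append(table.update("car-1", 101.0, 48.1003, 11.6000, t_local=101.1)[0])
    # position jumping about 2 km within one second: rejected by the speed check
    out.append(table.update("car-1", 102.0, 48.1200, 11.6000, t_local=102.1)[0])
    # an old message for car-2: rejected as stale against a genuine clock ...
    out.append(table.update("car-2", 50.0, 48.2000, 11.7000, t_local=102.1)[0])
    # ... but stored if the receiver's clock has been moved back to match it
    out.append(table.update("car-2", 50.0, 48.2000, 11.7000, t_local=50.5)[0])
    return out


if __name__ == "__main__":
    print(run_scenario())   # [True, True, False, False, True]
```

The speed check catches position jumps that no road vehicle can perform between two consecutive updates, which is the cheapest form of the additional validation the text mentions; it does not replace an independent sensor such as radar, and it offers nothing against a consistent, smoothly fabricated trajectory or against a receiver whose own time base has been shifted.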