


An introduction to the concept of VoD is given in Section 2.2.4.6. A set of attacks on VoD in VANET implementations is given in the following. These attacks have not been described in related work, except in prior work of the author in [40]². They assume a local, static outsider attacker.

² The contribution of the co-author is mainly related to dedicated network and facility layer topics. Cross-layer issues were discussed in close cooperation of both authors. Overall, the main contribution is from the author of this work, especially with regard to the proposed attacks.

5.2.1 Denial of Service Attacks by Misuse of GeoNetworking Features

VoD rests on the assumption that only applications need verified data. However, this only holds if the lower layers of the protocol stack act in a completely stateless manner, as in WAVE. This is not the case in ETSI ITS, where the network layer keeps a neighborhood table to provide message forwarding, i.e., multi-hop communication. This leads to the two security weaknesses described in Sections 5.2.1.1 and 5.2.1.2.

5.2.1.1 Neighborhood Table Poisoning

The neighborhood table on the network layer is updated with each received message. If messages are not verified before the update is performed, an attacker can poison the neighborhood table by

• adding extra bogus entries, and/or

• causing bogus updates of existing (valid) entries.

Incorrect entries in the neighborhood table cause incorrect forwarding of messages (i.e., failure to forward or superfluous forwarding). With the CBF forwarding method used in ETSI ITS, an attacker can fake the position of a multi-hop message's sender such that valid forwarder candidates no longer see any progress towards the destination and therefore do not forward the message. Thus, the attacker can perform a DOS attack on multi-hop communication.

Several countermeasures to this weakness are conceivable, including:

• verification of all messages before the neighborhood table is updated. However, this completely disables VoD, as every received message gets verified;

• keeping prior entries instead of replacing them in the neighborhood table. Old entries are only removed after a later update has been verified by some other mechanism. However, this significantly increases memory requirements, because only few verifications are expected to occur;

• storing entries in the neighborhood table only after the corresponding message has been verified. However, the low number of verifications will leave neighborhood tables (very) sparse. Thus, routing can be expected to suffer significantly from this approach.

The disadvantages of these countermeasures, together with the impact of the attack itself, lead to the conclusion that combining VoD with approaches that require keeping a neighborhood table is not recommended.
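The following simulation is an added example (not code from the thesis or from any ETSI ITS stack) of the poisoning described above. It assumes 2-D positions in metres, replaces the security envelope's ECDSA signature with an HMAC under a key the attacker does not hold, and reduces CBF forwarder selection to the progress test "closer to the destination than the sender" (the contention timer is not modelled). Node names, positions and the policy names are constructed for the example.

```python
"""Neighborhood table poisoning against CBF forwarder selection (toy model)."""
import hashlib
import hmac
import math

HONEST_KEY = b"assumed shared key, stands in for the PKI"  # assumption


def sign(mac, pos, key=HONEST_KEY):
    """Stand-in for the security envelope signature over (sender id, position)."""
    body = f"{mac}|{pos[0]:.1f}|{pos[1]:.1f}".encode()
    return hmac.new(key, body, hashlib.sha256).digest()


def verify(msg):
    return hmac.compare_digest(sign(msg["mac"], msg["pos"]), msg["tag"])


def dist(a, b):
    return math.hypot(a[0] - b[0], a[1] - b[1])


class NeighborTable:
    """Location table keyed by sender MAC address, one instance per node.

    policy "on_receive":    entry updated by every received message (the
                            unverified update the text describes)
    policy "verified_only": entry updated only after the message verified
    """

    def __init__(self, policy):
        self.policy = policy
        self.entries = {}

    def on_message(self, msg):
        if self.policy == "on_receive" or verify(msg):
            self.entries[msg["mac"]] = msg["pos"]

    def lookup(self, mac):
        return self.entries.get(mac)


def is_forwarder_candidate(own_pos, sender_pos, dest_pos):
    # CBF: a node contends to forward only if it makes progress towards the destination
    return dist(own_pos, dest_pos) < dist(sender_pos, dest_pos)


def run(policy, poisoned):
    """Returns the MACs of nodes that contend to forward S's multi-hop message.

    Constructed scenario: S and N1..N3 on a straight road, destination 1000 m away.
    If `poisoned`, the attacker first beacons a bogus CAM that claims S's MAC and a
    position at the destination; the attacker cannot sign it.
    """
    nodes = {"N1": (100.0, 0.0), "N2": (200.0, 0.0), "N3": (300.0, 0.0)}
    src, src_pos, dest = "S", (0.0, 0.0), (1000.0, 0.0)
    tables = {mac: NeighborTable(policy) for mac in nodes}

    received = [{"mac": src, "pos": src_pos, "tag": sign(src, src_pos)}]
    if poisoned:
        received.append({"mac": src, "pos": dest, "tag": b"\x00" * 32})
    for msg in received:
        for table in tables.values():
            table.on_message(msg)

    # S's multi-hop message arrives; every neighbour looks S up in its own table
    return sorted(
        mac for mac, pos in nodes.items()
        if tables[mac].lookup(src) is not None
        and is_forwarder_candidate(pos, tables[mac].lookup(src), dest)
    )


if __name__ == "__main__":
    for policy in ("on_receive", "verified_only"):
        for poisoned in (False, True):
            print(policy, "poisoned" if poisoned else "clean", run(policy, poisoned))
```

With `on_receive`, the single unsigned beacon empties the forwarder candidate set for S's genuine message; with `verified_only` the bogus update is rejected, but note that this policy verifies every beacon, which is exactly the verify-all cost the first countermeasure above pays.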

5.2.1.2 Denial of Service Attack by bogus Multi-Hop Messages

The ETSI ITS standard [122] requires a received multi-hop message to be verified if the receiver is about to forward it. This prevents an attacker from flooding the VANET with bogus messages and creating harmful channel load in a large area, as the dissemination area of a multi-hop message is not limited in general.

[54] suggests limiting the size of dissemination areas to several kilometers, but this still massively exceeds the communication range of the attacker. Hence, unverified message forwarding would still significantly amplify the attacker's message injection capability.

The forwarding strategy used in ETSI ITS is CBF. Thus, forwarder selection is done in a decentralized manner: a node considers itself a forwarder candidate if it can achieve progress towards the destination. This decision is made by comparing the node's own position with the position of the sender, which is obtained by a look-up in the neighborhood table based on the sender's MAC address. Afterwards, the timeout for sending is started, as described in Section 2.1.2.

To ensure that targeted nodes consider themselves forwarder candidates, the attacker hijacks a valid identity of a node present in the VANET. Such identities are easily obtained by receiving valid CAMs. An example of such an attack is given in Figure 5.6. In the example, the attacker sends out two bogus messages, one claimed to originate from node A and one from node B. Node C triggers verification of both bogus messages, while the remaining nodes consider themselves forwarder candidates for only one of them (either the one claimed from node A or the one claimed from node B).

[Figure 5.6 (diagram not reproduced): the attacker, nodes A, B and C, the dissemination areas of the messages claimed from node A and from node B, and the forwarder areas targeted with the hijacked sender identities of node A and node B.]

Figure 5.6: Example for DOS attack on VoD by bogus multi-hop messages.

Two possibilities exist for when to trigger verification of the message to be forwarded: either when the timeout is started, or after the timeout has elapsed. The first variant has the advantage that the timeout interval is used in parallel for verification and forwarder selection. However, it causes all nodes that consider themselves forwarder candidates to verify the (bogus or valid) message.

The core advantage of CBF over sender-based forwarder selection is the use of up-to-date information about the current distribution of nodes in the network. Thus, the timeout interval before message forwarding is chosen to be small [141]. Verifying only after the timeout has elapsed adds the verification delay on top of it, so during verification the knowledge used for forwarder selection becomes somewhat out of date. Hence, verification should be fast, which is somewhat at odds with the aim of VoD to reduce the performance requirements for verification. Moreover, this strategy cannot avoid verification of bogus messages at all forwarder candidates: the attacker cannot correctly sign the message, so verification fails and the message is never forwarded. Hence, the timeout at every forwarder candidate elapses (without being canceled by an overheard forwarded copy), causing each candidate to attempt forwarding, i.e., to verify the message.

However, there is an advantage in the case of valid messages. During the verification time, the sender timeouts of additional nodes may elapse, which still causes verification at multiple nodes. However, as long as the verification delay is smaller than the maximum timeout interval, there is the chance to spare verifications at nodes that would not be the first to forward the message. Therefore, verification after the CBF timeout is recommended for nodes with sufficiently fast signature verification.
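The trade-off between the two verification points can be counted in a small model. The following is an added example, not code from the thesis or from an ETSI stack. It assumes a linear CBF contention timer (shorter for more progress; the constants TO_MIN, TO_MAX and DIST_MAX are chosen here, not taken from the standard), that a candidate which overhears a forwarded copy before its own timer elapses cancels without verifying, and that a bogus message fails verification everywhere so it is never forwarded. The candidate positions are constructed.

```python
"""Verifications per multi-hop message under CBF: verify at timer start vs. after timeout."""

TO_MIN_MS, TO_MAX_MS, DIST_MAX_M = 1.0, 100.0, 1000.0   # assumed timer constants


def cbf_timeout_ms(progress_m):
    """Linear contention timer: more progress towards the destination, shorter timer."""
    progress_m = max(0.0, min(progress_m, DIST_MAX_M))
    return TO_MAX_MS + (TO_MIN_MS - TO_MAX_MS) * progress_m / DIST_MAX_M


def verifications(progresses_m, valid, strategy, verify_delay_ms):
    """Number of forwarder candidates that perform a signature verification.

    progresses_m:  progress of each candidate relative to the sender, in metres
    valid:         whether the message carries a correct signature
    strategy:      "at_start"      -> verify as soon as the timer is started
                   "after_timeout" -> verify only when the own timer elapses
    """
    timers = sorted(cbf_timeout_ms(p) for p in progresses_m)
    if strategy == "at_start":
        return len(timers)                 # every candidate verifies, bogus or not
    count = 0
    forwarded_at = None                    # time the first valid copy goes on the air
    for t in timers:
        if forwarded_at is not None and t >= forwarded_at:
            break                          # later candidates overhear the copy and cancel
        count += 1                         # own timer elapsed: verify
        if valid and forwarded_at is None:
            forwarded_at = t + verify_delay_ms   # forwarding waits for the verification
    return count


if __name__ == "__main__":
    # constructed: four candidates at 100, 300, 500 and 700 m progress
    candidates = [100, 300, 500, 700]
    for valid in (True, False):
        for delay in (10, 30, 100):
            print("valid" if valid else "bogus", "delay", delay, "ms:",
                  "at_start", verifications(candidates, valid, "at_start", delay),
                  "after_timeout", verifications(candidates, valid, "after_timeout", delay))
```

For a valid message, verifying after the timeout spares all but one verification when the verification delay (10 ms) is well below the remaining timers, two verifications are needed at 30 ms, and nothing is spared once the delay exceeds the largest timer; for a bogus message every candidate verifies under both strategies, as the text argues.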

If sender-based forwarder selection is used, the outlined attack can easily be targeted at a single node, as the attacker can explicitly select the targeted node as the forwarder. However, the attacker then has to target every node individually, whereas CBF-based forwarding allows attacking all nodes at once.

If the verification capabilities of a node are highly limited, an attacker can exceed them simply by sending more multi-hop messages to the node than it can verify. Thus, verification of all kinds of messages is (massively) delayed, and if the storage capacity of the corresponding buffers is exhausted, affected messages have to be dropped. Hence, such messages cannot be used, leading to failure to forward or to unavailability of information for ADAS. This clearly lets the attacker achieve his aim of a DOS attack, not only on multi-hop communication, but on the entire VANET input of the affected nodes.

One way to avoid the outlined attack is to be able to verify all incoming messages. However, this contradicts the VoD aim of limiting the performance requirement for message verification. An alternative countermeasure is to prioritize verifications: verifications of messages to be forwarded are only performed if the single-hop messages leave enough spare verification capacity. While this still allows an attacker to perform a DOS attack on the multi-hop part of communication, single-hop communication (like dissemination of CAMs) keeps working in the presence of the attack, which limits its impact somewhat.

5.2.2 Denial of Service Attack by bogus Triggering of Applications

VoD triggers verification of VANET messages when they would be used by an ADAS to perform a safety-critical operation, e.g., to display a warning message to the driver. From the definition of ADAS, e.g., in [111, 112], an attacker can easily determine the conditions a bogus message has to fulfill to be regarded as relevant by an ADAS. Straightforward examples include all kinds of road hazard warnings (like an icy road warning), which are taken into account by every node within the relevance area of the warning. The attacker can freely choose this warning area in order to reach as many nodes as desired.

The impact of this attack is similar to that of the attack on message forwarding outlined in Section 5.2.1. If too many bogus messages have to be verified, proper verification of valid messages is at risk. This clearly limits the data quality available to ADAS. If the attacker can send enough bogus messages to prevent verification of valid messages altogether, he achieves a full-scale DOS attack.

The only way to avoid dropping verifications of valid messages is to be able to verify all received messages. However, this contradicts the aim of VoD, which is to limit the required verification performance. Hence, one can either use VoD at the cost of limited system robustness, or use a verify-all scheme to avoid the outlined DOS weaknesses.
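The following scheduler simulation is an added example, not code from the thesis, and covers both the prioritization countermeasure from Section 5.2.1.2 and the application-triggering attack of this section. It assumes a node that verifies `capacity` messages per time slot, holds at most `buffer_size` messages awaiting verification, and drops the newest (or, when prioritized, lowest-priority) messages on overflow; the attacker's messages are constructed to arrive just ahead of the honest CAMs in every slot, and bogus messages fail verification but still consume a verification. The message kinds and traffic mix are constructed.

```python
"""Verification scheduling at a VoD node under a bogus multi-hop flood and a bogus
application-trigger flood, with and without prioritization."""

# single-hop messages (CAMs and application-relevant warnings) before to-be-forwarded ones
PRIORITY = {"cam": 0, "app": 0, "forward": 1}


def simulate(slots, capacity, buffer_size, policy):
    """slots: per-slot lists of (kind, is_valid) in arrival order.
    policy: "fifo" or "prioritized". Returns counters of what got verified or dropped."""
    backlog = []
    stats = {"valid_verified": 0, "valid_dropped": 0, "bogus_verified": 0}
    for arrivals in slots:
        backlog.extend(arrivals)
        if policy == "prioritized":
            backlog.sort(key=lambda m: PRIORITY[m[0]])   # stable: FIFO within a class
        while len(backlog) > buffer_size:               # buffer overflow: drop the tail
            _, valid = backlog.pop()
            if valid:
                stats["valid_dropped"] += 1
        for _, valid in backlog[:capacity]:             # this slot's verification budget
            stats["valid_verified" if valid else "bogus_verified"] += 1
        backlog = backlog[capacity:]
    return stats


def flood(bogus_kind, n_bogus, n_slots=5, honest_cams=2):
    """Constructed traffic: n_bogus unsignable messages of `bogus_kind` per slot,
    each followed by `honest_cams` correctly signed single-hop CAMs."""
    return [[(bogus_kind, False)] * n_bogus + [("cam", True)] * honest_cams
            for _ in range(n_slots)]


if __name__ == "__main__":
    for kind in ("forward", "app"):
        for policy in ("fifo", "prioritized"):
            print(kind, policy, simulate(flood(kind, 20), capacity=4, buffer_size=10, policy=policy))
    # verify-all: capacity and buffer sized for the full input rate
    print("app verify-all", simulate(flood("app", 20), capacity=22, buffer_size=22, policy="fifo"))
```

Against the multi-hop flood, prioritization keeps every honest CAM verified and confines the damage to the forwarding path. Against bogus road-hazard warnings the same scheduler fails, because the attacker's messages sit in the same priority class as the honest single-hop traffic; only a node sized to verify everything it receives keeps the valid messages.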

5.2.3 Attacks on Complex Data Processing on Higher Protocol Layers

A general method for keeping a system secure is to keep the interface(s) exposed to an attacker as small as possible. For VANETs, prior work has argued in favor of changing the security envelope's format so that its content need not be parsed before signature verification takes place [237]. A verify-all scheme only exposes low-level data processing interfaces up to the network layer security entity.

In contrast, the VoD concept suggests parsing the whole message on all protocol layers before deciding whether to verify the message at all [199]. Thus, the attack surface for data parsing and usage is significantly larger with VoD than with a verify-all scheme.

Within ETSI ITS, the data sets on several protocol layers use more complex encoding schemes than in WAVE, for which VoD was initially proposed. The ETSI ITS protocol layers above the MAC layer use variable-length data sets and deeply nested data types [119, 122, 125]. On the facility layer, ASN.1 encoding is used, e.g., in the UPER variant for CAM and DENM. Parsing data encoded with such complex schemes requires complex implementations, which carries a high risk of security problems. Even for comparatively simple ASN.1 encoding rules, like BER, many security problems have been found in implementations in the past [55, 70, 172, 173, 227, 323], e.g., the BERserk vulnerability [172, 173].

Therefore, the effort for a secure implementation of all units that process received data within a node is significantly higher with VoD than with a verify-all scheme. This finding puts the VoD concept into question from a system design perspective.
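The difference in exposed surface can be made measurable. The following is an added example, not code from the thesis or from any ITS stack: a tiny nested tag/length/value encoding stands in for the ASN.1 UPER payloads of CAM and DENM, an HMAC stands in for the envelope's ECDSA signature, and "relevant" means message type 7, an assumed code for a road hazard warning. The decoder is deliberately bounds-checked and merely counts the elements it decodes, so the only thing the two pipelines differ in is how much decoding runs on bytes nobody has authenticated yet. The message bytes are constructed.

```python
"""Parse-then-verify (VoD) versus verify-then-parse (verify-all) attack surface."""
import hashlib
import hmac
import struct

KEY = b"assumed key standing in for the PKI"   # assumption
TAG_LEN = 32
CONTAINER, INT, STRING = 0x01, 0x02, 0x03


def sign(body):
    return hmac.new(KEY, body, hashlib.sha256).digest()


def encode(tag, value):
    """Encoder for the constructed format: 1-byte tag, 2-byte big-endian length, value."""
    if tag == CONTAINER:
        value = b"".join(encode(t, v) for t, v in value)
    elif tag == INT:
        value = struct.pack(">I", value)
    else:
        value = value.encode("ascii")
    return struct.pack(">BH", tag, len(value)) + value


def parse(buf, stats, bucket, depth=0):
    """Bounds-checked recursive decoder; stats[bucket] counts decoded elements."""
    out, i = [], 0
    while i < len(buf):
        if i + 3 > len(buf):
            raise ValueError("truncated element header")
        tag, length = struct.unpack_from(">BH", buf, i)
        i += 3
        if i + length > len(buf):
            raise ValueError("element length exceeds buffer")
        if depth > 8:
            raise ValueError("nesting too deep")
        value = buf[i:i + length]
        i += length
        stats[bucket] += 1
        if tag == CONTAINER:
            out.append(parse(value, stats, bucket, depth + 1))
        elif tag == INT:
            if length != 4:
                raise ValueError("bad integer length")
            out.append(struct.unpack(">I", value)[0])
        else:
            out.append(value.decode("ascii"))
    return out


def verify_all(raw):
    """Verify-all: signature over the raw bytes first; the decoder only sees authenticated input."""
    stats = {"unauth_elements": 0, "auth_elements": 0}
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(sign(body), tag):
        return "dropped", stats
    parse(body, stats, "auth_elements")
    return "accepted", stats


def verify_on_demand(raw, is_relevant):
    """VoD: decode every layer first to decide relevance, verify only if relevant."""
    stats = {"unauth_elements": 0, "auth_elements": 0}
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    try:
        tree = parse(body, stats, "unauth_elements")
    except ValueError:
        return "parse-error", stats
    if not is_relevant(tree):
        return "ignored-unverified", stats
    if not hmac.compare_digest(sign(body), tag):
        return "dropped", stats
    return "accepted", stats


def road_hazard(tree):
    """Assumed relevance rule: first element is a container whose first field is type 7."""
    return bool(tree) and isinstance(tree[0], list) and tree[0][:1] == [7]


# Constructed messages: a well-formed, correctly signed warning ...
GOOD_BODY = encode(CONTAINER, [(INT, 7), (STRING, "icy road"),
                               (CONTAINER, [(INT, 1000), (INT, 2000)])])
GOOD = GOOD_BODY + sign(GOOD_BODY)
# ... and an attacker message whose inner length field points past the buffer, unsigned
_inner = struct.pack(">BH", STRING, 0xFFFF) + b"icy road"
BAD_BODY = struct.pack(">BH", CONTAINER, len(_inner)) + _inner
BAD = BAD_BODY + b"\x00" * TAG_LEN

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("bad", BAD)):
        print(name, "verify-all:", verify_all(raw), "VoD:", verify_on_demand(raw, road_hazard))
```

Under verify-all the malformed message is dropped before a single element is decoded; under VoD the full decoder runs on attacker-controlled bytes for every message, relevant or not, which is the enlarged surface the text describes. A real UPER decoder with a latent bug would be reached in the VoD path only.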

Overall, the weaknesses of VoD found here lead to the conclusion that this verification scheme is not recommended for use within ETSI ITS. Instead, a verify-all scheme should be applied.
