Security Issues and Challenges in V2X: A Survey
Journal Pre-proof
Amrita Ghosal, Mauro Conti
PII: S1389-1286(19)30585-7
DOI: https://doi.org/10.1016/j.comnet.2019.107093
Reference: COMPNW 107093
To appear in: Computer Networks
Received date: 11 May 2019
Revised date: 29 September 2019
Accepted date: 28 December 2019
Please cite this article as: Amrita Ghosal, Mauro Conti, Security Issues and Challenges in V2X: A Survey, Computer Networks (2019), doi: https://doi.org/10.1016/j.comnet.2019.107093
This is a PDF file of an article that has undergone enhancements after acceptance, such as the addition of a cover page and metadata, and formatting for readability, but it is not yet the definitive version of record. This version will undergo additional copyediting, typesetting and review before it is published in its final form, but we are providing this version to give early visibility of the article. Please note that, during the production process, errors may be discovered which could affect the content, and all legal disclaimers that apply to the journal pertain. © 2019 Published by Elsevier B.V.
Amrita Ghosal∗ and Mauro Conti
Department of Mathematics, University of Padua, Italy
{amrita.ghosal, conti}@math.unipd.it
Abstract

In its latest report, the United States National Highway Traffic Safety Administration (NHTSA) registered some 37,300 fatalities from motor vehicle accidents in 2017. Vehicle-to-everything (V2X) plays an important role in improving road safety, traffic efficiency and infotainment systems, and it is emerging as a key component in the rapid rise of connected vehicle technology. Researchers therefore think that the development of robust wireless communication through efficient V2X technologies can significantly improve the vehicular environment. The highly dynamic environment and the mobility factor make V2X technology challenging to implement. As with other wireless technologies, security is also a key concern in V2X. In this survey, we highlight and discuss the main security issues of V2X. In particular, the main objective of this survey is to provide a comprehensive and structured outline of the different research directions and approaches, with emphasis on the security issues and challenges in V2X communication technologies. First, we discuss the key features of V2X and focus on the standardization techniques used for its communication technologies. Then, we introduce the security challenges and requirements of V2X. We also classify state-of-the-art works that implement different security techniques in V2X. We further discuss project implementations that concentrated on the various applications of V2X. Finally, we identify possible future research directions for V2X, particularly in the area of security.

Keywords: Vehicle-to-Everything, Dedicated Short Range Communication, Wireless Access in Vehicular Environments, Long Term Evolution.
∗ Corresponding author
Preprint submitted to Elsevier, January 3, 2020

1. Introduction

The future Intelligent Transport System (ITS) relies heavily on the Vehicle-to-everything (V2X) communication system, which constitutes an integral and fundamental part of its architecture. The prime objective of V2X is enhancing road safety and improving traffic management [1]. V2X communications define the information exchange of a vehicle with different components of the ITS, including pedestrians, other vehicles, transport infrastructure (e.g., traffic signs and lights), and Internet gateways [2]. The last decade witnessed a massive transformation in motor vehicles, from simple mechanical devices to users of highly sophisticated technologies. Nowadays, motor vehicles use sensors that can measure different attributes, thus improving the driver/passenger experience as well as vehicle safety. Still, the transportation system is plagued with several problems. The past few years witnessed rapid expansion of metropolitan areas along with an increase in motor vehicle traffic in large cities. Therefore, traffic congestion and road accidents are on the rise on urban roads and highways, leading to
major socioeconomic issues. In its latest report, the United States National Highway Traffic Safety Administration (NHTSA) registered some 37,300 fatalities from motor vehicle accidents in 2017 [3]. Motor vehicle injuries constitute 99% of non-fatal transportation injuries and 94% of transportation deaths. With yearly increases in travel and no improvement over our current safety performance, fatalities and injuries could increase by 50% by 2020. Emerging ITS technology could dramatically reduce the number of collisions on the nation's highways. A recent analysis suggests that a reduction of more than 1 million collisions per year is possible by 2020. This would correspond to a $25.6 billion economic savings per year [4].

Government agencies, academic institutions and auto manufacturers have undertaken huge efforts to address the above-mentioned road safety problems by providing the transport infrastructure and the vehicles with communication capabilities. This led to the development of V2X communications, which are formed as a combination of Vehicle-to-Vehicle (V2V), Vehicle-to-Infrastructure (V2I), and Vehicle-to-Pedestrian (V2P) communications [5]. Extensive research on present vehicle sensing competencies showcases the potential of V2X in empowering various advanced applications, e.g., remote vehicle diagnostics, intersection collision avoidance, in-vehicle Internet access and cooperative collision warning [6, 7, 8, 9]. V2X communications increase the collaboration among pedestrians, vehicles, and transport infrastructure, which is supposed to reduce road accidents by 80%, resulting in a safer and more secure ground transportation system [10]. Visiongain's report [11] reflects the growing significance of V2X in vehicular communication. Based on a detailed analysis of the global V2X market, the results of the report indicate the rapid advancement of V2X in today's automotive industry.
Visiongain assessed that the V2X market has the capability of generating revenues of more than 37 billion dollars, with sales of vehicles possessing V2X modules rising to 47.1 million in 2016. Various stakeholders are giving special attention to the introduction of V2X in the automotive sector. In the USA, General Motors has announced the sale of cars embedded with V2X technology. Also, four states in the USA (Nevada, Florida, California and Columbia) have already set up laws permitting the use of automotive vehicles on roads. In Europe, the platforms ERTICO [12] and Cooperative-ITS are working on the implementation of V2X. The European Commission also declared the ambitious goal of reducing the number of deaths due to accidents on European roads by 50% by 2020. Therefore, implementing the communication technologies needed for automated driving will provide vital support for setting up new security standards. In Asia, countries such as Japan and Singapore are building smart transportation using V2X. In Singapore, the road transport authority is building an ITS ecosystem devoted to research and innovation in V2X [13]. In Japan, Toyota Motor Corp. and KDDI Corp. took the initiative of establishing a global communications platform for the promotion of connected cars [14]. In China, Tongji University and The National Intelligent Connected Vehicle Pilot Zone are performing experiments on 25 self-driven cars composed of electronic control units, communication units and different sensors [15].

In the recent past, some research works have surveyed V2X communication networks. In contrast to the current study, none of these survey works have focused on V2X security issues for vehicular networks. The paper in [2] surveyed solutions related to cellular and Dedicated Short Range Communication (DSRC) inter-working for efficient and effective V2X communications.
The study in [16] focused on classifying and describing the most appropriate channel models and vehicular propagation, paying particular attention to the models' usability for the evaluation of applications and protocols. Although the authors in [16] provided a thorough description of the different channel models in vehicular communication, the survey did not discuss the security aspects of V2X. In [17], the authors provided an outline of applications and related requirements, together with solutions for associated challenges. The survey in [17] gives a comprehensive summary of the requirements and applications of vehicular networks, but gives less attention to the security issues underlying V2X communication. Given the particular characteristics of pseudonymity, the research
in [18] involves identity and public key based cryptography, symmetric authentication and group signatures that rely on pseudonym techniques. The authors in [18] mainly focused on the different techniques used for guaranteeing security and privacy in vehicular networks, but did not discuss issues related to standard technologies and applications in V2X. The study in [19] surveyed the research areas of different topics in V2X, including standardization activities and historical developments, thereby providing an advanced view of research in different significant areas. The survey in [20] addresses the security problems faced by V2X communication in cellular networks, together with the V2X authentication solutions existing in the literature. The objective of [1] is assessing the effects of OFDM design and performance parameters on the outcomes of V2X communication.

In this survey, our main contributions are as follows:
• We present a detailed and organized overview of the existing V2X communication technologies, including research initiatives, various applications, challenges and requirements for V2X communications.
• We explore the different attacks prevalent in V2X communication together with existing security approaches for thwarting those attacks.
• We categorize the various security approaches adopted in V2X for ensuring security in V2X communication.
• We discuss the possible directions for future research works in V2X, specifically those related to the security issues.
The rest of the paper is organized as follows. In Section 2, we briefly discuss the emergence of V2X in the context of vehicular communication, followed by the standard V2X communication technologies and the application areas of V2X. Section 3 discusses the security challenges and requirements of V2X along with the attacks and their possible mitigation solutions. In Section 4, we categorize and discuss the existing security approaches in V2X. Section 5 describes the projects that were undertaken or are ongoing in V2X. Finally, we identify the open issues in V2X in Section 6 and conclude in Section 7.
2. Background
In this section, we briefly discuss the different communication systems used in V2X. In particular, Section 2.1 gives the background of V2X technology, Section 2.2 presents the V2X communication technologies, and Section 2.3 presents the V2X applications.

2.1. V2X Introduction

[Figure 1: Example of V2V and V2I communication. Labels: Internet, ITS Server, RSU, V2I Communication, V2V Communication.]

The connected transportation system is heavily dependent on a robust wireless communication network. Reliable and seamless V2X communication is an important aspect of connected vehicle technologies. Many communication technologies exist, such as Wi-Fi, WiMAX, Long Term Evolution (LTE) and DSRC, but not all of them can provide the minimum delay, reliability and accurate data transmission that safety applications in connected vehicles need. As an example, the DSRC technology delivers features such as rapid network connectivity, low communication latency, and very secure as well as fast communication for various safety related applications, but depending on DSRC alone is not a good option for different connected vehicle technologies [21]. Therefore, research activities on wireless technologies that can increase V2X communication for diverse applications are being considered. Also, the effect of combining DSRC with WiMAX, Wi-Fi and LTE is being explored [22]. Furthermore, it is obvious that installation of DSRC roadside components will take place at important
positions like junctions and intersections. So, the coverage limitation of DSRC (about 300 m) and the integration of the prevailing LTE, WiMAX, and Wi-Fi networks provide a heterogeneous wireless network suitable for connected vehicle applications. Thus, the DSRC technology forms an integral part of ITS and aims to contribute towards safer and more efficient road networks.

Statistical data obtained from [23] reveal that traffic accidents in Europe in 2014 accounted for the loss of about 25,700 lives and caused injury to another 200,000 people. Therefore, vehicular networks are intended to reduce accidents by implementing road safety applications such as lane changing warnings. Vehicular networks also take into consideration other prime areas of concern, such as the provision of infotainment applications and efficient traffic management. In general, vehicular networks consist of two different modes of communication: V2V and V2I. The combination of these two modes of communication results in the V2X technology. Figure 1 shows an illustrative example of V2X communication (i.e., V2I and V2V communications). Vehicles using V2V communications are provided with Wireless Access in Vehicular Environments (WAVE) [24], which has no centralized control; rather, communication is done in an ad hoc manner. V2X communication suffers from the fact that it provides limited connectivity of vehicles, particularly in locations where vehicles become sparse. V2I communication, in contrast, uses fixed infrastructure components on roads, namely Road Side Units (RSUs), for Internet connection by vehicles or data exchange. The RSUs in general are base stations placed at intersections of roads, in places like petrol pumps and bus stops. The RSUs communicate with the On-Board Unit (OBU) in vehicles [25] to receive and transmit information on road conditions, such as traffic calculation, from and to adjacent vehicles while they are on the move [26].
Due to the reliable characteristics of V2I communication, it is well suited to real-time applications. In addition, V2I has the capability of creating multihop communication routes for exchanging/forwarding data with/to other vehicles [27]. V2I communication is advantageous for several applications, like payments, infotainment applications, and efficient road utilization.

Research on vehicular networks and communications is receiving overwhelming attention globally. Several car companies together with government institutions are making huge investments in V2X communication. Presently, the European Union, the US Department of Transportation and Japan are running several research projects on V2X communication. All these projects share the common objective of improving on-road safety.
2.2. V2X Communication Technologies
[Figure 2: DSRC Channel Spectrum. Channels CH 172 to CH 184 over a frequency axis from 5.85 to 5.92 GHz; labels: Accident Avoidance, Safety of life; Service Channels (SCH); Control Channel (CCH); High Power, Long Range.]

The use of standardized protocols in the development of vehicular technology has resulted from the standardization initiatives undertaken for vehicular networks. Examples of such vehicular network standards are DSRC and WAVE. The main aim of these protocols is to specify the communication architecture, frequency sharing, application management, security algorithms and messaging. At present, cellular systems are evolving to provide connectivity for V2X services in 5G systems and LTE networks. The involvement
of cellular systems in providing connectivity to V2X is mainly because of the high data rates, low latency, controlled QoS, and reliability of such systems, which provide wider coverage capacity and global deployment [28, 29]. More specifically, V2X services in LTE networks (release 14 and 15), along with enhanced V2X (eV2X) in the upcoming release 16 [30], are specified by the 3GPP standardization body. The important communication standards for vehicular networks are described below.

2.2.1. Dedicated Short Range Communication (DSRC)

The DSRC technology has a wide range of applications in the context of V2X communication, mainly in areas related to safety. In 1999, the USA Federal Communication Commission developed and standardized the DSRC technology, which originated from the IEEE 802.x family [2]. Different standardization bodies, such as IEEE 1609.x [17], IEEE 802.11p [31], and ETSI ITS-G5 [32], developed different DSRC communication standards. V2V and V2I communications are supported by the aforementioned standards, whose designs are based on the Carrier Sense Multiple Access with Collision Avoidance (CSMA/CA) mechanism [33]. Therefore, the DSRC technologies are very much specific to the region where they are used and also depend on the supporting standard, the assigned spectrum band, and the V2X application. DSRC utilizes the 5.9 GHz licensed spectrum and consists of seven channels, as shown in Figure 2. Each of the seven channels has a bandwidth of 10 MHz. Of the seven channels, the two located at the ends of the spectrum are kept for dedicated usages. The channel in the center, which is the Control Channel (CCH), is used for applications related to safety. The CCH is responsible mainly for providing communication safety only. The remaining channels in the bandwidth are referred to as the service channels. Both non-safety and safety purposes use the service channels.
The DSRC standardization followed in the USA, Europe and Japan differs to some extent with respect to bandwidth allocation, rate of data transmission, radio frequency selection and coverage. Currently, some DSRC bands are utilized for specific scenarios like electronic toll collection. In Europe, North America and Japan, the bands of 5795-5815 MHz, 902-928 MHz and 5770-5850 MHz, respectively, are presently in use, while the remaining allocated spectrum in DSRC remains unutilized. Different standardization bodies are responsible for developing the DSRC standards: IEEE provides the standardization of DSRC in North America, the European Telecommunication Standards Institute in Europe, and the Association of Radio Industries and Businesses in Japan.

[Figure 3: DSRC Communication Stack. Blocks: Resource Manager, Safety Applications, Non-Safety Applications, API, Security, WSMP, WME, UDP, TCP, IPv6, MLME Extension, Multichannel Operation, MLME, WAVE Lower MAC, PLME, WAVE PHY; planes: Management Plane and Data Plane; OSI Model Layers 1 to 4.]

Figure 3 shows a typical communication stack for DSRC consisting of two prime planes, namely the data plane and the management plane. The data plane performs the task of data processing, e.g., addition or deletion of frame headers. Data Service Access Points (DSAP) describe the correct interfaces between the various data stacks. Communication commands, for example channel switching and synchronization, are executed by the management plane. A part of the DSRC standard is focused on describing the Management Service Access Point (MSAP) with respect to every entity. Standardizing Service Access Points (SAPs) allows plugging of various
units. For example, the SAP between WSE and WME shown in Figure 3 is mentioned in both 1609.3 [34] and 1609.2 [35]. The applications of DSRC use the UDP/TCP interface stack. The DSRC communication stack also includes the WAVE Short Message Protocol (WSMP). WSMP packets may have special requirements, such as a particular data rate or transmission power. Before every packet is transmitted, the MAC and PHY layers check its contents and adjust the data rate and radio power [36, 37]. WSMP performs the additional tasks of implementing security policies, responding to probable attacks [34] and monitoring traffic patterns. Another entity of the DSRC communication stack is the WAVE Management Entity (WME). The WME defines the transmission channel along with the QoS priorities when data frames are scheduled. These priorities provide the capability of transmitting emergency safety messages with minimum delay. The WME also manages the handling of safety messages, frame queuing and priority channels, and processes specific tasks in coordination with other design entities. Key management and data encryption mechanisms are managed by the WAVE Security Entity (WSE).

Several efforts were undertaken by governments, industrial organizations, academic and research institutes, and standardization bodies to overcome the limitations faced by DSRC when implemented in V2X applications. Despite the use of DSRC in V2X, this technology faces certain limitations. Vehicular networks are highly dynamic in nature, which causes severe problems for maintaining the network path between the gateway and the vehicle. DSRC applications in V2X networks that depend heavily on real-time data become restricted due to these limitations. Also, the performance of DSRC is degraded by the use of the CSMA/CA technique.
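The effect of CSMA/CA contention on broadcast safety messages can be made concrete with a small model. The following is an added example, not code from the survey: it assumes that n vehicles start contending at the same instant, that each draws one backoff slot from an assumed window of 16 slots, that broadcast frames are neither acknowledged nor retried, and that there are no hidden terminals; all function and constant names are hypothetical.

```python
"""Added illustration (not from the survey): CSMA/CA contention among
vehicles that broadcast safety messages on one DSRC channel.

Assumed, simplified model (every name and number here is an assumption):
  * n vehicles each have one broadcast queued when the channel goes idle;
  * each draws one backoff slot uniformly from 0..cw; broadcast frames are
    not acknowledged, so there is no retry and no window growth;
  * counters freeze while another vehicle transmits, so two frames collide
    exactly when their senders drew the same slot;
  * all vehicles hear each other (no hidden terminals).
"""
import random
from collections import Counter

ASSUMED_CW = 15  # assumed contention window: slots 0..15


def expected_delivery_ratio(n, cw=ASSUMED_CW):
    """Closed form: a frame survives if none of the other n-1 senders
    drew its slot, i.e. (cw / (cw + 1)) ** (n - 1)."""
    if n < 1:
        raise ValueError("need at least one contending vehicle")
    return (cw / (cw + 1)) ** (n - 1)


def simulate_delivery_ratio(n, cw=ASSUMED_CW, rounds=5000, seed=1):
    """Monte Carlo check of the closed form with a seeded generator."""
    rng = random.Random(seed)
    delivered = 0
    for _ in range(rounds):
        picks = Counter(rng.randint(0, cw) for _ in range(n))
        # A slot drawn by exactly one vehicle carries a collision-free frame.
        delivered += sum(1 for count in picks.values() if count == 1)
    return delivered / (n * rounds)


def max_contenders(target_ratio, cw=ASSUMED_CW):
    """Largest number of simultaneous broadcasters that still meets the
    target delivery ratio under this model."""
    if not 0 < target_ratio <= 1:
        raise ValueError("target_ratio must be in (0, 1]")
    n = 1
    while expected_delivery_ratio(n + 1, cw) >= target_ratio:
        n += 1
    return n


if __name__ == "__main__":
    print("vehicles  analytic  simulated")
    for n in (1, 2, 5, 10, 20, 50):
        print(f"{n:8d}  {expected_delivery_ratio(n):8.3f}  "
              f"{simulate_delivery_ratio(n):9.3f}")
    print("max contenders for 90% delivery:", max_contenders(0.9))
```

Under these assumptions fewer than 5% of frames survive when 50 vehicles contend at once, so availability of safety broadcasts in dense traffic depends on load control as much as on message authentication.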
For example, in a highly dense scenario, the channel contention increases to a great extent, resulting in performance deterioration of IEEE 802.11. The safety applications in V2X mostly rely on broadcast communication, and the degraded performance of DSRC with increasing vehicle contention makes it highly unsuitable for broadcast communication. Recent research works have revealed poor performance of DSRC with respect to reliable and efficient V2X communication [2, 38]. The poor performance of DSRC arises from the high chance of collisions, especially in situations with excessive density of vehicles. Further, the DSRC technology suffers from several deficiencies, such as unbounded delays, scalability issues, and lack of deterministic QoS support. Therefore, DSRC is not a good choice for delay-sensitive V2X applications.

[Figure 4: WAVE Architecture. Blocks: Resource Manager, UDP/TCP, Security Services, WSMP, IPv6, WME, LLC, Multichannel Operation, WAVE MAC, MLME, WAVE PHY, PLME; standards labelled: IEEE 1609.1, IEEE 1609.2, IEEE 1609.3, IEEE 1609.4, IEEE 802.11p.]

V2V safety applications are allocated limited bandwidth in the DSRC frequency spectrum, which is insufficient for
satisfying the excessive traffic demand for V2V in future [17].

2.2.2. Wireless Access in Vehicular Environments (WAVE)

DSRC is derived from the IEEE 802.11a standard. In DSRC, the main change was made at the physical layer. The change involved suppression of the authentication process to speed up the selection processes and network discovery. However, DSRC faced several overheads inherited from the MAC layer, and these constraints made it tough to achieve the rapid data exchange that is very much necessary for vehicular networks [39]. To overcome this problem, the American Society for Testing and Materials (ASTM) working group, ASTM 2313, transferred DSRC to IEEE 802.11p WAVE, where both the physical and MAC layers are integrated [39]. Two classes of devices are defined in WAVE: RSU and OBU. The RSU is primarily used as a movable device, whereas the OBU is mainly used as a static device. WAVE uses orthogonal frequency division multiplexing to divide the signal into a number of narrow band channels. The WAVE architecture is developed on the IEEE 802.11 standard [40, 41]. Layer 1 and a part of layer 2 of the protocol stack represent the WAVE architecture (see Figure 4). The differences between the operating environment of an IEEE 802.11 wireless local area network and that of a vehicular network led to the development of another standard, called IEEE 802.11p [42]. IEEE 802.11p specifies the data transmission part of the protocols together with the management tasks allied with the corresponding layer. In Figure 4, the blocks MAC Layer Management Entity (MLME) and Physical Layer Management Entity (PLME) represent the management tasks. IEEE 802.11p is the final version of this technology and uses the 5.9 GHz frequency band. The physical and data link layers are developed in the IEEE 802.11p standard, while the upper layers are developed by IEEE P1609 [43].
The architecture of WAVE is made up of the following main components: the resource manager, multichannel operation, the WAVE Short Message Protocol at the network layer, and IEEE 802.11p at the underlying layers. Both IP and non-IP applications are supported by WAVE. In non-IP applications, the physical properties of the transmission channel are controlled by the applications using the WSMP protocol. The two device types required by WAVE are OBUs and RSUs. RSUs are static entities on the road side, while OBUs are placed inside vehicles and are able to communicate with RSUs and other OBUs. Both RSUs and OBUs can organize themselves into smaller networks referred to as WAVE Basic Service Sets (WBSS). A WBSS comprises either only OBUs, or a combination of RSUs and OBUs. A service channel is used by all the members for communication.

[Figure 5: WAVE Channel Spectrum. Channels CH 172 to CH 184 over a frequency axis from 5.85 to 5.92 GHz; labels: HALL Channel, Service Channels (SCH), Control Channel (CCH).]

The architecture of WAVE is made up of 2 stacks with common layers between them. The first stack is used for IP communication, while the second one is used for WSMP. The
common layers of the two stacks are the data link and physical layers, while the stacks differ with respect to the transport and network layers. The two protocol stacks serve different purposes. The first stack supports low priority communication such as TCP/UDP. The second stack facilitates higher priority communication that requires low error as well as low latency. IEEE 802.11p defines the data transmission of the protocols along with the management functions of the physical and data link layers. WAVE units may need to divide their time between the SCHs and the CCH. This necessitates a sublayer at the level of OSI layer 2 in the WAVE protocol stack for dedicated control of the multichannel operation, which IEEE 1609.4 specifies. The logical link control layer, which is the remaining part of OSI layer 2, follows the IEEE 802.2 standard. At the level of OSI layers 3 and 4, IEEE 1609.3 specifies the WSMP and defines the inclusion of UDP, TCP and IPv6 in the systems. The defined set of management functions is utilized for providing networking services. IEEE 1609.1 and IEEE 1609.2 support the resource manager and the security service block, respectively. Certain advantages of the 802.11 standard make it suitable for use in the vehicular domain. IEEE 802.11 is a stable standard, and therefore supports interoperability between vehicles of various companies as well as the various road side infrastructure placed at diverse locations. The WAVE channel spectrum is shown in Figure 5. In spite of the efforts invested in improving the WAVE functions to satisfy the dynamic nature of vehicular networks in terms of high speed and varying topology, a recent study [44] has identified different challenges that need attention in future research.

2.2.3. Long Term Evolution (LTE)

The 3rd Generation Partnership Project (3GPP) undertook the standardization of Long Term Evolution (LTE)-based V2X to support solutions related to V2X communications. The standardization of LTE also benefited from the worldwide deployment of LTE systems as well as its rapid commercialization. The Chinese vehicular communication industry made wide use of LTE-based V2X. The 3GPP standardization progress redefined LTE-based V2X as LTE V2X. LTE release 14 [45] contains more than 30 studies, which include LTE-V2X. At present, preference is given to LTE mobile networks for communication between the road side infrastructure and vehicles. The advantages of LTE for V2X communication are that it provides greater mobility support, high network capacity and greater coverage when compared with 802.11p, but it has the drawback of higher latency under increased network load [46, 47]. End users are provided with real broadband through small LTE base stations that form micro cells. V2X communication is facilitated using the micro cells over LTE-enabled smartphones or vehicular on-board units [46]. Qualcomm's Snapdragon X5 LTE modem is an example of an LTE OBU. With the standardization of LTE-V2X, V2X communication is also being aided by LTE device-to-device communication. 3GPP SA1 initiated the Release 14 LTE-V2X SI in February 2015 with backing from a
substantial number of companies [48]. In [49], the authors stated that hybrid approaches that combine LTE and 802.11p are also appropriate for V2X communication. The standardization required for supporting LTE-based V2X is planned to be completed soon, to obtain improved system performance and respond to the upcoming market potential [50, 51]. Some research projects and field tests are being conducted in some countries based on the development of LTE V2X standardization in 3GPP. For example, in China, 20 MHz of frequency has been officially allocated for validation of LTE V2X in six pilot areas. One of the National Science and Technology special projects in China is the standardization and prototype validation of the LTE project. Also, the next generation mobile networks alliance V2X task force and the 5G automotive association were established in 2016. The LTE stakeholders and the automotive industry are cooperating with each other to promote V2X solutions based on new directions.

2.2.4. 5G Technologies for V2X

The Fifth Generation (5G) systems are formulated as being highly flexible, with programmable end-to-end communication, computing infrastructures and networking [52]. All these features lead to enhanced performance with reference to throughput, reliability, mobility, latency and capacity, as well as satisfying the diversified requirements of many services. These services are classified by the International Telecommunication Union (ITU) into specific use cases: (i) enhanced mobile broadband, e.g., ultra-high definition TV, (ii) massive machine-type communications, e.g., metering, logistics, smart agriculture, and (iii) ultra-reliable and low latency communications, e.g., autonomous driving, automated factory.
Organizations such as the Third Generation Partnership Project (3GPP) [53], the Next Generation Mobile Network Alliance [54] and the 5G-Public-Private Partnership Association have incorporated the use cases described above in their own use case definitions. All the organizations have agreed upon merging the mobile broadband and vertical sectors into a common physical infrastructure that is accessible through network slices. A network slice is defined as a collection of Core Network (CN) and Radio Access Network (RAN) functions that are configured to meet the requirements of the use cases. The 5G systems are expected to assist new services required by emerging and important areas, such as V2X. The 5G capacity requirements call for improved spectral efficiency, which motivates research on interference management for device-to-device communication. Irrespective of the specific performance requirements, the heterogeneous nature of the services, access networks and devices that 5G needs to support will require significant modifications to the network architecture. To tackle such heterogeneity, flexibility is going to be the key characteristic of next generation networks. The flexibility required of the architecture is achieved by design, leveraging network functions virtualization, software defined networking, and cloud and edge computing. In one such work [55], the authors described a generic software defined wireless network architecture based on a common core network and various RANs, together with a mobile network Software Defined Network (SDN) controller. The capabilities of the RANs are extended with programmability, and the transport network consists of programmable switches and routers. The authors proposed two approaches. In the first approach, the authors implemented the standardized interfaces with the help of the SDN controller. For the second approach, the Control Plane (C-Plane) functions are directly programmed into the SDN controller. The authors in [56] developed a 5G architecture using two network layers (L1 and L2), a radio network and a network cloud. The radio network provides a minimum set of L1 and L2 functionalities, while the network cloud is responsible for higher layer functionalities. Also, a protocol stack is formed from this architecture by combining the Access Stratum (AS) and Non-access Stratum (NAS) functionalities. On the user plane, RAN L2 and the gateway functionalities in the CN are merged to achieve dynamic network deployment. Another work [57] focuses on a 5G C-Plane that provides connectivity management as a service while maintaining mobility, handoff and routing management.
Table 1: V2X Applications
Application Type | Potential Benefits | Channel Models | Latency | Packet Loss Rate
Road Safety Applications | Collision avoidance (safe distance), Road sign notifications (curve speed warning), Incident management (emergency vehicle warning) | DSRC, WAVE, Wi-Fi, cellular network | Very low, less than 100ms | Very low
Traffic Management Applications | Traffic management (intelligent traffic flow control), Road monitoring (vehicle tracking) | DSRC, WAVE, cellular network, ZigBee | Low | Low
Comfort and Infotainment Applications | Entertainment (music download), Comfort (parking booking) | DSRC, WAVE, cellular network, WiMAX | Medium | Low
The RAN and CN functions are merged and implemented as running applications on one or more hierarchical controllers. The authors in [58] showcase new technologies such as mmWave and VVLC that are to be incorporated in the 5G V2X access architecture to support particular V2X use cases. It is expected that the new cmWave macro-cellular system will co-exist with the LTE-based cellular system and also with IEEE 802.11p. The macro-cellular network will provide increased coverage, high data rates and low latency for data and control information. The macro-cellular network will also connect with the small cells, RSUs and other infrastructural units. The new technologies will be able to support short-range high throughput communication that will form an integral part of the advanced 5G V2X system.
2.3. V2X Applications
In this section, we present the V2X applications in vehicular environments, as illustrated in Table 1. V2X applications in vehicular networks consist of traffic management applications, road safety applications, and comfort and infotainment applications. Examples of road safety applications include hazard warnings on roads and driver assistance applications, while traffic management applications include remote vehicle diagnostics and air pollution monitoring [24]. Infotainment applications consist of entertainment, such as music download, and comfort-related applications. The applications of V2X in vehicular networks are defined below.
2.3.1. Road Safety Applications
These applications assist drivers with information about the various potential dangers and situations that are not visible to them [59]. These applications are of two types: time-critical applications and less time-critical applications. The time-critical applications, also referred to as hard safety applications, are responsible for providing precautionary measures to avoid or minimize crashes or hazards. The hard safety applications therefore require decisions to be taken in real time. On the other hand, less time-critical applications, or soft safety applications, include information that enhances the safety awareness of drivers. Therefore, the soft safety applications do not need to take immediate decisions. The primary challenge in safety-related applications lies in achieving low latency, which is mostly below 100ms in such scenarios [60]. The work in [61] provides information regarding V2X safety applications.
2.3.2. Traffic Management Applications
These applications improve traffic management on roads. This improvement is facilitated by assisting users with traffic and making them aware of the local traffic information. Information about road conditions is collected by a vehicle or RSU, which in turn transfers this information to other vehicles directly or indirectly. Examples of traffic management applications are speed management and cooperative navigation [17]. Vehicles receiving messages related to traffic management should take the necessary actions, for instance by following an alternative route to avoid the underlying hazards.
2.3.3. Comfort and Infotainment Applications
These applications provide Internet access to moving vehicles, giving passengers a seamless connection so that they can continue their work without interruption. Passengers access different web applications as well as applications related to VoIP, video and navigation services [28]. Examples of such applications range from finding the nearest restaurant to locating a nearby gas station. The nature of these applications is such that they do not strictly adhere to the communication constraints of packet loss or delay in packet transmission. These applications depend heavily on the capabilities of V2X communication technologies. The RSUs enabled by WAVE provide low latency for V2X communications. The advancement of cellular technologies has increased their chances of reducing the latency for safety applications [62]. Recent studies on the current version of LTE show it to be capable of providing low transmission latency and a very high data rate [47]. These features make LTE highly suitable for safety applications.
3. V2X Security Challenges and Requirements
In this section, we discuss the security challenges and requirements in V2X. In Section 3.1, we discuss the security challenges for V2X. In Section 3.2, we present the security requirements for V2X. In Section 3.3, we provide the attack classification for V2X.
3.1. Security Challenges for V2X
V2X is widely used in several applications in vehicular communication. These applications include traffic safety applications along with infotainment applications, which impose diverse requirements on the implementation of V2X in vehicular communication. These varied requirements give rise to research challenges. We list below the primary security challenges for V2X.
3.1.1. Dynamic Network Topology
The dynamic nature of the network topology due to mobility in V2X is a major challenge that is difficult to handle, particularly with respect to security frameworks. Vehicles generally move at high velocity and therefore make connections of short duration. Adapting the security features to a quality of communication that is influenced by high-velocity vehicles thus becomes a huge task.
3.1.2. Network Scalability
The V2X technology encompasses a large scale network of vehicles worldwide. V2X standards, for example DSRC, do not need a global governing authority. Managing control of a large network together with security issues such as certificate exchange is quite a demanding task. Security techniques that need prior information about the participating vehicles/nodes are not appropriate for such networks.
3.1.3. Heterogeneity
The heterogeneity of future vehicular networks results from the implementation of various network infrastructures throughout the world. The different vehicle manufacturers will implement the technologies based on their respective country's security and privacy policies. It is therefore quite evident that proper synchronization between the specific security features adopted by the different manufacturers and the V2X technology is hard to achieve.
3.1.4. Communication Latency
Latency in V2X communication may result from issues such as which information to collect and what to filter, which data should be processed, and what should be transmitted and received. Therefore, all the factors that relate to communication latency in V2X should be addressed so that safety and security critical situations are handled in real time.
3.1.5. Data Priority
The V2X communication network should be able to prioritize data received from hundreds of nodes. The data processing should take into account prioritization, buffering and queuing techniques to ensure a robust and efficient data communication link. The data received from security critical sectors must be handled with the highest priority, so as to prevent collateral damage in the network. Therefore, data priority must be handled with the highest importance, so as to prevent collateral damage in the network.
3.1.6. Adoption to Future Platforms
The V2X communication and security architecture should be compatible with upcoming vehicular technologies. The integration of security and privacy features is based on the hooking concept, which preserves compatibility. The hooking concept places interlayer proxies at different points of the communication stack. So, only the intermediate layers need to be configured if the security features have to be transferred to new platforms.
3.1.7. Attack Prevention
Future vehicular communication is envisioned to support applications of various kinds and allied services. To enable these activities, vehicles will have to transmit critical data, for example vehicle identity, that requires maximum security to be accepted from the perspective of the total communication system. Attacks in V2X are broadly categorized into two types, viz., attacks on the system and attacks on the user. Examples of attacks on the user consist of congestion and vehicle crashes, or reducing the user's trust in the system because of message unreliability. Attacks on a V2X communication system consist of tracking the instant locations of specific vehicles and falsely generating misconduct reports from a vehicle, resulting in revocations or sanctions against innocent drivers. One solution for mitigating the aforementioned attacks is to design a specific PKI system that sustains the high mobility of vehicular communication.
3.1.8. User's Trust and Privacy
Ensuring the users' trust in the system is a major challenge to overcome. Customers do not want vehicles that are susceptible to privacy issues or traffic rule violations. Effective measures for protecting users' privacy are the use of cooperative intelligent transport systems and PKI based solutions. Other techniques use group-based solutions or decentralize the key distribution process. The SeVeCom project [63] used frequently changing pseudonyms to make vehicle tracking difficult. There are also other techniques that depend on group signatures, where vehicles in close proximity are grouped together. In grouping, only one signature is generated, which protects the anonymity and privacy of the group members [64, 65, 66]. But for the actual scenario,
the proposed solutions may not be good enough and therefore, techniques such as hybrid solutions are being looked into by present researchers.
3.2. Security Requirements for V2X
V2X communication deals with communications related to both V2I and V2V. The entities involved in both of these communications are vulnerable to attacks prevalent in wireless networks. An example of an attack scenario is an attacker compromising a vehicle and triggering false hazard warnings, such as a dead end. The false warnings impact all the vehicles connected together in the communication stream. Similarly, the transmitted messages can be forged by attackers to mislead other vehicles in the network. All these examples illustrate the importance of meeting the security requirements in V2X communication for vehicular networks. Considering the broad scope that V2X communication handles, it is evident that attacks can be carried out on a large scale. The major challenge lies in designing secure protocols for the correct detection of, and defense mechanisms against, the attackers. To increase users' trust in the capabilities of V2X, there is a need to develop trustworthy systems. These systems must meet the needs of their users with respect to security, privacy, reliability, and integrity. The first major step in achieving trustworthiness is to properly and faithfully capture the security requirements. The security requirements vary depending on the different attack approaches. Instead of providing approach specific security requirements, we provide a generalized outline of the V2X security requirements in this section.
• Authentication. It implies that the receiver is ensured of receiving messages from a genuine sender [67].
• Message Integrity. Integrity is preserved if the contents of the messages are not modified or altered while the message is being transmitted [68, 69].
• Access Control. It serves to grant the various network entities access to specific services. The property of access control authorizes a node to perform the actions in the network that it is allowed to perform, e.g., the network protocols that the node can execute [70].
• Message Confidentiality. This provides assurance that message contents are not disclosed through unauthorized access [71].
• Availability. The services and protocols should remain functional even if faults occur. Therefore, the availability requirement guarantees secure, fault tolerant protocols that are able to restabilize themselves after the exclusion of the fault [72].
• Privacy and Anonymity. V2X communication should protect the privacy of network users. The personal and private information of the customers should not be disclosed. Therefore, in a broader context, privacy refers to information/data hiding, while anonymity is considered a subset of privacy in vehicular networks.
For the feasibility of the V2X technology, one of the impeding challenges is ensuring interoperability among heterogeneous devices [73]. As a result, the 3GPP has worked on standardization of the LTE protocol to fit the requirements and services of V2X communications. 3GPP has focused on supporting different types of communications using one standard. The first release (Release 8) was in 2008, while the standardization of LTE Advanced Pro (Release 14) was finalized at the beginning of 2017 [74]. The security requirements needed in 3GPP are mutual authentication and authorization, confidentiality and integrity protection, replay protection, secure provisioning and storage, and privacy [75]. In V2X, the security of
[Figure 6: Attack Classification for V2X. Top-level branches: Behavioral Pattern (Selfish Attacks, Malicious Attacks), Attacks on H/W and S/W, Attacks on Infrastructure, Attacks on Privacy, Data Trust Attacks.]
3GPP TS 33.401 [76] and TS 33.402 [77] will be applied. The security for broadcast authentication among the User Equipments (UEs) uses an identity-based or certificate-based security solution. For authorization and accountability, public key cryptography and long-term certificates should be used. The data transfer between UEs and the V2X control function depends on Generic Authentication Architecture (GAA) access to the network application function using 3GPP TS 33.222 [78]. Privacy can be achieved by use of either a Pseudonymous Mobile Subscriber ID (PMSI) or an encrypted International Mobile Subscriber Identity (IMSI). For Machine Type Communication (MTC), optimizations were introduced in Release 10 [79, 80] and further specifications were added over the years under the name Cellular IoT in 3GPP. The features of MTC such as Power Saving Mode (PSM), Service Exposure, Monitoring of Devices, Group Communication and related congestion handling are documented in 3GPP TS 23.682. A new key functional entity, the Service Capability Exposure Function (SCEF), was introduced by MTC; it allows the MTC service provider to influence certain 3GPP network services. The SCEF could either be part of the 3GPP network operator or belong to the service provider. Also, the application data between UEs and the service capability server or between MTC application server is protected using the Generic Bootstrapping Architecture (GBA). GBA uses the 3GPP mechanisms for bootstrap authentication and key agreement for application security. GBA is restricted to user equipment initiated secure communication for UEs that support HTTP. Network initiated secure communication uses GBA Push, which is an extension of GBA [81].
3.3. Attacks in V2X
In this section, we use Figure 6 to classify the attacks in vehicular networks, following [82], into five categories: attacks based on the behavioral pattern, attacks on software and hardware, attacks on infrastructure, attacks on privacy, and data trust attacks. We also present a comparative study of the different attacks on V2X in Table 2.
3.3.1. Attacks based on Behavioral Patterns
These attacks are based on the behavioral patterns of the users. The objective of this attack type is to affect the behavior of the nodes in order to launch attacks. The attacks based on behavioral patterns are divided into two types: selfish attacks and malicious attacks.
Selfish Attacks: In these attacks, nodes behave selfishly: they may not forward packets or may not perform the verification function. Examples of selfish attacks prevalent in V2X, along with probable solutions, are given below.
• Message Spoofing Attack. In a spoofing attack, the attacker provides incorrect location information to the vehicles in the network. It is worth mentioning that the position information of a vehicle must be accurate in vehicular networks. False information about vehicle location can lead to activities that are detrimental in such environments. Spoofing attacks may facilitate other attacks in which vehicle identification is used as the tool for launching attacks.
– Solution Approach. To defend against the message spoofing attack, the possible solutions are to use a vehicular public key infrastructure [83] for communication between vehicles, to sign warning messages [84], to form group communications, or to include a non-cryptographic checksum with each sent message and apply plausibility checks on the received message [17]. Other solutions use a cryptographic certificate [85] or on-board radar [86] to assist the vehicle in detecting the actual position of malicious vehicles.
• Traffic Analysis/Movement Tracking Attack. In the vehicular environment, the traffic analysis or movement tracking attack is a threat to the privacy of users as well as to the confidentiality of transmitted messages. It is a passive form of attack, where the attacker listens on a network and then analyzes the data collected during the listening period. The results of the data analysis are then used by the attackers to launch attacks in the future.
– Solution Approach. Research works on defending against the traffic analysis attack mainly rely on privacy preservation, which is ensured by using anonymous key sets that are variable and change according to the driving speed, by using pseudonyms [85], or by using group signatures [87, 88, 89].
• Eavesdropping. This is a passive form of attack, where the attacker only listens to the communication medium without the victim being aware of it. The confidentiality of the transmitted messages is compromised in this attack. This attack facilitates the collection of useful information that may aid in vehicle tracking.
– Solution Approach. The eavesdropping attack can be mitigated by using the privacy preservation techniques mentioned above, as well as by data encryption. In [90], the authors proposed an asymmetric cryptography method that uses a non-disclosure routing protocol, while the authors in [87] suggested the use of symmetric encryption for beacons to prevent tracking. Other works [91, 92, 93, 94] also implemented the security architecture in such a way that the eavesdropping attack is thwarted through the use of asymmetric and symmetric cryptography.
• Repudiation. This attack results in the loss of event tracking when a node denies any communication.
– Solution Approach. For non-repudiation, the authors in [95] proposed the use of trusted hardware, which ensures that existing values and protocols can be modified only by legal users. Also, the authors in [96] emphasized authentication and verification when reading and updating data from the sensors.
Malicious Attacks: Here, the attackers exhibit malicious activities in the network, such as modification and replaying of messages. Existing malicious attacks in V2X and their solutions are described below.
• Message Replay Attack. This attack is common to almost all types of networks. In this attack, an already sent message packet is replayed at regular intervals by the attacker. One instance is the attacker replaying beacon frames to trace the location of vehicles.
– Solution Approach. Protection from the replay attack is provided by the use of timestamps for sensitive packets [85] or by timestamping all messages using the broadcast time. Another technique is to digitally sign every message and incorporate a sequence number in it [86].
• Sybil Attack. In this attack, the attacker generates several vehicles on the road with the same identity. The other vehicles on the road are thus duped and end up sending messages to false recipients, to the benefit of the attacker.
– Solution Approach. Several mechanisms are proposed in the literature for mitigating the sybil attack. The authors in [97] proposed deploying a centralized validation authority whose task is real time entity validation, directly or indirectly, by the use of temporary certificates. In [98], the authors used a public key infrastructure for key distribution and revocation to defend against sybil attacks, while in [99] the authors proposed the use of approved certification. The location of vehicles is used to prevent the sybil attack by the authors in [69], where the logical locations of the vehicles are verified. On message reception, a vehicle checks the certificate, lifetime and location of the received message. If the received message is in a logical location and correct, it is accepted by the vehicle; otherwise, the vehicle reports the incident to the nearest certification authority.
• Denial of Service (DoS) Attack. The DoS attacks comprise a group of attacks that target network service availability. These attacks may severely impact the performance of applications in vehicular networks. The attackers can be either internal or external. The primary objective of the attackers lies in disrupting the means of communication as well as disturbing normal services so that they are not available to legitimate users. An example of a DoS attack is the flooding attack, where the attacker intentionally floods the control channel with a large volume of messages. OBUs and RSUs are then unable to handle such a huge amount of messages, resulting in network disturbances.
– Solution Approach. The DoS attacks can be minimized through digital signatures [100] as well as by the use of certain authentication methods [96]. An example of authentication used as a defensive mechanism against the DoS attack is Tesla++, where symmetric cryptography is used with delayed key disclosures. The authors in [101] proposed using short-lifetime public and private key pairs with a hash function in order to defend against DoS attacks.
• Malicious Code Attack. In this attack type, malicious vehicles transmit malicious information in the form of code, such as viruses, worms, spyware and Trojan horses, with the objective of attacking the vehicle system or base stations. The malicious code can also destroy the applications in vehicles and hamper the services of the vehicles. This attack may also assist in obtaining information about trusted vehicles in V2X.
– Solution Approach. A possible solution for defending against malicious code attacks in V2X is to use a robust privacy preservation mechanism in the network.
• Black Hole Attack. In this attack type, the attacker receives packets from the network but refuses to participate in routing the received data. This causes the routing tables to be updated in an untimely manner. Legitimate users are therefore prevented from receiving important information, generally because the attacker declares itself to be a part of the network though in reality it is not.
– Solution Approach. The black hole attack in V2X is mitigated using secure routing architectures and also by the use of a hybrid intrusion detection system.
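The receiver-side checks named in the replay and Sybil solution approaches above (message authentication, timestamp lifetime, per-sender sequence number and location plausibility), as an added example that is not code from the survey or from the works it cites. HMAC-SHA256 with a pre-shared key stands in for the digital signature and certificate check, and the thresholds, field names and beacon values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import math
from dataclasses import dataclass, field

# Assumed thresholds, chosen only for illustration.
MAX_AGE_S = 0.5          # lifetime of a beacon (freshness window)
RADIO_RANGE_M = 1000.0   # farthest position a directly received sender can claim
MAX_SPEED_MPS = 70.0     # fastest plausible movement between two beacons


def _tag(key: bytes, body: dict) -> bytes:
    """HMAC-SHA256 over a canonical encoding (stand-in for a digital signature)."""
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest().encode()


def make_beacon(key: bytes, sender: str, seq: int, ts: float, x: float, y: float) -> dict:
    """Sender side: timestamp, sequence number and position are all covered by the tag."""
    body = {"sender": str(sender), "seq": int(seq), "ts": float(ts),
            "x": float(x), "y": float(y)}
    return {**body, "tag": _tag(key, body).decode()}


@dataclass
class BeaconReceiver:
    keys: dict                 # sender id -> key (stand-in for a validated certificate)
    x: float = 0.0             # receiver's own position
    y: float = 0.0
    last: dict = field(default_factory=dict)   # sender id -> last accepted (seq, ts, x, y)

    def check(self, msg: dict, now: float) -> str:
        try:
            body = {"sender": str(msg["sender"]), "seq": int(msg["seq"]),
                    "ts": float(msg["ts"]), "x": float(msg["x"]), "y": float(msg["y"])}
            tag = str(msg["tag"]).encode()
        except (KeyError, TypeError, ValueError):
            return "reject: malformed"
        if not all(math.isfinite(body[k]) for k in ("ts", "x", "y")):
            return "reject: malformed"
        key = self.keys.get(body["sender"])
        if key is None:
            return "reject: unknown sender"
        # 1. Authenticate first, so unauthenticated traffic can never touch replay state.
        if not hmac.compare_digest(_tag(key, body), tag):
            return "reject: bad authentication tag"
        # 2. Lifetime: a captured beacon replayed later falls outside the window.
        if abs(now - body["ts"]) > MAX_AGE_S:
            return "reject: stale timestamp"
        # 3. Sequence number: catches a replay made inside the freshness window.
        prev = self.last.get(body["sender"])
        if prev and body["seq"] <= prev[0]:
            return "reject: replayed sequence number"
        # 4. Location plausibility: the claimed position must be receivable at all...
        if math.hypot(body["x"] - self.x, body["y"] - self.y) > RADIO_RANGE_M:
            return "reject: implausible location"
        # ...and reachable from the sender's previously accepted position.
        if prev:
            dt = body["ts"] - prev[1]
            moved = math.hypot(body["x"] - prev[2], body["y"] - prev[3])
            if dt <= 0 or moved / dt > MAX_SPEED_MPS:
                return "reject: implausible movement"
        self.last[body["sender"]] = (body["seq"], body["ts"], body["x"], body["y"])
        return "accept"
```

State is updated only on acceptance, so a rejected beacon cannot advance the sequence number or shift the reference position used for the next plausibility check.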
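Delayed key disclosure, which the DoS solution approach above mentions for Tesla++, shown here as an added example of the basic TESLA-style mechanism; it is not Tesla++ itself and not code from any cited work. The class names, interval numbering, disclosure delay and buffer cap are assumptions, and sender and receiver are assumed to agree on the current interval.

```python
import hashlib
import hmac


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_chain(seed: bytes, n: int) -> list:
    """Return [K_0 .. K_n] with K_(i-1) = H(K_i); K_0 is the public commitment."""
    chain = [seed]
    for _ in range(n):
        chain.append(h(chain[-1]))
    return chain[::-1]


def mac(chain_key: bytes, payload: bytes) -> bytes:
    # The MAC key is derived from the chain key rather than being the chain key itself.
    return hmac.new(h(b"mac" + chain_key), payload, hashlib.sha256).digest()


class TeslaSender:
    def __init__(self, seed: bytes, intervals: int, delay: int):
        self.chain = make_chain(seed, intervals)
        self.delay = delay
        self.commitment = self.chain[0]   # assumed to reach receivers authentically

    def packet(self, i: int, payload: bytes) -> dict:
        j = i - self.delay                # the key of interval j may be disclosed now
        return {"i": i, "payload": payload, "mac": mac(self.chain[i], payload),
                "disclosed": (j, self.chain[j]) if j >= 1 else None}


class TeslaReceiver:
    def __init__(self, commitment: bytes, delay: int, max_buffered: int = 64):
        self.trusted = (0, commitment)    # newest chain element verified so far
        self.delay = delay
        self.max_buffered = max_buffered  # bounds memory under a flood of packets
        self.buffer = []                  # packets waiting for their key

    def _accept_key(self, j: int, key: bytes, now_interval: int) -> bool:
        idx, known = self.trusted
        if not idx < j <= now_interval:   # also bounds the hashing work below
            return False
        probe = key
        for _ in range(j - idx):
            probe = h(probe)
        if not hmac.compare_digest(probe, known):
            return False
        self.trusted = (j, key)
        return True

    def receive(self, pkt: dict, now_interval: int) -> list:
        """Process one packet and return the payloads that became authenticated."""
        # Security condition: buffer only if the packet's key cannot have been
        # disclosed yet; otherwise anyone holding the disclosed key could forge it.
        if now_interval < pkt["i"] + self.delay and len(self.buffer) < self.max_buffered:
            self.buffer.append(pkt)
        authenticated = []
        if pkt["disclosed"] and self._accept_key(*pkt["disclosed"], now_interval):
            j, key = pkt["disclosed"]
            waiting = []
            for old in self.buffer:
                if old["i"] > j:
                    waiting.append(old)
                    continue
                k = key
                for _ in range(j - old["i"]):   # recover keys skipped by packet loss
                    k = h(k)
                if hmac.compare_digest(mac(k, old["payload"]), old["mac"]):
                    authenticated.append(old["payload"])
            self.buffer = waiting
        return authenticated
```

A receiver spends one hash and one HMAC per packet and verifies nothing until a key arrives, which is why the scheme is cheap under load; the buffer cap is what keeps a flood of unverifiable packets from exhausting memory.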
Table 2: Comparative Study of Attacks on V2X
3.3.2. Attacks on Hardware (H/W) and Software (S/W)
This section deals with attacks that are hazardous to the hardware and the software of the different controlling units in the vehicle.
• Denial of Service (DoS) Attack. Already discussed above with possible solutions.
• Spoofing and Forgery Attack. Discussed earlier with existing solutions.
• Man in the Middle (MiM) Attack. This attack is viable in the vehicular network in different contexts. The attacker places itself between the two communicating nodes, i.e., between the sender and the receiver, and takes control of the communication between the two vehicles. The MiM attack violates integrity, authenticity and non-repudiation in vehicular networks.
– Solution Approach. The MiM attack is thwarted using techniques such as robust authentication methods and confidential communication with powerful cryptography [102]. Authentication schemes ensure trust, privacy and anonymity through short-lived keys that change continuously [103]. The authors in [101] use a lightweight decentralized authentication technique in V2X to protect genuine users from attacks based on transitive trust relationships. In [104], a novel cooperative message authentication scheme lets vehicle users cooperatively authenticate a group of message signatures.
• Brute Force Attack. Though this type of attack is tough to execute in vehicular networks, due to resource constraints and short connection times, it can still affect such networks in certain scenarios. For example, the brute force attack can take place while
trying to compromise the network identity of the vehicle through a certain searching process. The confidentiality of messages and authentication processes may be hampered by launching brute force attacks.
– Solution Approach. To prevent the brute force attack, key generation algorithms and strong encryption techniques that cannot be broken within a reasonable time frame should be used [39], thereby denying unauthorized access.
3.3.3. Attacks on Infrastructure
These attacks pose a danger to the different infrastructures related to the functioning of V2X technologies. Examples of such attacks are unauthorized access, hardware tampering etc.
• Session Hijacking Attack. Generally, authentication is done at the start of every new session. Later, the hackers take control of the session among nodes, resulting in what is known as the session hijacking attack.
– Solution Approach. Defensive mechanisms for the session hijacking attack include the use of a trust authority and a public key infrastructure. The trust authority is aware of the actual identity of every node. Every time a vehicle communicates with an RSU, the RSU first validates the vehicle's identity through the trust authority and subsequently shares the key with the vehicle.
• Distributed Denial of Service (DDoS) Attack. The DDoS attack is a type of DoS attack. In a DDoS attack, one main attacker acts as an attack manager along with the other attackers. DDoS attacks mainly cause network disturbances by flooding the network with messages.
– Solution Approach. The DDoS attack can be mitigated using digital signatures and authentication mechanisms.
• Unauthorized Access. In this type of attack, the network services are forcefully accessed by malicious entities that do not have the rights or privileges. This attack ultimately results in accidents, damage or spying on confidential data.
– Solution Approach. Confidentiality protects against unauthorized access to confidential information such as name, plate number and location. The most common technique is to use pseudonyms to preserve privacy in vehicular networks [105]. When using pseudonyms, every vehicle node has several key pairs with encryption. Different pseudonyms are used for message encryption or signing. The vehicle node is not linked to the pseudonyms, but the appropriate authority has access to this link. Vehicles are supposed to obtain a new pseudonym from RSUs before the earlier pseudonym expires.
• Tampering Hardware. This attack is the work of malicious employees of vehicle manufacturers who try to tamper with the hardware during yearly maintenance. The objective of this attack is either to obtain special data from the vehicle or to place special data in it.
– Solution Approach. The Trusted Platform Module (TPM) can be used for defense against tampering of hardware [106].
• Masquerade Attack. The attacker uses a valid identity or mask to hide itself. It tries to create a black hole or generate invalid messages that seem to come from authentic nodes. An attacker may pose as an emergency vehicle and compel other vehicles on the road to change lanes or reduce their speeds.
– Solution Approach. Masquerade attack is prevented by the use of non-repudiation techniques in V2X.

3.3.4. Attacks on Privacy
These attacks violate the privacy of drivers of vehicles and the users of the vehicular networks. Examples of privacy attacks in the V2X scenario are identity revealing attack and location tracking attack.
• Identity Revealing Attack. In this attack, the identity of the vehicle's owner is at risk. The personal information of the owner is compromised, which may lead to serious consequences in future.
– Solution Approach. The identity revealing attack is prevented through the use of an authentication framework with privacy preservation mechanisms.
• Location Tracking. This type of attack tracks the location of a vehicle as well as the path followed by the vehicle during a certain period of time.
– Solution Approach. The identity of the user is hidden from illegal access through anonymous and temporary keys. Therefore, the location privacy of the vehicle is maintained and the trajectory of the node cannot be tracked by malicious nodes.

3.3.5. Data Trust Attacks
These attacks alter or modify the data in transit. Thus the data integrity of message packets is at risk. Though this type of attack occurs in both V2I and V2V communications, it is more prevalent in the former. Examples of data trust attacks in vehicular networks are masquerading attack, replay attack, message tampering attack, hidden vehicle attack and illusion attack.
• Message Tampering Attack. This attack results in modifying, altering, deleting or constructing the data that is already present. The attacker launches this attack by modifying or reconstructing a specific part of the message to fulfill its malicious intentions.
– Solution Approach. Message tampering attack is resisted using similarity algorithm [107], data correlation [88] and challenge response authentication [96] methods. The similarity algorithm uses a reputation and trust management structure. The driver of a vehicle accepts a message as true based on the trust in the message content exchanged between two vehicles. If the calculated trust value exceeds a predefined threshold, appropriate action is taken in the form of rebroadcasting the message or dropping it. The data correlation mechanism used in [88] is based on a security framework for providing a new group signature approach. This mechanism uses probabilistic signature verification, accountability, anonymity, authenticity, integrity, and access control approach for detecting the tampered messages generated from unauthorized nodes. Authors in [96] proposed a challenge response authentication method, where digital signature and challenge response authentication are combined together. Upon receiving any message, the receiver transmits a challenge to the sender. In response, the sender sends its timestamp and location to prove its authenticity. The reliability of the safety message is enhanced through the disclosure of the location of the vehicle, which confirms that the vehicle is in the vicinity of the accident zone.
• Hidden Vehicle Attack. In this type of attack, false position alarms are generated by hidden vehicles that lead to accidents. The GPS does not work and therefore results in cheating with GPS information, which is also known as GPS spoofing [82].
– Solution Approach. Defense against the hidden vehicle attack is possible through the use of a trust management scheme [108].
• Illusion Attack. This attack affects the integrity and data trust for vehicular communication. Here, false data is generated by the attackers. The false data generated by the attackers have free access in the network and rely on interaction with drivers for making decisions. The attacker gets attached with the network in an authentic manner, resulting in difficulty in its detection.
– Solution Approach. The illusion attack is thwarted with the help of signatures combined with a positioning system, so that only authenticated location data is accepted [109]. Also, differential monitoring can be implemented for identifying abnormal variations in position [85]. Authors in [110] calculate a reputation score for safety applications through analysis and filtering of received queries for detecting malicious positions.

4. Secure V2X Communication Techniques
This section presents an insight into the different categories of security approaches that have been, and are currently being, investigated for V2X communication. We classify the security approaches considered by the researchers, based on their common techniques, into the following three categories: Symmetric Key Cryptography, Privacy Preservation and Message Authentication. In Section 4.1, we discuss works based on Symmetric Key Cryptography. Section 4.2 presents the works on Privacy Preservation. Finally, in Section 4.3, we discuss the works on Message Authentication.
4.1. Symmetric Key Cryptography
Symmetric cryptography is considered to be less flexible than asymmetric cryptography with respect to authentication capabilities. But, in terms of computational and communication overheads, symmetric key cryptography is considered highly efficient. Symmetric key cryptography utilizes a Hash-based Message Authentication Code (HMAC) for authentication purposes. The message and a secret key are hashed by the signer. The verifier must know the secret key, and verifies the MAC by carrying out the same procedure on the message. Therefore, any node possessing the secret key is capable of producing genuine MACs. So, non-repudiation is not achieved, as sender accountability is not provided. Symmetric key cryptography in V2X provides the advantages of short generation and verification times, together with minimized security overhead [111]. The deficiencies of asymmetric cryptography, such as the deployment and maintenance of certified infrastructure, may be avoided by using the simpler symmetric key cryptographic schemes. An example is every OBU possessing the same preinstalled secret key, or having a set of shared secret keys [112]. The research works dealing with symmetric key cryptography in V2X communication are discussed below.

Zhang et al. [113] developed a message authentication technique named RAISE, which is aided by RSUs. In this work, the RSUs take the responsibility for verifying the authenticity of messages received from the vehicles. After verification, the RSUs send back the notifications to the respective vehicles. Upon detection of a nearby RSU, vehicles initiate a connection to that particular RSU. This is followed by a mutual authentication process, and the RSU establishes a shared secret key with the vehicle. The RSUs also allocate a pseudo ID that is shared among other vehicles. The pseudo ID helps the RSU in identifying the vehicle that sent the message and also in verifying the message authentication.
Every vehicle produces a symmetric-keyed HMAC with the help of the symmetric key. Next, the vehicle broadcasts a message, which is signed with the symmetric HMAC. The broadcast message received by other vehicles is verified by using the authentication verification generated by the RSU. The RSU has the ability of authenticating the message as it possesses the HMAC encryption keys shared with other vehicles. Authors also use the anonymity approach for protecting the users' identification privacy. The privacy protection of identification is done in such a manner that the attacker is unable to relate a message with a specific vehicle. The k-anonymity procedure combines k vehicles. Here, the RSUs allocate a joint pseudo ID to the k vehicles. The communication between the RSUs and the vehicles is done using the same pseudo ID. Therefore, a particular vehicle route remains unidentified by the attacker. Authors claim that their scheme has less overhead compared to other existing works.

Lyu et al. [114] designed an efficient broadcast authentication technique for vehicular communication. The scheme is primarily designed using symmetric cryptography to make it efficient and lightweight. The proposed scheme depends on symmetric cryptographic functions such as MACs and hashes, and also on the basic TESLA scheme. For providing immediate authentication, the sender broadcasts a MAC prior to sending the beacon. The receiver produces a short size MAC from the received MAC using a secret key. The short size MAC is used for minimizing the risks of memory-based DoS attacks. Authors demonstrate that their scheme is capable of delivering messages with low latency and small storage overhead.

Privacy preserving authentication in vehicular networks is achieved by using symmetric random key-sets in [112]. In this work, every eligible user is provided with a random key-set. The key-set consists of k keys obtained from a centralized key pool. Every key is shared among many users. The user validity is shown by authentication of a set of keys. The authors also analyze key management issues such as key revocation and key distribution.
The probability of sharing a single key with a set of members increases considerably if the key pool size and the size of the key-sets held by the members are chosen appropriately. This property is utilized in this approach for authentication purposes by the RSU. In some cases, such as when a real-time response is required, the RSU has the ability of increasing the number of keys needed for authentication. This flexible feature of RSUs narrows down the range of potential adversaries. The RSU creates a challenge message upon receiving the verification request from the vehicle. The challenge message is created by encrypting a random secret with the set of keys denoted in the request. Cipher block chaining mode with multiple encryption keys is used for the encryption. If invalid or revoked keys are detected by the RSUs, the authentication fails immediately. The proposed protocol also supports vehicle anonymity by taking the benefit of key sharing between varied random sets. Theoretical analysis of the proposed scheme proves its efficiency as a privacy preserving authentication technique through symmetric cryptography.
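The key-set authentication of [112] summarized above, as an added Python sketch (not the authors' code): it computes how likely two random key-sets are to share a key, how the set of vehicles able to answer shrinks as the RSU demands more keys, and runs the RSU challenge with a revoked key failing immediately. The pool, key-set and fleet sizes, the class and function names, and the HMAC-chained response (used in place of the multi-key cipher block chaining encryption, which the standard library cannot provide) are assumptions.

```python
import hashlib
import hmac
import random
import secrets
from math import comb

# Assumed parameters for illustration; none of them come from [112].
POOL_SIZE, KEYSET_SIZE, FLEET_SIZE = 1000, 50, 10_000


def share_probability(pool, k):
    """Chance that two independently drawn k-key sets share at least one key."""
    return 1.0 - comb(pool - k, k) / comb(pool, k)


def expected_anonymity_set(fleet, pool, k, m):
    """Expected number of vehicles whose key-set contains m specific keys."""
    return fleet * comb(pool - m, k - m) / comb(pool, k)


def chained_response(nonce, keys):
    """Fold the nonce through HMAC-SHA256 under each key in turn (assumed
    stand-in for multi-key encryption: every listed key is needed)."""
    value = nonce
    for key in keys:
        value = hmac.new(key, value, hashlib.sha256).digest()
    return value


class KeyAuthority:
    """Central key pool that issues random key-sets and tracks revoked IDs."""

    def __init__(self, pool_size, rng):
        self.pool = {i: secrets.token_bytes(16) for i in range(pool_size)}
        self.revoked = set()
        self.rng = rng  # seeded RNG chooses key IDs only, never key material

    def issue_keyset(self, k):
        ids = self.rng.sample(range(len(self.pool)), k)
        return {i: self.pool[i] for i in ids}


class RSU:
    """Verifier, assumed to hold the pool keys and the revocation list."""

    def __init__(self, authority):
        self.authority = authority
        self.pending = {}  # session id -> (nonce, key IDs named in the request)

    def challenge(self, session, key_ids):
        """Return a fresh nonce, or None if a named key is invalid or revoked."""
        ids = list(key_ids)
        known, revoked = self.authority.pool, self.authority.revoked
        if not ids or len(set(ids)) != len(ids):
            return None
        if any(i not in known or i in revoked for i in ids):
            return None  # authentication fails immediately
        nonce = secrets.token_bytes(16)
        self.pending[session] = (nonce, ids)
        return nonce

    def verify(self, session, response):
        """Check a response once; the nonce is discarded whatever the result."""
        nonce, ids = self.pending.pop(session, (None, None))
        if nonce is None:
            return False
        keys = [self.authority.pool[i] for i in ids]
        return hmac.compare_digest(chained_response(nonce, keys), response)


def authenticate(rsu, keyset, key_ids, session):
    """Vehicle side: name key IDs (no vehicle identity) and answer the nonce."""
    nonce = rsu.challenge(session, key_ids)
    if nonce is None:
        return False
    return rsu.verify(session, chained_response(nonce, [keyset[i] for i in key_ids]))


def demo():
    authority = KeyAuthority(POOL_SIZE, random.Random(7))
    rsu = RSU(authority)
    vehicle = authority.issue_keyset(KEYSET_SIZE)
    ids = sorted(vehicle)[:3]  # this RSU asks for proof of three keys
    forged = {i: secrets.token_bytes(16) for i in ids}  # right IDs, wrong keys
    honest = authenticate(rsu, vehicle, ids, "s1")
    wrong_keys = authenticate(rsu, forged, ids, "s2")
    authority.revoked.add(ids[0])  # one of the vehicle's keys gets revoked
    revoked_key = authenticate(rsu, vehicle, ids, "s3")
    other_keys = authenticate(rsu, vehicle, sorted(vehicle)[3:6], "s4")
    return {"honest": honest, "wrong_keys": wrong_keys,
            "revoked_key": revoked_key, "other_keys": other_keys}


if __name__ == "__main__":
    print(round(share_probability(POOL_SIZE, KEYSET_SIZE), 3), demo())
    for m in (1, 2, 3):  # more keys demanded -> fewer candidate vehicles
        print(m, expected_anonymity_set(FLEET_SIZE, POOL_SIZE, KEYSET_SIZE, m))
```

With these assumed sizes a single named key is held by about 500 of the 10,000 vehicles, while three named keys leave roughly one candidate, which is the trade-off between anonymity and narrowing down adversaries that the passage describes.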
4.2. Privacy Preservation
Another technique used for securing the vehicular communication in V2X is privacy preservation. This technique involves the preservation of privacy of both the driver and the vehicle. In the context of vehicular communication, privacy refers to the condition where the user of the vehicle is given the right to decide which information is sent by the OBU and for how long the information will exist. The following works describe methods in V2X communication that take care of privacy preservation in such systems.

Chim et al. [115] designed a scheme for satisfying the privacy needs in vehicular communication. The authors formulated the scheme based on software solutions, where two shared secrets are required for privacy preservation. The proposed scheme is capable of handling messages sent by random vehicles, and also allows vehicles that know each other in advance to form groups. The vehicles that form groups are provided with secure message transmission among themselves. The solution provided in this work relies on software and does not depend on any hardware. The proposed scheme is also based on bilinear pairing, similar to [116]. The number of steps of the pairing solution used in [116] is reduced in this work to make it less computationally intensive. The proposed scheme consists of modules for initial handshaking, message signing, real identity tracking and revocation, group key generation, and group message signing and verification. The first module, initial handshaking, is executed when a vehicle wants to establish a connection with a new RSU. The Trusted Authority (TA) is responsible for assisting in vehicle authentication as well as for sharing the information of the vehicle's identity with the RSU. For messages received from arbitrary vehicles, the modules of message signing, batch authentication, and real identity tracking and revocation are followed. The message signing module consists of creation of a pseudo identity along with the signing key. Before a vehicle transmits a message, it must perform message signing. In the batch verification module, the RSU verifies a set of messages in a batch with the help of two pairing procedures. If any invalid signature is detected in the batch of messages, a notification is broadcast through a Bloom filter. The real identity tracking and revocation module consists of obtaining the actual sender identity of a message by the TA. Group messages use the modules of group key generation and group message signing and verification. The group key generation module is utilized by the TA for generating the secret key of the group, which is further forwarded by an RSU. The group message signing and verification module assists the group members in generating a group message and also helps in verification of the signature without the need of the RSU. The authors perform security analysis to demonstrate their scheme's efficacy for message integrity, authentication and privacy preservation of identity.

Lu et al. [117] proposed an efficient conditional privacy preservation technique for securing vehicular communication.
The proposed technique comprises four parts: system initialization, OBU short-time anonymous key generation, OBU safety message generation and sending, and the OBU fast tracking algorithm. In the system initialization phase, the trusted authority produces the bilinear parameters with the help of k. Two cryptographic functions are also chosen by the trusted authority. An OBU having a particular identity and pseudo-id requests the RSU for a short-time anonymous key-pair. In the OBU safety message sending phase, the OBU sends the safety message with privacy preservation and a time validity. Any disputed safety message is discarded in the OBU fast tracking algorithm phase. This protocol supports conditional privacy preservation, as no OBU is able to expose the actual identity or launch the moving track attack using safety messages. Performance evaluation of the scheme shows its efficiency for supporting conditional privacy.

In [118], the authors developed a privacy-protection defense mechanism for network authorities for treating misbehaviors during VANET access. An identity-based cryptosystem is employed that does not require certificates for authentication. A pseudonym-based scheme is used here for ensuring the user privacy and traceability of the vehicle. The privacy preserving defensive mechanism is built upon threshold authentication. Any extra authentication beyond the limit results in revocation of the misbehaving users. The unique feature of this scheme is that certain types of misbehavior do not result in revocation. An example of one such type of misbehavior is malfunctioning hardware. The pseudonym based privacy preservation consists of two steps: pseudonym generation and pseudonym authentication. The pseudonym authentication is basically concerned with safeguarding the privacy. A vehicle needs to update its credentials quite frequently for preserving privacy.
Pseudonyms hide the actual identity of the vehicles, so that neighboring vehicles and RSUs are unable to determine the sender of a certain message. Authors provide analyses to show that the predefined security objectives of privacy, traceability, non-frameability, along with efficient storage and communication, are satisfied by this scheme.

To overcome the drawbacks of existing state-of-the-art schemes on privacy preservation in vehicular communication, the authors in [119] developed a secure distributed key management framework for supporting privacy preservation. The privacy preservation mechanism adopted in this work is based on group signature. The key management framework comprises two phases: the key distribution phase and the regular broadcast phase. In group signature, the group members sign messages under the group name. Here, a group consists of a group public key and several private group keys. A message signed by any group private key is verified with the help of the unique group public key. This procedure does not expose the identity of the signatory. The respective authorities possess a tracing key that is used for obtaining the group private key from the signature. If one group private key is allocated to only one user, the signatory's identity is revealed after the authorities obtain its group private key. The group signature considered is short, for providing lesser communication overhead.

In [120], the authors developed a privacy protection mechanism that ensures both robustness and scalability in vehicular networks. In this work, authors view the vehicular networks as made up of non-overlapping subnetworks. These subnetworks are locally confined within a geographic location and are called cells. Every cell consists of a server that has a list of valid pseudonyms for use in the cell. The cell's ID and the random host ID are present in each pseudonym. The cell ID is utilized as a geographic network prefix ID as well as the mask ID. The mask ID is responsible for specifying the highest number of vehicles present within the cell. The host ID performs the task of identifying the vehicle when it is in the cell. Initially, the vehicle encrypts a request with the help of the pseudonym server's public key. Only vehicles that request pseudonyms are issued those pseudonyms. The pseudonyms serve the purpose of concealing the identity of the vehicles. The pseudonyms may hide either the host name or the IP address of the vehicles, or both. The vehicle also uses a random number, i.e., a secret key, for uncovering the new pseudonym. On receiving the pseudonym request, the server decrypts the message using its private key. After this, the vehicle is authenticated by the pseudonym server.
Once the vehicle is authorized to obtain the pseudonym, an available random pseudonym is transmitted to the vehicle. Simulation results reveal the competency of the scheme in preserving the vehicle's privacy.

Li et al. [121] proposed a mechanism to take care of both reputation management and privacy protection in vehicular networks. The scheme adopts a localized model for enabling efficient reputation management in vehicular networks. The model used here provides every node with a neighbour-certified reputation label that gives knowledge of its reputation background. Also, the 1-hop neighbours hold the reputation opinion for recent behaviours of the nodes. Privacy preservation of reputation manifestation is done following a conditional reputation discretization algorithm. The reputation label update algorithm consists of three phases: reputation segment aggregation, reputation label update and revocation notification broadcast. In the reputation segment aggregation phase, a node broadcasts a query message to all its neighbours for obtaining their reputation segments. The secure message formats designed in this phase ensure data integrity and authenticity. The reputation label update phase that follows allows the node to calculate its new reputation label. The messages used in this phase follow formats that protect privacy and message integrity. The revocation notification broadcast phase is used for ensuring that a node has only one valid reputation label. The proposed scheme is resilient to several attacks against privacy.

An identity-based conditional privacy preserving technique was proposed in [122] for vehicular networks. The scheme is based on elliptic curve cryptography. This work does not use bilinear pairing and, for performance improvement, uses a batch verification function.
The three phases of the scheme are: the system initialization, the anonymous identity generation and message signing, and the message verification. The system initialization phase consists of generation of the system parameters by the trusted authority. The trusted authority is responsible for pre-loading the system parameters into the tamper-proof device of every vehicle and for transmitting the same to all RSUs. In the second phase, the tamper-proof device of the vehicle produces a digital signature of a message and an anonymous identity. The anonymous identities, message and digital signature are broadcast by the vehicle to neighbouring vehicles and RSUs. The message verification phase provides for verifying the validity of the received messages by an RSU or a vehicle. Here, for one message, single verification is done, whereas for multiple messages, batch verification is followed. The authors demonstrate the capability of their scheme for its low communication and computation costs in vehicular networks.

Zhang et al. [123] proposed a lightweight privacy preserving mechanism for proofs of vehicle locations. A vehicle is able to prove that its location claims match its historical locations. The proposed solution requires the RSUs to continuously broadcast packets that are specific to the location proof function. The packets containing information about location proof functions are termed VPackets. A user has to exhibit the accurate RSS pattern of the VPackets transmitted by the RSU if he claims data collection at a particular place. The correct RSS pattern is obtained only if the vehicle has really passed through the claimed location. Thus, malicious attackers are statistically prevented from collecting location proofs. The scheme is lightweight, considering the fact that RSUs generate location proofs by only broadcasting packets. Therefore, the scheme is scalable as well, because in a busy vehicular environment, many cars may be requesting location proofs simultaneously. No information associated with a user's identification is exposed here. Since no cryptographic keys are linked with the user, there is no method of tracing users reporting data to the transport system. Simulation results prove that the location privacy of users is protected.

4.3. Message Authentication
Message authentication methods for securing V2X communication involve various techniques, such as the use of group-oriented signature schemes, distributed authentication protocols and revocation verification methods. Some of the works that discuss how message authentication is used for securing V2X are given below.

The work in [124] devised a mechanism to address the challenge of traditional exhaustive authentication in large vehicular networks.
The authors proposed a cooperative and efficient authentication technique for vehicular networks. The scheme takes into account repetitive authentication on the same message by various vehicles. Reduction in repetitive authentication leads to minimization of authentication overhead as well as authentication delay. A set of neighbouring vehicle users execute the scheme. Lowering repetitive authentication is achieved through minimum inter-vehicle coordination. A cooperative authentication mechanism is proposed by the authors, where inter-vehicle interaction is not required. Authors perform exhaustive simulations for identifying the optimal strategy using different parameter settings. The cooperative authentication mechanism considers x vehicles in an area that are able to communicate directly with one another. The vehicles are made available with y messages. Each of these y messages contains a signature and a unique index. The x vehicles authenticate the y messages by verifying the signatures attached to the messages. Authors analyzed the overheads resulting from the non-cooperative and cooperative authentication cases. Every user picks and verifies some original signatures and produces an integrated signature as a result of its own authentication effort. The user is also responsible for generating an authentication proof, to prove that it actually verified the original signature. The authentication proof generated by the user is shared with the public. The authentication proof is used as evidence and sent to the RSU whenever the user communicates with the RSU. On receiving the authentication proof, the RSU verifies the validity of the evidence and the user is rewarded with new tokens. The user uses the new tokens for verifying the efforts of cooperative authentication in the successive time slots. Authors also show the capability of their scheme in thwarting free-riding attacks by selfish vehicle users.

Zhang et al. [125] presented a decentralized group-authentication technique, where each RSU maintains the group, instead of a central authority. Each RSU is accountable for maintaining and managing the vehicles within its communication range as an on-the-fly group. The vehicles that join the group transmit vehicle-to-vehicle messages anonymously. The V2V messages are verified instantly by the vehicles in the same group and in other neighbouring groups as well. A third party intervention is introduced if any false message is identified.
Here, the vehicles request the RSU to send a secret member key without the knowledge of other vehicles. The RSU secretly transmits the secret member key to the vehicles. The vehicles are then able to send messages anonymously on the group's behalf. The members of a group are enabled to sign on behalf of the group with the help of group signatures. The signature is verified by every member in the group with the help of the group public key. But the identity of the signatory is not disclosed to anyone except the group manager. Most of the messages do not need to be forwarded, as they are generally about the regular driving status information. The vehicles only forward important messages after signing them. The message is then forwarded to other vehicles in the areas serviced by the present user and its neighbours. The scheme is robust in the sense that, if some RSUs break down, only the vehicles entering the areas of those RSUs are affected. Simulation results prove that the scheme satisfies the scalability and robustness requirements.

Biswas et al. [126] proposed a safety message authentication algorithm for vehicular networks. In this algorithm, an efficient revocation checking process is used instead of checking certificate revocation lists. The revocation checking procedure is a keyed HMAC. The OBUs that are not revoked share the key for calculating the HMAC. The HMAC function used for the revocation process is very fast and secure. The message authentication is done following three phases that occur consecutively. The phases consist of verification of the sender's certificate, checking of the sender's revocation status and verification of the sender's signature. In the first phase, the authors use the cipher block chaining advanced encryption technique and secure hash algorithm as the HMAC function. In the second and third phases, the authors use an elliptic curve based digital signature technique for checking the certificate's authentication and the sender's signature.
The scheme is also resistant to common attacks and significantly minimizes the message loss ratio. Brechtet al. [127] worked on the Security Credential Management System (SCMS) for V2X communication that has been adopted by the USDOT and developed by the Crash Avoidance Metrics Partners LLC. The SCMS is evolving as a public key infrastructure for V2X security. It is related with issuing digital certificates to vehicles and infrastructure devices that participate for providing the necessary trustworthy communications for safety and mobility applications in V2X. The SCMS is responsible for supporting the four main use cases of bootstrapping, certificate provisioning, misbehavior reporting and revocation. The objective is to provide security and privacy of vehicles to the maximum level. To achieve privacy to a reasonable extent, vehicles are issued pseudonym certificates and multiple organizations are responsible for generation and provisioning of those certificates. As a substantial amount of pseudonym certificates exist for each vehicle, the main challenge is to provide the capability of efficient revocation of misbehaving or malfunctioning vehicles. Here, every device receives two types of certificates, one is the long-term enrollment certificate that is responsible for validating devices in the system and the other is the multiple pseudonym certificates, that have short validity [128]. The SCMS generally depends on the following entities: Pseudonym Certificate Authority (PCA) which is responsible for issuing pseudonym certificates to devices, Registration Authority (RA) that performs the task of receiving and validating requests for batches of pseudonym certificates from devices that are identified with the help of their enrolled certificates. 
These requests are forwarded individually to the PCA such that the requests linked to different devices are shuffled together. The Linkage Authority (LA) is responsible for generating random bit strings that are appended to certificates for efficient certificate revocation, and the Misbehavior Authority (MA) identifies the misbehavior patterns of devices and revokes them whenever needed. The two major procedures provided by the SCMS involve the entities in different roles. The first procedure is butterfly key expansion, which enables the issuing of pseudonym certificates, and the second is the key linkage procedure, which allows efficient revocation of malicious vehicles.

Misbehavior detection enables detection of malicious nodes as well as detection of defective nodes. Misbehavior detection is closely related to V2X applications, as applications reflect the true results of a certain application packet. Brecht et al. [129] considered misbehavior detection techniques for message authentication in vehicular networks. Misbehavior is a term commonly used in network security in the context of malicious attackers and malicious nodes. Attacker nodes or malicious nodes transmit erroneous messages with malicious intentions. Detecting such nodes that act abnormally or misbehave is therefore referred to as misbehavior detection. The messages sent by the malicious nodes are deceptive and responsible for causing deceptive attacks. These nodes are capable of avoiding detection and of sabotaging other nodes in the network to transmit their erroneous messages. Mainly denial of service attacks and attacks on routing fall under this category.

Detection mechanisms can be classified as local, cooperative and global detection. Local detection checks internal consistency and, as an option, uses the vehicle sensors for measuring correctness. Cooperative detection, on the other hand, takes into account collaboration between vehicles and also among RSUs. Finally, global detection refers to detection that happens to some extent with support from a back-end system. Quite often the detection mechanisms operate locally, making them invariant to Sybil attacks. Attacker identification therefore becomes a difficult task due to the limited availability of information. Some schemes perform detection based on cooperation. They are generally consistency-based and trust-based detection mechanisms. These mechanisms depend on an honest majority and on message exchanges among participants for detecting discrepancies and identifying malicious participants. Schemes utilizing a reputation mechanism use cooperative and global detection mechanisms for performing report or revocation. The authors classified misbehavior detection into node-centric mechanisms and data-centric mechanisms.
Node-centric mechanisms are mechanisms that are mainly concerned with the network participants. The verification process generally involves monitoring the behavior of a node based on metrics such as packet frequencies and correctly formatted messages to decide on the trust value of the node. In the data-centric approach, the contents of the message are verified to determine the message validity. The authors also classified misbehavior detection according to the source from which the analyzed messages are received: mechanisms that analyze messages coming from a single vehicle, and mechanisms that deduce misbehavior from the messages of multiple vehicles. Detection applied to messages coming from a single source is referred to as autonomous detection, while detection applied to messages from multiple sources is referred to as collaborative detection.

Node-centric misbehavior detection is classified into two types: behavioral and trust-based. Behavioral node-centric misbehavior detection employs the patterns in the behavior of specific nodes. These mechanisms consider information related to the number of messages transmitted by a node or the correctness of the format of the transmitted messages. This kind of detection is centered only around the nodes and does not consider data semantics. An example of behavioral node-centric misbehavior detection is the concept of Watchdog, which was introduced in mobile ad-hoc networks for the security of routing. The trust-based mechanism assumes that several nodes in the network are honest and that sufficient infrastructure is available for the removal of malicious nodes. The trust-based mechanism involves reputation systems that rate node behavior over a period of time.
They also employ voting schemes that allow vehicles to vote on the correctness of the information. The trust-based mechanisms quite often depend on other detection mechanisms for input for updating the reputation of nodes in the network. One advantage of the trust-based mechanisms is that they simplify the revocation process.

Data-centric misbehavior detection is divided into two types: consistency-based detection and plausibility-based detection. Consistency-based detection uses the relation between packets, particularly from multiple participants, for determining the trust of newly received data. Pairwise comparison of messages from vehicles is also considered consistency-based. The advantage of consistency-based detection is that only limited domain knowledge is needed for evaluating suitable schemes. Plausibility-based detection employs a specific underlying data model for verifying whether the transmitted information is aligned with the chosen data model. Plausibility-based detection allows a very fast analysis of the received packets, which is performed by considering packets from individual senders. The information in the packets is either tested against a model prediction, or the model is used for judging whether the information is a plausible next step. This mechanism can directly express the plausibility of the message as a probability, which can be input for other detection mechanisms. One of the main advantages of plausibility-based detection is that the mechanisms are always applicable, even when an honest majority is not present.
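An added illustration of plausibility-based detection feeding a trust-based reputation, as described above (example code written for this text, not taken from the survey or the works it cites). The constant-velocity model, all thresholds, the pseudonyms "A" and "B" and the beacon trace are assumptions constructed for the example.

```python
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Beacon:
    sender: str     # pseudonym of the sender (constructed identifiers below)
    t: float        # timestamp, seconds
    x: float        # claimed position, metres
    y: float
    speed: float    # claimed speed, m/s
    heading: float  # claimed heading, radians (0 = +x axis)


# Assumed model parameters (not from the survey); tune per deployment.
SIGMA_POS = 3.0   # expected position noise, metres
MAX_SPEED = 70.0  # m/s
MAX_ACCEL = 10.0  # m/s^2
MAX_GAP = 2.0     # seconds; older history is not used for prediction


def plausibility(prev, cur):
    """Score in [0, 1]: is `cur` a plausible next step after `prev`?"""
    if not 0.0 <= cur.speed <= MAX_SPEED:
        return 0.0
    if prev is None:
        return 0.5                      # no history: neutral evidence
    dt = cur.t - prev.t
    if dt <= 0.0:
        return 0.0                      # replayed or out-of-order timestamp
    if dt > MAX_GAP:
        return 0.5                      # history too old to predict from
    if abs(cur.speed - prev.speed) / dt > MAX_ACCEL:
        return 0.0
    # Data model: constant-velocity prediction from the previous claim.
    px = prev.x + prev.speed * math.cos(prev.heading) * dt
    py = prev.y + prev.speed * math.sin(prev.heading) * dt
    err = math.hypot(cur.x - px, cur.y - py)
    slack = 0.5 * MAX_ACCEL * dt * dt   # deviation reachable by honest acceleration
    excess = max(0.0, err - slack)
    return math.exp(-0.5 * (excess / SIGMA_POS) ** 2)


class Detector:
    """Data-centric scores update a node-centric reputation per pseudonym."""

    def __init__(self, alpha=0.3, report_below=0.4):
        self.alpha = alpha                # weight of the newest score
        self.report_below = report_below  # trust level that triggers a report
        self.last = {}                    # pseudonym -> last beacon seen
        self.trust = {}                   # pseudonym -> reputation in [0, 1]

    def observe(self, beacon):
        score = plausibility(self.last.get(beacon.sender), beacon)
        old = self.trust.get(beacon.sender, 0.5)
        self.trust[beacon.sender] = (1 - self.alpha) * old + self.alpha * score
        # The track follows the sender's claims, so one glitch costs one score.
        self.last[beacon.sender] = beacon
        return score

    def reports(self):
        """Pseudonyms whose reputation would be reported for revocation."""
        return sorted(s for s, v in self.trust.items() if v < self.report_below)


def constructed_trace():
    """Constructed 10 Hz trace: A is honest with +/-0.3 m noise; from the
    sixth beacon on, B claims 40 m more per step than its speed allows."""
    trace = []
    for i in range(10):
        t = 0.1 * i
        noise = 0.3 if i % 2 else -0.3
        trace.append(Beacon("A", t, 2.0 * i + noise, 0.0, 20.0, 0.0))
        jump = 40.0 * max(0, i - 4)
        trace.append(Beacon("B", t, 2.0 * i + jump, 3.5, 20.0, 0.0))
    return trace


def run_demo():
    det = Detector()
    for beacon in constructed_trace():
        det.observe(beacon)
    return det


if __name__ == "__main__":
    d = run_demo()
    print({k: round(v, 3) for k, v in d.trust.items()}, d.reports())
```

Because each score depends only on the sender's own beacons, the check needs no honest majority; the reputation step is where cooperative or global mechanisms would take over.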
5. Implementation Projects on V2X
The widespread emergence of V2X technologies in the connected car and intelligent transport systems paradigms initiated several projects in relation to these topics. This section provides brief descriptions of the projects on V2X that are completed or ongoing on a global scale. The projects are categorized based on their target applications: projects that work or worked on road safety applications (Section 5.1), projects that provide or provided traffic management applications (Section 5.2), and projects that concentrate on driver and passenger comfort along with infotainment (Section 5.3). We also present an overview of the project implementations in Table 3.

5.1. Road Safety Application Projects

Projects on road safety issues mainly deal with supporting the road network with adequate prior information for the avoidance and prevention of road accidents. The vehicles on roads are responsible for collecting information about the local traffic conditions, the current weather, etc., using various technologies such as cameras and sensors. The groups of vehicles then share the collected information using V2X technologies for aiding efficient driving and management of traffic conditions. The data collected by the vehicles may also be processed by roadside infrastructure units. The processed data is then sent to other vehicles for improving the traffic conditions. Examples of projects that dealt with road safety applications are Safe and Intelligent Mobility field Test Germany (SIMTD) [130], Cooperative vehicle infrastructure systems for advanced esafety applications (COVER) [131], Cooperative cars and road for safer and Intelligent Transportation System (CopITS) [132], and Preparing Secure Vehicle-to-X communication Systems (PRESERVE) [133]. Brief discussions of these projects are provided below.

• SIMTD. The main goal of SIMTD was to evaluate V2X communication in real-world scenarios for cooperative applications. Equipped vehicles were provided by automaker partners for the testing. The project was located in Germany; it started in 2008 and was completed in 2013.

• COVER. The major focus of COVER was cooperative early information and V2I applications like intelligent speed adaptation (dynamic and static speed limits). The project started in 2009 and ended in 2016.

• CopITS. The major objective of this project was designing advanced communication algorithms for increasing the data transfer rate in V2I and V2V applications. The project was located in Qatar. CopITS started in 2010 and ended in 2014.

• PRESERVE. The objectives of the PRESERVE project were to design, implement, and test a secure and scalable V2X Security Subsystem for realistic deployment scenarios. Several significant scalability and feasibility issues were investigated using field testing. The project started in 2011 and ended in 2015.
Table 3: Overview of Project Implementations

| Project | Duration | Budget | Main Objective | Number of Partners | Country | Application Type |
|---|---|---|---|---|---|---|
| SIMTD | 2008-2013 | 69 million euros | Built the first car-to-X communication cooperative control center | 17 | Germany | Road Safety |
| BMW Connected Car | 2015-2017 | Information N/A | Design of a concept car enabled with Internet connection | Information N/A | Germany | Road Safety |
| SmartWay | 2004-2010 | Information N/A | Performed on road tests in 2007 to verify the system function of roadside and onboard unit. Also provided basic services, such as, dynamic route guidance, assisted safe driving | 29 | Japan | Road Safety |
| CopITS | 2010-2014 | Information N/A | Developed advanced communication protocols for enhanced data transfer | Information N/A | Qatar | Road Safety |
| PRESERVE | 2011-2015 | 5.4 million euros | Performed field tests to verify important scalability and feasibility issues | 06 | Netherlands | Road Safety |
| SCORE@F | 2010-2013 | 5.6 million euros | Focused on traffic efficiency management and road safety. Also developed and demonstrated use cases, such as, cooperative navigation and Internet access | 20 | France | Traffic Management |
| SAFESPOT | 2006-2010 | 38 million euros | Improved road warning applications | 51 | Italy | Traffic Management |
| METIS | 2012-2015 | 27 million euros | Investigated the requirements for 5G mobile and wireless systems | 26 | Europe (Coordinator: Ericsson, Sweden) | Comfort and Infotainment |
| METIS-II | 2015-2017 | 8 million euros | Developed the overall 5G radio access network design | 23 | Europe (Coordinator: Ericsson, Sweden) | Comfort and Infotainment |
| Toyota Friend | 2011-2013 | Information N/A | Customers to receive the Twitter style messages about the car, and also communicate with friends and family via Facebook and Twitter while on the drive | 02 | Japan | Comfort and Infotainment |
5.2. Traffic Management Application Projects

The main objective of these applications is refining the traffic management process on roads by updating local traffic information and providing traffic assistance to users. A vehicle or RSU performs the task of collecting information about traffic scenarios. This information is forwarded to another vehicle, directly or through a remote server, choosing a path that optimizes travel time. Examples of traffic applications include speed management and cooperative navigation. In response to traffic management messages, the steps would be either to go forward carefully or to provide alternate routes to evade dangerous possibilities. Examples of projects on traffic management applications include Systeme Cooperatif Routier Experimental@France (SCORE@F) [134] and SAFESPOT [19].

• SCORE@F. The project was launched in September 2010. The prime objective of the project was V2X standards validation and application development. The project was completed in 2013.

• SAFESPOT. This was a European funded project which focused on improving vehicle applications for danger warnings, such as cross traffic or hidden vehicles.

5.3. Comfort and Infotainment Projects

Projects related to comfort and infotainment are fast gaining momentum in today’s world. Many projects dealing with passengers’ comfort are researching the betterment of such services. The prime objective of these projects is providing uninterrupted Internet services while on the move. The passengers were able to access their electronic files online both at home and office. Also, smart home solutions are provided by enabling the passengers to control and manage multiple appliances such as door locks, home security and lights. These projects mostly use the standardized WAVE protocol. Typical examples of flagship projects related to comfort and infotainment are Mobile and wireless communications Enablers for the Twenty-twenty Information Society (METIS) [27], COMmunications for eSAFETY (COMeSAFETY) [135], SmartWay [136], Toyota Friend [137] and BMW Connected Car [138]. We provide short discussions of these projects below:

• METIS. This project was developed for identifying the needs for 5G wireless systems. The project was initiated in Europe in 2010 and was completed in 2015.

• COMeSAFETY. This project was set up in Europe for supporting the e-Safety environment and co-ordinating the execution of research results attained from ITS present on European roads. The project started in 2006 and ended in 2010.

• SmartWay. Japan initiated this project in 2004 for providing traffic and travel related information and electronic toll related communication. The project was completed in 2010.

• Toyota Friend. This project will connect the owners of Toyota’s electric vehicles through social networks and provide them with maintenance updates, through an application available on smartphones, mobile devices or tablet PCs. The project was initiated in Japan in 2011 and is ongoing to date.

• BMW Connected Car. The objective of this project is designing a model vehicle enabled with Internet connectivity. The project started in 2012 in Germany and is still undergoing development.

Currently, a consortium called OmniAir is being developed, where the issues of interoperability are expected to be taken care of. The OmniAir consortium plays a vital role in developing technical arrangements required by the industry.
The number of participating members of OmniAir is greater than 40 and it is playing a vital role in interoperability testing. Vendors from throughout the world are joining together to validate interoperability.

6. Open Issues

This section presents a number of areas related to V2X, particularly to its security, that can be focused upon as future research directions.

• Security and Interoperability of End Entity Devices. Proper synchronization between the different specifications developed by the various car manufacturers is needed for ensuring interoperability of end entity devices. To take care of security and interoperability of end entity V2X devices, the industry is paying attention to consortia such as the OmniAir Consortium to develop technical specifications. The role of OmniAir in interoperability testing is increasing rapidly and it has more than 40 participating members. Prior to engaging in OmniAir’s certification process, vendors around the world are joining hands to verify interoperability.

• Protection of End Utility Production Keys. The car industry has been discussing the ability to protect the production keys within an end entity. The reliability of the end entity as well as the V2X signing keys is protected by the use of secure boot, separation, secure updates and power-on self-tests. This topic is gaining importance from the perspective of connected car technology. Both certification and the merit of every security feature are being judged based on the US Federal Information Processing Standard for obtaining the best outcome.
• Bootstrapping. The general approach that is followed in bootstrapping, i.e., how to initialize the key of a new unit, is clear. But the procedure for implementing bootstrapping when there are numerous car manufacturers and part suppliers is still not clear. All unit producers must implement bootstrapping mechanisms that are compatible with their production process. Also, the adopted mechanism must fulfil the minimum required security so as to ensure that no ineligible units are inducted into the system. The minimum requirements include cryptographic and organizational aspects as well as policy regulations.

• Security Policies. Policies that define ground rules are needed for supporting security mechanisms. In particular, security policies are required for the revocation of DSRC units. Specific conditions need to be defined under which a DSRC unit is revoked, and how reinstallation is performed after revocation. Security policies include limited use of DSRC transmissions for unspecified reasons and also fulfilling the minimum requirements of the DSRC units.

• Rapid Information Spreading. Data in V2X systems can be distributed using V2V multihop communication, where DSRC units rebroadcast received data after reception. Initial research in this area showed that a single RSU in a metropolitan area is capable of spreading a CRL within a few hours. But such mechanisms must adhere to reliability requirements and counter channel congestion.

• Geo-Networking. In the US and Europe, V2X safety applications are now the primary objective of security projects. But for the extended applications that are considered, for example multihop geo-networking applications, the security mechanisms need to be refined.

• Infrastructure Development. Ubiquitous connectivity is a prerequisite for successful implementation of V2X technologies. The V2X technology requires a sophisticated network infrastructure and demands upgrading of all roads, roadside units, and overall infrastructure for its proper implementation. As more and more cars are communicating wirelessly, the absence of an appropriate infrastructure would hinder the value of services provided by the technology. Therefore, research on infrastructure development that caters to the needs of V2X technology is of prime importance.

• Reducing the Overall Cost of Acquisition. Implementing sophisticated V2X technologies in the car increases the cost of the vehicle. Also, upgrading cities and creating awareness amongst first-time buyers adds to the overall cost of deploying the V2X technology and acquiring customers. Proper measures should be taken for reducing the overall cost of acquisition, so that deploying V2X technologies can be done more efficiently in the future.

• Threat to Data Security. The increase in the number of cars getting connected wirelessly also provides easy access to hackers for manipulating car data. For example, social networking credentials can be obtained by hacking the infotainment systems, and phone and message logs can be hacked through smartphones. Therefore, for ensuring data security, a vehicle must be capable of tackling various remote surface attacks. It is predicted that the number of connected cars will reach 240 million globally, and the absence of a universal standard for the security of connected cars can complicate deploying security features in future.

• Removing Ambiguity over Communication Technologies. At present, there are three proposed protocols for communication between connected cars: DSRC, Cellular, and Hybrid. While the United States Department of Transportation proposed a mandate for the use of DSRC, the European Union is more keen on developing mass deployment of a hybrid communication system. Alliances have been formed between the industry participants and national bodies across various levels of stakeholders in the connected car industry to promote various communication technologies. The pros and cons of each of the proposed technologies have slowed down the implementation of V2X technology on a larger scale. Therefore, a unified consensus needs to be reached for gaining the maximum benefit out of the implementation of V2X technology.

7. Conclusion
In this survey, we investigate the security issues and challenges in V2X. We provide a comprehensive survey of the underlying concept of V2X together with the standardization techniques currently in use for communication. We first provide a brief introduction of V2X in vehicular communication and introduce the significance of V2X in today's world. Further, we briefly describe the V2X applications, followed by a discussion on security challenges and requirements in V2X. We also discuss the threats that V2X is vulnerable to and the possible solutions to these threats. Afterward, we survey a number of potential works that developed security approaches for defensive mechanisms in V2X. Next, we elaborate on the projects that carried out activities in relation to V2X. Finally, potential research directions for security issues in V2X are identified. This analysis of security issues and challenges in V2X will introduce promising perspectives and new methodologies for future research in V2X security. We believe that this survey makes the importance of V2X security in vehicular communication easy to understand, and provides a solid foundation for future research works carried out in this area.
Acknowledgment
This work is partially sponsored by Huawei Innovation Research Program (HIRP): Secure Remote OTA Updates for Connected Cars of Huawei Technology Co. Ltd., China, 2018.
References
[1] S. Arslan, M. Saritas, The effects of ofdm design parameters on the v2x communication performance: A survey, Vehicular Communications 7 (2017) 1–6.
[2] K. Abboud, H. A. Omar, W. Zhuang, Interworking of dsrc and cellular network technologies for v2x communications: a survey, IEEE Trans. on Vehicular Technology 65 (2016) 9457–9470.
[3] NHTSA, NHTSA studies vehicle safety and driving behavior to reduce vehicle crashes., Accessed on August 30, 2019. [Online]: https://www.nhtsa.gov/research-data.
[4] NHTSA, https://one.nhtsa.gov/nhtsa/whatis/planning/2020Report/2020report.html, Technical Report, NHTSA, 2019.
[5] P. Merias, Study on LTE-Based V2X Services (Release 14) Technology, Technical Report 3GPP TR 36.885, Specification Group Service System Aspects, 2016.
[6] H. T. Cheng, H. Shan, W. Zhuang, Infotainment and road safety service support in vehicular networking: From a communication perspective, Mechanical Systems and Signal Processing 25 (2011) 2020–2038.
[7] V. S. C. Consortium, Vehicle safety communications project: Task 3 final report: identify intelligent vehicle safety applications enabled by DSRC, Technical Report DOT HS 809 859, National Highway Traffic Safety Administration, US Department of Transportation, Washington DC, USA, 2005.
[8] F. Ahmed-Zaid, F. Bai, S. Bai, C. Basnayake, B. Bellur, S. Brovold, G. Brown, L. Caminiti, D. Cunningham, H. Elzein, K. Hong, Vehicle safety communications-applications (VSC-A) final report, Technical Report DOT HS 811 492A, National Highway Traffic Safety Administration, US Department of Transportation, Washington DC, USA, 2011.
[9] R. Baldessari, B. Boedekker, M. Deegener, A. Festag, W. Franz, C. C. Kellum, T. Kosch, A. Kovacs, M. Lenardi, C. Menig, T. Peichl, Car-2-car communication consortium manifesto, DLR Electronic Library 3 (2011) 4.
[10] J. Harding, G. Powell, R. Yoon, J. Fikentscher, C. Doyle, D. Sade, M. Lukuc, J. Simons, Wang, Vehicle-to-vehicle communications: Readiness of V2V technology for application, Technical Report DOT HS 812 014, National Highway Traffic Safety Administration, Washington DC, USA, 2014.
[11] Visiongain, Automotive vehicle to everything (v2x) communications market 20162026, Accessed on October 15, 2018. [Online]: http://www.lelezard.com/en/news10550352.html.
[12] Ertico, Together we bring intelligence into mobility, Accessed on October 15, 2018. [Online]: http://ertico.com.
[13] NTU Media Release, Paving the way for Singapore’s future land transport system, Accessed on October 12, 2018. [Online]: http://media.ntu.edu.sg/NewsReleases/Pages/newsdetail.aspx?news=d04667908dc3-47c2-854b-e1c15efc02b1.
[14] KDDI, Toyota and kddi to jointly promote establishment of global communications platform to support car connectivity, Accessed on October 12, 2018. [Online]: https://global.kddi.com/company/news/detail/toyota-and-kddi-globalcommunications-platform-to-support-car-connectivity.html.
[15] Shanghaidaily, Autonomous connected cars on their way, Accessed on October 12, 2018. [Online]: http://www.shanghaidaily.com/business/biz-special/Autonomousconnected-cars-on-their-way/shdaily.shtml.
[16] W. Viriyasitavat, M. Boban, H. Tsai, A. Vasilakos, Vehicular communications: survey and challenges of channel and propagation models, IEEE Vehicular Technology Magazine 10 (2015) 55–66.
[17] G. Karagiannis, O. Altintas, E. Ekici, G. Heijenk, B. Jarupan, K. Lin, T. Weil, Vehicular networking: a survey and tutorial on requirements, architectures, challenges, standards and solutions, IEEE Communications Surveys & Tutorials 13 (2011) 584–616.
[18] S. Biswas, M. M. Haque, J. V. Misic, Privacy and anonymity in VANETs: a contemporary study, Ad Hoc & Sensor Wireless Networks 10 (2010) 177–192.
[19] C. Weise, V2x communication in europe-from research projects towards standardization and field testing of vehicle communication technology, Computer Networks 55 (2011) 3103–3119.
[20] M. Muhammad, G. A. Safdar, Survey on existing authentication issues for cellular-assisted v2x communication, Vehicular communications 12 (2018) 50–65.
[21] USDT, Intelligent transportation systems joint program office, Accessed on October 15, 2018. [Online]: https://www.its.dot.gov/.
[22] K. Dar, M. Bakhouya, J. Gaber, M. Wack, P. Lorenz, Wireless communication technologies for its applications., IEEE Communications Magazine 48 (2010) 156–162.
[23] EC, Road safety in the European Union trends, statistics and main challenges, Accessed on October 15, 2018. [Online]: https://ec.europa.eu/transport/road safety/sites/roadsafety/files/vademecum 2018.pdf.
[24] K. Zheng, Q. Zheng, P. Chatzimisios, W. Xiang, Y. Zhou, Heterogeneous vehicular networking: A survey on architecture, challenges, and solutions, IEEE Communications Surveys & Tutorials 17 (2015) 2377–2396.
[25] Y. Yang, Z. Wei, Y. Zhang, H. Lu, K. K. R. Choo, H. Cai, V2x security: A case study of anonymous authentication, Pervasive and Mobile Computing 41 (2017) 259–269.
[26] Y. H. Cheng, S. J. Kao, F. M. Chang, A fast safety message transmission mechanism for heterogeneous vehicular networks, Applied Mathematics and Information Sciences 9 (2015) 219–228.
[27] A. Osseiran, F. Boccardi, V. Braun, K. Kusume, P. Marsch, M. Maternia, O. Queseth, M. Schellmann, H. Schotten, H. Taoka, H. Tullberg, A fast safety message transmission mechanism for heterogeneous vehicular networks, IEEE Communications Magazine 52 (2014) 26–35.
[28] G. Araniti, C. Campolo, M. Condoluci, A. Iera, A. Molinaro, Lte for vehicular networking: a survey, IEEE Communications Magazine 51 (2013) 148–157.
[29] T. Toukabri, A. M. Said, E. Abd-Elrahman, H. Afifi, Cellular vehicular networks (cvn): prose-based its in advanced 4g networks, in: Proc. of IEEE 11th International Conference on Mobile Ad Hoc and Sensor Systems (MASS), IEEE, 2014, pp. 527–528.
[30] S. Chen, J. Hu, Y. Shi, Y. Peng, J. Fang, R. Zhao, L. Zhao, Vehicle-to-everything (v2x) services supported by lte-based systems and 5g, IEEE Communications Standards Magazine 1 (2017) 70–76.
[31] IEEE P802.11p, Draft Amendment to Standard for Information Technology Telecommunications and Information Exchange between Systems-Local and Metropolitan Area Networks-Specific Requirements-Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications-Amendment 7: Wireless Access in Vehicular Environment, IEEE P802.11p/D3.0, 2007.
[32] ETSI, European profile standard for the physical and medium access control layer of intelligent transport systems operating in the 5 GHz frequency band, Accessed on October 15, 2018. [Online]: https://www.etsi.org/deliver/etsi es/202600 202699/202663/01.01.00 50/es 202663v0 10100m.pdf.
[33] K. Lim, D. Manivannan, An efficient protocol for authenticated and secure message delivery in vehicular ad hoc networks, Vehicular Communications 4 (2016) 30–37.
[34] IEEE P1609.3, Wireless access in vehicular environments (WAVE) networking services, IEEE P1609.3 D1.2, 2009.
[35] IEEE P1609.2, IEEE P1609.2 trial-use standard for wireless access in vehicular environments - security services for applications and management messages, IEEE P1609.2 D07, 2009.
[36] CCIR, International Radio Consultative Committee, Report 517, Standard Frequency and Time-Signal Emissions: Detailed Instructions by SWG-7 for the Implementation of Recommendation 460 Concerning the Improved Coordinated Universal Time (UTC) System, Technical Report, International Telecommunication Union, Radio Communication Bureau, 1998.
[37] C. Cseh, Architecture of the dedicated short-range communications (dsrc) protocol, in: Proc. of 48th IEEE Conference on Vehicular Technology Conference (VTC), volume 3, IEEE, 1998, pp. 2095–2099.
[38] L. Hu, J. Eichinger, M. Dillinger, M. Botsov, D. Gozalvez, Unified device-to-device communications for low-latency and high reliable vehicle-to-x services, in: Proc. of 83rd IEEE Conference on Vehicular Technology Conference (VTC), IEEE, 2016, pp. 1–7.
[39] S. Zeadally, R. Hunt, Y. S. Chen, A. Irwin, A. Hassan, Vehicular ad hoc networks (vanets): status, results, and challenges, Telecommunication Systems 50 (2012) 217–241.
[40] IEEE Computer Society LAN/MAN Standards Committee, IEEE Standard for Information Technology-Telecommunications and Information Exchange Between Systems-Local and Metropolitan Area Networks- Specific Requirements-Part 11: Wireless LAN Medium Access Control (MAC) and Physical Layer (PHY) Specifications, IEEE Std 802.11, 2007.
[41] R. Uzcategui, G. Acosta-Marum, Wave: a tutorial, IEEE Communication Magazine 47 (2009) 126–133.
[42] ASTM E2213-03, Conversion of ASTM E2213-03 to IEEE 802.11x Format, Doc. IEEE 802.11-04-0363-00-WAVE, 2004.
[43] Y. J. Li, An overview of the dsrc/wave technology, in: Proc. of International Conference on Heterogeneous Networking for Quality, Reliability, Security and Robustness, volume 74 of LNICST, Springer, Netherlands, 2010, pp. 544–558.
[44] N. K. Chaubey, Security analysis of vehicular ad hoc networks (vanets): a comprehensive study, International Journal of Security and Its Applications 10 (2016) 261–274.
[45] 3GPP, LTE Release 14, Accessed on October 15, 2018. [Online]: http://www.3gpp.org/release-14.
[46] G. Remy, S. M. Senouci, F. Jan, Y. Gourhant, LTE4V2X: lte for a centralized vanet organization, in: Proc. of IEEE Global Telecommunications Conference (GLOBECOM), IEEE, 2011, pp. 1–6.
[47] A. Vinel, 3gpp lte versus ieee 802.11p/wave: Which technology is able to support cooperative vehicular safety applications?, IEEE Wireless Communications Letters 1 (2012) 125–128.
[48] Z. H. Mir, F. Filali, Lte and ieee 802.11 p for vehicular networking: a performance evaluation, EURASIP Journal on Wireless Communications and Networking 2014 (2014) 1–15.
1464 1465
1466 1467
1468 1469
1470 1471
1472 1473 1474
1475 1476
1477 1478
1479 1480
1481 1482 1483
1484 1485
1486 1487
1488 1489
1490 1491
1492 1493 1494
1495 1496 1497 1498
1499 1500 1501
1502 1503 1504
[49] Y. Shi, Lte-v: a cellular-assisted v2x communication technology, in: Proc. of ITU Workshop, Huawei, China, 2015, pp. 1–16. [50] H. Seo, K. D. Lee, S. Yasukawa, Y. Peng, P. Sartori, Lte evolution for vehicle-toeverything services, IEEE Communications Magazine 54 (2016) 22–28. [51] S. Chen, J. Hu, Y. Shi, L. Zhao, Lte evolution for vehicle-to-everything services, IEEE Internet of Things Journal 3 (2016) 997–1005. [52] C. Campolo, A. Molinaro, A. Iera, F. Menichella, 5g network slicing for vehicle-toeverything services, IEEE Wireless Communications 24 (2017) 38–45. [53] 3GPP, Feasibility Study on New Services and Markets Technology Enablers, Stage 1, Technical Report TR 22.891 v.14.2.0, Technical Specification Group Services and System Aspects, 2016. [54] NGMN, Next Generation Mobile Networks, Technical Report White Paper, NGMN Alliance, 2015. [55] C. Bernardos, A. De La Oliva, P. Serrano, An architecture for software defined wireless networking, IEEE Wireless Communications 21 (2014) 5261. [56] P. Agyapong, M. Iwamura, K. W. Staehle D, A. Benjebbour, Design considerations for a 5g network architecture, IEEE Communications Magazine (2014) 6575. [57] V. Yazici, U. Kozat, M. Sunay, A new control plane for 5g network architecture with a case study on unified handoff, mobility, and routing management, IEEE Communications Magazine (2014) 7685. [58] M. Boban, A. Kousaridas, K. Manolakis, J. Eichinger, W. Xu, Use cases, requirements, and design considerations for 5g v2x, arXiv preprint arXiv:1712.01754 (2017). [59] T. Zhang, L. Delgrossi, Vehicle Safety Communications: Protocols, Security, and Privacy, volume 103, John Wiley & Sons, Canada, 2012. [60] G. Davis, V2I safety applications: an overview of concepts and operational scenarios, New Jersey State Chapter of ITS America, US, 2012. [61] K. Eccles and F. Gross and M. Liu, and F. Council, Crash data analyses for vehicle-toinfrastructure communications for safety applications, No. FHWA-HRT-11-040, 2012. [62] P. 
Belanovic, D. Valerio, A. Paier, T. Zemen, F. Ricciato, C. F. Mecklenbrauker, On wireless links for vehicle-to-infrastructure communications, IEEE Trans. on Vehicular Technology 59 (2016) 269–282. [63] F. Kargl, P. Papadimitratos, L. Buttyan, M. Muter, E. Schoch, B. Wiedersheim, T. V. Thong, G. Calandriello, A. Held, A. Kung, J. P. Hubaux, Secure vehicular communication systems: implementation, performance, and research challenges, IEEE Communications magazine 46 (2008) 110–118. [64] A. Benslimane, T. Taleb, R. Sivaraj, Dynamic clustering-based adaptive mobile gateway management in integrated vanet-3g heterogeneous wireless networks, IEEE Journal on Selected Areas in Communications 29 (2011) 559–570. [65] S. Ucar, S. C. Ergen, O. Ozkasap, Multihop-cluster-based ieee 802.11 p and lte hybrid architecture for vanet safety message dissemination, IEEE Trans on Vehicular Technology 65 (2016) 2621–2636. 35
1505 1506 1507
1508 1509
1510 1511
1512 1513 1514
1515 1516
1517 1518
1519 1520
1521 1522
1523 1524 1525
1526 1527
1528 1529
1530 1531
1532 1533 1534
1535 1536
1537 1538 1539
1540 1541
1542 1543
1544 1545 1546
[66] Z. Wang, L. Liu, M. Zhou, N. Ansari, A position-based clustering technique for ad hoc intervehicle communication, IEEE Trans. on Systems, Man, and Cybernetics, Part C 38 (2008) 201–208. [67] R. V. D. Heijden, Security architectures in v2v and v2i communication, in: Proc. 20th Student Conference on IT, University of Twente, Netherlands, 2010, pp. 1–10. [68] A. Y. Dak, S. Yahya, M. Kassim, A literature survey on security challenges in vanets, International Journal of Computer Theory and Engineering 4 (2012) 1–4. [69] G. Samara, W. A. Al-Salihy, R. Sures, Security analysis of vehicular ad hoc networks (vanet), in: Proc. of International Conference on Network Applications Protocols and Services, IEEE, 2010, pp. 55–60. [70] R. K. Sakib, Security issues in vanet, Ph.D. thesis, Department of Electronics and Communication Engineering, BRAC University, 2010. [71] V. L. Hoa, A. Cavalli, Security attacks and solutions in vehicular ad hoc net-works: a survey, International Journal on AdHoc Networking Systems 4 (2014) 1–20. [72] M. N. Mejri, J. Ben-Othman, M. Hamdi, Survey on vanet security challenges and possible cryptographic solutions, Vehicular Communications 1 (2014) 53–66. [73] A. Alnasser, H. Sun, J. Jiang, Cyber security challenges and solutions for v2x communications: A survey, Computer Networks 151 (2019) 52–67. [74] G. T. 23.285, Universal Mobile Telecommunications System (UMTS); LTE; Architecture enhancement for V2X Services, Technical Report version 14.2.0 Release 14, 3GPP, 2017. [75] X. Zhang, A. Kunz, S. Schrder, Overview of 5g security in 3gpp, in: IEEE Conference on Standards for Communications and Networking (CSCN), IEEE, 2017, pp. 181–186. [76] G. T. 33.401, 3GPP System Architecture Evolution (SAE): Security Architecture, Technical Report v.14.1.0, 3GPP, 2017. [77] G. T. 33.402, 3GPP System Architecture Evolution (SAE), Security aspects of non3GPP accesses, Technical Report v.14.1.0, 3GPP, 2017. [78] G. T. 
33.222, Generic Authentication Architecture (GAA); Access to network application functions using Hypertext Transfer Protocol over Transport Layer Security (HTTPS), Technical Report v.14.0.0, 3GPP, 2017. [79] T. Taleb, A. Kunz, Machine type communications in 3gpp networks: potential, challenges, and solutions, IEEE Communication Magazine 50 (2012) 178184. [80] S. Husain, A. Prasad, A. Kunz, A. Papageorgiou, J. Song, Recent trends in standards related to the internet of things and machine-to-machine communications, Journal of Information and Communication Convergence Engineering 12 (2014) 228236. [81] G. T. 33.223, Generic Authentication Architecture (GAA); Generic Bootstrapping Architecture (GBA) Push function, Technical Report v.14.0.0, 3GPP, 2017. [82] H. Hasrouny, A. E. Samhat, C. Bassil, A. Laouiti, Vanet security challenges and solutions: a survey, Vehicular Communications 7 (2017) 7–20. [83] N. Jayalakshmi, R. Rajadurai, K. Indumathi, Vehicular network: properties, structure, challenges, attacks, solution for improving scalability and security, International Journal of Scientific and Engineering Research 4 (2013) 152–159. 36
1547 1548
1549 1550
1551 1552 1553
1554 1555 1556
1557 1558 1559
1560 1561 1562
1563 1564
1565 1566
1567 1568
1569 1570 1571
1572 1573 1574
1575 1576 1577
1578 1579
1580 1581 1582
1583 1584 1585
1586 1587
1588 1589
[84] J. Blum, A. Eskandarian, The threat of intelligent collisions, IT Professional 6 (2004) 24–29. [85] ETSI, ITS-security-threat, vulnerability and risk analysis, Technical Report TR 102 893 V1.1.1, ETSI, 2010. [86] G. Yan, S. Olaruis, M. C. Weigle, Providing vanet security through active position detection, Computer Communication, SI on Mobility Protocols for ITS/VANET 31 (2008) 2883–2897. [87] W. Whyte, A. Weimerskirch, V. Kumar, T. Hehn, A security credential management system for v2v communications, in: Proc. of IEEE Vehicular Networking Conference (VNC), IEEE, 2013, pp. 1–8. [88] J. Guo, J. P. Baugh, S. Wang, A group signature based secure and privacy-preserving vehicular communication framework, in: Proc. of IEEE Mobile Networking for Vehicular Environments, IEEE INFOCOM Workshop, IEEE, 2007, pp. 103–108. [89] F. M. Salem, M. H. Ibrahim, I. Ibrahim, Non-interactive authentication scheme providing privacy among drivers in vehicle-to-vehicle networks, in: Proc. of IEEE International Conference on Networking and Services, IEEE, 2010, pp. 156–161. [90] R. S. Raw, M. Kumar, N. Singh, Security challenges, issues and their solutions for vanet, International Journal of Network Security & Its Applications 5 (2013) 1–11. [91] K. Ploessl, H. Federrath, A privacy aware and efficient security infrastructure for vehicular ad hoc networks, Computer Standards & Interfaces 30 (2008) 390–397. [92] M. Raya, A. Aziz, J. P. Hubaux, Efficient secure aggregation in vanets, in: Proc. of 3rd International Workshop on Vehicular Ad-Hoc Networks, IEEE, 2006, pp. 67–75. [93] M. Abuelela, S. Olariu, K. Ibrahim, A secure and privacy aware data dissemination for the notification of traffic incidents, in: Proc. of 69th IEEE Vehicular Technology Conference (VTC), IEEE, 2009, pp. 1–5. [94] G. Calandriello, P. Papadimitratos, J. P. Hubaux, A. Lioy, Efficient and robust pseudonymous authentication in vanet, in: Proc. 
of 4th ACM International Workshop on Vehicular Ad-Hoc Networks, ACM, 2007, pp. 19–28. [95] D. Singelee, B. Preneel, Location verification using secure distance bounding protocols, in: Proc. of IEEE International Conference on Mobile Adhoc and Sensor Systems, ACM, 2005, pp. 1–7. [96] A. Dahiya, V. Sharma, A survey on securing user authentication in vehicular ad hoc networks, International Journal of Information Security 1 (2001) 1–9. [97] M. S. Al-kahtani, Survey on security attacks in vehicular ad hoc networks (vanets), in: Proc. of 6th IEEE International Conference in Signal Processing and Communication Systems, IEEE, 2012, pp. 1–9. [98] A. Rao, A. Sangwan, A. A. Kherani, A. Varghese, B. Bellur, R. Shorey, Secure v2v communication with certificate revocations, in: Proc. of IEEE Mobile Networking for Vehicular Environments, IEEE, 2007, pp. 127–132. [99] M. Raya, P. Papadimitratos, J. P. Hubaux, Securing vehicular communications, IEEE Wireless Communication 13 (2006) 8–15. [100] M. Raya, J. P. Hubaux, The security of vehicular ad hoc networks, in: Proc. of 3rd ACM Workshop on Security of Ad Hoc and Sensor Networks, ACM, 2005, pp. 11–21. 37
1590 1591
1592 1593
1594 1595 1596
1597 1598 1599
1600 1601 1602
1603 1604 1605
1606 1607
1608 1609 1610
1611 1612 1613
1614 1615
1616 1617 1618
1619 1620 1621
1622 1623 1624
1625 1626 1627
1628 1629
1630 1631 1632
[101] M. C. Chuang, J. F. Lee, TEAM: trust-extended authentication mechanism for vehicular ad hoc networks, IEEE Systems Journal 8 (2014) 749–758. [102] H. L. Vinh, A. Cavalli, Security attacks and solutions in vehicular ad hoc net-works: a survey, International journal on AdHoc Networking Systems 4 (2014) 1–20. [103] L. Song, Q. Han, J. Liu, Investigate key management and authentication models in vanets, in: Proc. of IEEE International Conference on Electronics, Communications and Control, IEEE, 2011, pp. 1516–1519. [104] R. Raiya, S. Gandhi, Survey of various security techniques in vanet, International Journal of Advanced Research in Computer Science and Software Engineering 4 (2014) 1–3. [105] Z. Tong, R. R. Choudhury, N. Peng, K. Chakrabarty, P2DAP- sybil attack detection in vehicular ad hoc networks, IEEE Journal on Selected Areas in Communications 22 (2011) 582–594. [106] G. Guette, C. Bryce, Using tpms to secure vehicular ad-hoc networks (vanets), in: Proc. of IFIP International Workshop on Information Security Theory and Practices, volume 5019 of LNCS, Springer, 2008, pp. 106–116. [107] P. Caballero-Gil, Security issues in VANET, Accessed on October 15, 2018. [Online]: http://cdn.intechopen.com/pdfs-wm/12879.pdf. [108] W. Li, H. Song, ART: an attack-resistant trust management scheme for securing vehicular ad hoc networks, IEEE Trans. on Intelligent Transportation Systems 17 (2016) 960–969. [109] L. He, W. T. Zhu, Mitigating dos attacks against signature-based authentication in vanets, in: Proc. of IEEE International Conference on Computer Science and Automation Engineering, IEEE, 2012, pp. 261–265. [110] R. Engoulou, Securisation des vanets par reputation des noeuds, Ph.D. thesis, Ecole Polytechnique de Montreal, Canada, 2013. [111] J. Y. Choi, M. Jakobsson, S. Wetzel, Balancing audibility and privacy in vehicular networks, in: Proc. of 1st ACM International Workshop on Quality of Service & Security in Wireless and Mobile Networks, ACM, 2005, pp. 79–87. 
[112] Y. Xi, K. Sha, W. Shi, L. Schwiebert, T. Zhang, Enforcing privacy using symmetric random key-set in vehicular networks, in: Proc. of International Symposium on Autonomous Decentralized Systems, IEEE, 2007, pp. 344–351. [113] C. Zhang, X. Lin, R. Lu, P. H. Ho, RAISE: an efficient rsu-aided message authentication scheme in vehicular communication networks, in: Proc. of IEEE International Conference on communications (ICC), IEEE, 2008, pp. 1451–1457. [114] C. Lyu, D. Gu, Y. Zeng, P. Mohapatra, PBA: prediction-based authentication for vehicle-to-vehicle communications, IEEE Trans. on Dependable and Secure Computing 13 (2016) 71–83. [115] T. W. Chim, S. M. Yiu, L. C. Hui, V. O. Li, SPECS: secure and privacy enhancing communications schemes for vanets, Ad Hoc Networks 9 (2011) 189–203. [116] C. Zhang, R. Lu, X. Lin, P. H. Ho, X. Shen, An efficient identity-based batch verification scheme for vehicular sensor networks, in: Proc. of 27th IEEE Conference on Computer Communications (INFOCOM), IEEE, 2008, pp. 816–824. 38
1633 1634 1635
1636 1637 1638
1639 1640 1641
1642 1643 1644
1645 1646
1647 1648 1649
1650 1651
1652 1653
1654 1655 1656
1657 1658 1659
1660 1661 1662
1663 1664 1665
1666 1667 1668
1669 1670 1671 1672
1673 1674 1675
[117] R. Lu, X. Lin, H. Zhu, P. H. Ho, X. Shen, ECPP: efficient conditional privacy preservation protocol for secure vehicular communications, in: Proc. of 27th IEEE Conference on Computer Communications (INFOCOM), IEEE, 2008, pp. 1229–1237. [118] J. Sun, C. Zhang, Y. Zhang, Y. Fang, An identity-based security system for user privacy in vehicular ad hoc networks, IEEE Trans. on Parallel and Distributed Systems 21 (2010) 1227–1239. [119] Y. Hao, Y. Cheng, C. Zhou, W. Song, A distributed key management framework with cooperative message authentication in vanets, IEEE Journal on selected areas in communications 29 (2011) 616–629. [120] G. Yan, S. Olariu, J. Wang, S. Arif, Towards providing scalable and robust privacy in vehicular networks, IEEE Trans. on Parallel and Distributed Systems 25 (2014) 1896–1906. [121] Z. Li, C. T. Chigan, On joint privacy and reputation assurance for vehicular ad hoc networks, IEEE Trans. on Mobile Computing 13 (2014) 2334–2344. [122] D. He, S. Zeadally, B. Xu, X. Huang, An efficient identity-based conditional privacypreserving authentication scheme for vehicular ad hoc networks, IEEE Trans. on Information Forensics and Security 10 (2015) 2681–2691. [123] Y. Zhang, C. Tan, F. Xu, H. Han, Q. Li, Vproof: Lightweight privacy-preserving vehicle location proofs, IEEE Trans. on Vehicular Technology 64 (2015) 378–385. [124] X. Lin, X. Li, Achieving efficient cooperative message authentication in vehicular ad hoc networks, IEEE Trans. on Vehicular Technology 62 (2013) 3339–3348. [125] L. Zhang, Q. Wu, A. Solanas, J. D. Ferrer, A scalable robust authentication protocol for secure vehicular communications, IEEE Trans. on Vehicular Technology 59 (2010) 1606–1617. [126] S. Biswas, J. Misic, V. Misic, Id-based safety message authentication for security and trust in vehicular networks, in: Proc. of 31st IEEE International Conference on Distributed Computing Systems (ICDCS) Workshops, IEEE, 2011, pp. 323–331. [127] B. Brecht, D. Therriault, A. 
Weimerskirch, V. Whyte, W.and Kumar, T. Hehn, R. Goudy, A security credential management system for v2x communications, IEEE Transactions on Intelligent Transportation Systems 19 (2018) 3850–3871. [128] M. Simplicio, E. Cominetti, H. Patil, J. Ricardini, M. Silva, The unified butterfly effect: Efficient security credential management system for vehicular communications, in: IEEE Vehicular Networking Conference (VNC), IEEE, 2018, pp. 1–8. [129] R. van der Heijden, S. Dietzel, T. Leinmller, F. Kargl, Survey on misbehavior detection in cooperative intelligent transportation systems, IEEE Communications Surveys Tutorials 21 (2018) 779–811. [130] S. A. Huss, A. Jaeger, H. Stuebing, simTD: safe and intelligent mobility field test germany; architecture and applications for car-to-car communication, in: Proc. of 48th ACM/EDAC/IEEE Design Automation, Workshop on Intra and Inter-Vehicle Networking: Past, Present, and Future, IEEE, 2011. [131] COVER, Semantic-driven cooperative vehicle infrastructure systems for advanced e-safety applications, Accessed on October 15, 2018. [Online]: https://cordis.europa.eu/project/rcn/80576 it.html. 39
1676 1677
1678 1679
1680 1681
1682 1683
1684 1685
1686 1687 1688
1689 1690 1691
[132] CopITS, Cooperative cars and roads for safer and intelligent transportation systems, Accessed on October 15, 2018. [Online]: http://www.copits.org. [133] PRESERVE, Preparing secure vehicle-to-x communication systems, Accessed on October 15, 2018. [Online]: http://www.preserve-project.eu/. [134] J. H. Wilbrod, G. Segarra, Systeme cooperatif routier experimental@ France, Technical Report, TEC 213, 2012. [135] COMeSafety, Communications for eSafety, Accessed on October 15, 2018. [Online]: http://www.ecomove-project.eu/links/comesafety/. [136] Smartway, Smartway Project Development, Accessed on October 15, 2018. [Online]: http://www.nilim.go.jp/lab/qcg/english/3paper/pdf/2005 11 itswc ss26.pdf. [137] Y. Kishiyama, A. Benjebbour, T. Nakamura, H. Ishii, Future steps of lte-a: evolution toward integration of local area and wide area systems, IEEE Wireless Communications 20 (2013) 12–18. [138] BMW, BMW ConnectedDrive, Accessed on October 15, 2018. [Online]: https://www.bmw.com.mt/en/topics/fascination-bmw/connecteddrive/overview.html.
40
1692
Declaration of interests
☒ The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
☐ The authors declare the following financial interests/personal relationships which may be considered as potential competing interests:
Amrita Ghosal obtained her Ph.D. degree in computer science and engineering from Indian Institute of Engineering Science and Technology, India in 2015. She received her M. Tech. degree in computer science and engineering from Kalyani Govt. Engineering College, India in 2006. She is currently a Postdoctoral Researcher at University of Padua, Italy. Prior to that, she was Assistant Professor in the Department of Computer Science and Engineering, Dr. B. C. Roy Engineering College, India. Her current research interests include security and privacy in wireless resource-constrained mobile devices and smart grid, network modeling and analysis. She has published research works in reputed conference proceedings and journals in her field. She has also co-authored a number of book chapters.
Mauro Conti is Full Professor at the University of Padua, Italy, and Affiliate Professor at the University of Washington, Seattle, USA. He obtained his Ph.D. from Sapienza University of Rome, Italy, in 2009. After his Ph.D., he was a Post-Doc Researcher at Vrije Universiteit Amsterdam, The Netherlands. In 2011 he joined the University of Padua as Assistant Professor, where he became Associate Professor in 2015, and Full Professor in 2018. He has been Visiting Researcher at GMU (2008, 2016), UCLA (2010), UCI (2012, 2013, 2014, 2017), TU Darmstadt (2013), UF (2015), and FIU (2015, 2016). He has been awarded a Marie Curie Fellowship (2012) by the European Commission, and a Fellowship by the German DAAD (2013). His research is also funded by companies, including Cisco and Intel. His main research interest is in the area of security and privacy. In this area, he has published more than 250 papers in topmost international peer-reviewed journals and conferences. He is Area Editor-in-Chief for IEEE Communications Surveys & Tutorials, and Associate Editor for several journals, including IEEE Communications Surveys & Tutorials, IEEE Transactions on Information Forensics and Security, and IEEE Transactions on Network and Service Management. He was Program Chair for TRUST 2015, ICISS 2016, WiSec 2017, and General Chair for SecureComm 2012 and ACM SACMAT 2013. He is Senior Member of the IEEE.