Misbehavior detection: Trustworthy V2X communications
Connected mobility, with its focus on the best possible functional and road safety, is possible only through vehicle-to-everything (V2X) communications – when vehicles and infrastructure communicate with one another. V2X constantly provides connected vehicles with a vast amount of information for making decisions, automated or not, that are appropriate for the traffic. The cybersecurity of V2X communications is of central importance, as effective V2X data exchange relies on the information being accurate, trustworthy, and safeguarded against misuse.
PKI systems for Europe and North America
To ensure data security and privacy, V2X communications require a public key infrastructure (PKI) – the Security Credential Management System (SCMS) for North America (NA) and the Cooperative Intelligent Transportation System Credential Management System (CCMS) for Europe (EU). These PKI systems issue pseudonymous credentials that allow communicating vehicles and roadside equipment to trust only authorized senders. SCMS and CCMS have long been deployed in numerous V2X pilot projects and are set to provide the security framework for future national V2X infrastructures and beyond. (Figure 1)
Figure 1: The credential management system provides the infrastructure for secured V2X communications.
However, one critical aspect still needs to be included in the consideration and design of credentials in the future: misbehavior detection. Misbehavior occurs when invalid messages are sent to cause harm or gain an advantage on the road, or due to a misconfiguration or malfunction. Ideally, a vehicle that is guilty of such anomalous or abusive behavior by transmitting false data (e.g. incorrect vehicle location or speed, pretending to be multiple vehicles to manipulate traffic light timing, misinformation about other entities) will be actively removed from the V2X network until the cause of its misbehavior is identified and corrected.
Misbehavior detection: Detecting misuse and anomalies
At present, the V2X sector lacks a complete catalog of behaviors that can be classified as suspicious or as misbehavior. However, there are clues that can help identify a potentially offending V2X device:
- Use of expired or incorrect credentials (e.g. incorrect permission, geofence)
- Sending messages with false signatures or with forged data, whether invalid or valid (e.g. time, location, version number)
- Sending messages with fake and unauthorized information (e.g. to gain precedence)
In these cases, a V2X system consistently uses or transmits information that does not hold up against standard validation or is inconsistent with the receiver’s sensor readings. Detection is comparatively easy here, as the misbehavior can be detected and reported based on a single observation. In addition, data from multiple observers can be pooled to verify misuse or malfunction.
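The single-observation checks listed above can be sketched as a receiver-side validation routine. This is an added example, not code from any SCMS/CCMS implementation; the field names, thresholds and sample messages are assumptions constructed for illustration, and signature verification is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from math import dist

# Hypothetical thresholds for illustration; real deployments define their own.
MAX_CLOCK_SKEW_S = 2.0      # tolerated gap between message time and local time
MAX_RADIO_RANGE_M = 1000.0  # a sender claiming to be farther away is implausible
MAX_SENSOR_ERROR_M = 5.0    # tolerated gap between claimed and sensed position

@dataclass
class Credential:
    valid_from: float
    valid_until: float
    permissions: frozenset   # message types the credential authorizes
    region: tuple            # geofence as (min_x, min_y, max_x, max_y) in metres

@dataclass
class Message:
    msg_type: str
    gen_time: float
    pos: tuple               # claimed (x, y) position in metres
    signature_ok: bool       # result of cryptographic verification, done elsewhere
    cred: Credential

def check_message(msg, now, rx_pos, sensed_pos=None):
    """Return the misbehavior clues found in one received message."""
    clues = []
    c = msg.cred
    if not msg.signature_ok:
        clues.append("invalid_signature")
    if not (c.valid_from <= msg.gen_time <= c.valid_until):
        clues.append("credential_not_valid_at_signing_time")
    if msg.msg_type not in c.permissions:
        clues.append("permission_mismatch")
    min_x, min_y, max_x, max_y = c.region
    if not (min_x <= msg.pos[0] <= max_x and min_y <= msg.pos[1] <= max_y):
        clues.append("outside_geofence")
    if abs(now - msg.gen_time) > MAX_CLOCK_SKEW_S:
        clues.append("implausible_time")
    if dist(msg.pos, rx_pos) > MAX_RADIO_RANGE_M:
        clues.append("implausible_location")
    if sensed_pos is not None and dist(msg.pos, sensed_pos) > MAX_SENSOR_ERROR_M:
        clues.append("conflicts_with_sensor")
    return clues

# Constructed sample data: one consistent message, one with several clues.
CRED = Credential(0.0, 100.0, frozenset({"BSM"}), (0.0, 0.0, 5000.0, 5000.0))
GOOD = Message("BSM", 50.0, (100.0, 100.0), True, CRED)
BAD = Message("SignalPreemption", 150.0, (9000.0, 100.0), True, CRED)
```

A non-empty result is what a receiver would attach to a misbehavior report; an empty list only means that no single-observation check fired.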
Misbehavior authority: Analyzing and correlating messages
Although there is as yet no standard procedure by which a misbehavior authority (MA) in the backend can reliably determine whether a set of reports constitutes misbehavior, the MA can still apply several different instruments to do this. For example, it can correlate reports from multiple senders in the same geographic area to determine if the reports are likely to belong to the same vehicle. It can also search for distinctive features in reported messages that may be related, simply by looking for consistent anomalies it can trace back to a common source.
Once the MA has compiled misbehavior reports into groups likely to belong to the same vehicle, it contacts the appropriate PKI components to validate its findings. This way, the MA can then further refine its queries or decide whether there is actually a misuse or malfunction.
Figure 2: In a misbehavior authority (MA), detected anomalies converge, allowing them to be traced back to the common source and thus verified as actual misbehavior before being added to the revocation list.
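One way an MA could group incoming reports before querying the PKI, shown as an added example rather than a standardized procedure (the text above notes that none exists yet). The report fields, bucket sizes, reporter threshold and sample reports are assumptions constructed for illustration.

```python
from collections import defaultdict

CELL_M = 200.0      # hypothetical grid cell size standing in for "same geographic area"
WINDOW_S = 60.0     # hypothetical time bucket
MIN_REPORTERS = 2   # independent observers required before escalating to the PKI

def bucket(report):
    """Key a report by coarse area, coarse time and the anomaly it describes."""
    x, y = report["pos"]
    return (int(x // CELL_M), int(y // CELL_M),
            int(report["time"] // WINDOW_S), report["anomaly"])

def correlate(reports):
    """Group reports that share area, time window and anomaly type.

    Returns candidate groups whose pseudonyms may belong to one vehicle;
    only the PKI components can confirm that linkage.
    Note: hard grid edges can split nearby reports; this sketch ignores that.
    """
    groups = defaultdict(lambda: {"reporters": set(), "pseudonyms": set()})
    for r in reports:
        g = groups[bucket(r)]
        g["reporters"].add(r["reporter"])
        g["pseudonyms"].add(r["pseudonym"])
    return [
        {"key": key,
         "reporters": sorted(g["reporters"]),
         "pseudonyms": sorted(g["pseudonyms"])}
        for key, g in sorted(groups.items())
        if len(g["reporters"]) >= MIN_REPORTERS
    ]

# Constructed sample reports: three observers see the same consistent anomaly
# under two pseudonyms in one area; a fourth report is unrelated.
REPORTS = [
    {"reporter": "rsu-1", "pseudonym": "P-17", "time": 10.0, "pos": (410.0, 220.0), "anomaly": "speed_offset"},
    {"reporter": "veh-A", "pseudonym": "P-42", "time": 35.0, "pos": (450.0, 260.0), "anomaly": "speed_offset"},
    {"reporter": "veh-B", "pseudonym": "P-17", "time": 20.0, "pos": (430.0, 230.0), "anomaly": "speed_offset"},
    {"reporter": "veh-C", "pseudonym": "P-90", "time": 15.0, "pos": (3000.0, 100.0), "anomaly": "implausible_location"},
]
```

Requiring several distinct reporters keeps a single faulty or dishonest observer from triggering a linkage query on its own.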
Blocking and revocation process
Once misbehavior is detected and confirmed, the blocking and revocation process begins. Blocking declares the vehicle’s registration certificate invalid – as a result, authentication with the registration authority (RA) for requesting and downloading pseudonymous certificates is no longer possible. At the instruction of the MA, PKI components exchange information that links the registration certificate with the erroneous pseudonyms, thus blocking the affected system. In the North American PKI system, the certificate is also placed on the revocation list with corresponding information linking it to the other pseudonyms of the affected system. The vehicle’s onboard unit is subsequently no longer offered any services, preventing requests for new pseudonyms and the download of any previously requested pseudonyms. In short, the vehicle on the blocklist can no longer communicate with the PKI components.
However, blocking cannot prevent a vehicle from using pseudonyms that it has already downloaded. Therefore, to inform other road users in the V2X network that certain pseudonyms have been revoked, the linkage information associated with the blocked vehicle must be added to the revocation list.
Secure V2X ecosystem
Within the context of future closely knit V2X communications and their PKI, new use cases will emerge for which current definitions of misbehavior may not apply. A well-designed system should facilitate the safe deployment and integration of new technologies, not constrain them. Furthermore, many V2X applications go beyond the simple sharing of data and enable road users to proactively request changes in behavior from other road users and infrastructure (e.g. emergency vehicle signal pre-emption). These are the reasons why having a coherent concept for misbehavior detection and its implementation will be important.