Pof: Proof-Of-Following for Vehicle Platoons
Total Page:16
File Type:pdf, Size:1020Kb
Verification of Platooning using Large-Scale Fading Ziqi Xu* Jingcheng Li* Yanjun Pan University of Arizona University of Arizona University of Arizona [email protected] [email protected] [email protected] Loukas Lazos Ming Li Nirnimesh Ghose University of Arizona University of Arizona University of Nebraska–Lincoln [email protected] [email protected] [email protected] Abstract—Cooperative vehicle platooning significantly im- I am AV proves highway safety, fuel efficiency, and traffic flow. In this 2 and I follow AV model, a set of vehicles move in line formation and coordinate 1 acceleration, braking, and steering using a combination of path physical sensing and vehicle-to-vehicle (V2V) messaging. The candidate verifier authenticity and integrity of the V2V messages are paramount to platooning AV AV safety. For this reason, recent V2V and V2X standards support 2 distance 1 the integration of a PKI. However, a PKI cannot bind a vehicle’s digital identity to the vehicle’s physical state (location, velocity, Fig. 1: Platooning of AV1 and AV2: The AV1 acts as a verifier etc.). As a result, a vehicle with valid cryptographic credentials to validate AV2’s claim that it follows the platoon. can impact platoons from a remote location. In this paper, we seek to provide the missing link between the However, the complex integration of multi-modal physical physical and the digital world in the context of vehicle platooning. sensing, computation, and communication creates a particu- We propose a new access control protocol we call Proof-of- larly challenging environment to safeguard. The safety of the Following (PoF) that verifies the following distance between a platoon relies on the veracity of the V2V messages exchanged candidate and a verifier. The main idea is to draw security from the common, but constantly changing environment experienced between platoon members, as falsified messages about ac- by the closely traveling vehicles. We use the large-scale fading celeration, location, and velocity can lead to life-threatening effect of ambient RF signals as a common source of randomness accidents, damage to high-value cargo, and monetary loss [24], to construct a PoF primitive. The correlation of large-scale fading [30], [58]. The key security questions for a platooning appli- is an ideal candidate for the mobile outdoor environment because cation are: (a) who is authorized to participate in the platoon it exponentially decays with distance and time. We evaluate our PoF protocol on an experimental platoon of two vehicles in and how is the identity of the platoon members verified? (b) freeway, highway, and urban driving conditions. We demonstrate how is the integrity of the V2V messages guaranteed? (c) how that the PoF withstands both the pre-recording and following is the veracity of V2V messages validated? attacks with overwhelming probability. Whereas some of these problems can be addressed with traditional information security methods (e.g., source authen- I. INTRODUCTION tication and message integrity), others such as access con- Cyber-physical systems (CPSs) enable a plethora of tech- trol and verification of V2V messages cannot be achieved nological innovations that will dramatically improve everyday cryptographically. To demonstrate this shortcoming, consider life. One prime CPS example is autonomous driving systems the scenario of Fig. 1 where AV1 is followed by AV2: (ADSs) for coordinating a set of autonomous vehicles (AVs) Existing wireless standards, including the IEEE 1609.2 for arXiv:2107.09863v2 [cs.CR] 24 Sep 2021 safely, securely, and efficiently [49], [52]. In ADS, multi- V2V communication [20] and the more recent 3GPP TS ple connected vehicles use on-board sensors and vehicle-to- 33.185 for Cellular Vehicle-to-Everything [3] recommend the vehicle (V2V) communications to coordinate their actions and use of a public key infrastructure (PKI). Using the PKI, the improve on safety, fuel-efficiency, traffic flow, and driving two vehicles can mutually authenticate and exchange messages convenience [6]. When applied on a single lane, this coop- whose integrity and confidentiality are guaranteed. eration model is referred to as cooperative adaptive cruise However, the PKI cannot bind a vehicle’s digital identity control (CACC) and can be used to form semi-autonomous, or to the vehicle’s physical location and state. This allows AV2 autonomous vehicle platoons [25], [28], [48]. Several works to impersonate “ghost” vehicles [7], [16], inject false data have shown that the V2V messages exchanged between pla- from remote locations without following AV1, and ultimately toon members can significantly reduce the platoon following jeopardize the safety and efficiency of the platoon. Note that distance (from 2 seconds to as much as 0.5 seconds), without even if AV1 uses its physical sensors to cross-validate the compromising the platoon safety [27], [43], [51]. information contained in m, this verification cannot serve as a valid proof. For instance, let AV2 request to form a platoon *Z. Xu and J. Li are co-first authors. with AV1 via m. Even if AV1 detects a following vehicle, AV1 has no means to bind the detected vehicle with m. Proof-of-following. In this paper, we seek to provide a new form of access control, which we call proof-of-following (PoF). A PoF aims at binding the digital identity of a candidate vehicle with the property of following a mobile verifier within typical platooning distance, referred to as the following dis- tance. PoF primitives prevent malicious vehicles that do not follow the platoon from remotely injecting messages either via long-range V2V communication or the V2I infrastructure. We emphasize that admitted platoon members that follow the Fig. 2: A platoon of three vehicles with AV3 acting as a platoon closely can still potentially inject false messages. The verifier. The candidate and the verifier execute a PoF by significance of the PoF lies in restricting access to physically sampling the ambient RF signals transmitted by the LTE eNBs. platooning members only, thus substantially increasing the adversarial effort for scaling a false injection attack. Without be standard equipment given the global momentum for the a PoF, a remote adversary could potentially join and impact adoption of the Cellular-V2X (C-V2X) 3GPP standard [2], many platoons simultaneously from a single remote location. [3], [35]. From a security perspective, RF signals decorrelate A PoF protocol provides similar access control to distance rapidly with distance and time, especially when mobility is bounding protocols [5], [8], [47] and proximity verification involved [13], [46]. Thus, predicting the instantaneous RF methods [10], [18], [29], [31], [57] with notable differences. environment other than pre-recording signals along a route A distance bounding protocol verifies that a prover is located or following at a large distance becomes impossible. within bounded distance from the verifier at one time instance Contributions. Our main contributions are as follows. without taking into account mobility and time. A PoF protocol • We define the Proof-of-Following (PoF) security primi- continuously verifies a physical distance bound over time tive for performing physical access control in the context while the involved entities are moving. Although a PoF can be of vehicle platooning. We develop a PoF protocol which implemented as a repeated application of distance bounding, enables a candidate vehicle prove to a verifier that it we are exploring a looser form of verification where the follows the verifier within the following distance. The distance bound does not need to be strictly met at every PoF protocol binds the “following” physical property time instance. This model readily corresponds to a vehicle to the candidate’s digital identity. The protocol enables platooning application where the distance between the pla- new vehicles to join a platoon and also the continuous tooning vehicles could naturally fluctuate. Moreover, distance verification of platooning for existing members. bounding protocols require UWB communications and custom • Our PoF protocol exploits the large-scale RF propagation hardware that has been optimized to minimize the modulation characteristics to correlate the motions of the candidate symbol size and any processing delays to remain secure [47]. and the verifier. We are the first to exploit the large- Main idea of PoF. The main idea of our PoF is inspired by scale fading property (mainly due to shadowing) as a a common car game called “I spy”. In I spy, one player (the new modality. It can accommodate typical platooning spy) chooses a visible object and announces it to other players distances (tens of meters [51]), and we show it is suitable with some attribute description (first letter, color, size). The for outdoor mobile settings due to the unpredictability other players have to guess the spied object. The game is ideal of the surrounding environment. Besides the RF spatial for car journeys because the visible objects are continuously correlation, we also utilize the temporal correlation. renewed. Similar to the common vision of co-travelers in • We demonstrate the security of our PoF protocol against the I spy game, if the candidate and verifier vehicles are an attacker that pre-records the RF environment along the platooning, they should see (sense) the same environment. route of the platoon, one that follows the platoon but at a Security is drawn from the rapidly changing environment longer distance, and one that partially follows the platoon. due to motion. Although several different modalities can be In addition, we show that our protocol is secure against used to sense the environment, we opt to measure ambient Man-in-the-Middle attacks when the verifier’s identity RF signals. Specifically, our PoF protocol exploits the large- is known to the candidate, and adapt our protocol to scale fading characteristics of RF propagation to correlate deal with unknown verifiers using commitments with a the moving paths of the platoon members.