Bachelor Thesis Bachelor's Programme in IT-Forensics and Information Security

Pushing Traffic into the Digital Age

A Communication Technology Comparison and Security Assessment

Digital Forensics, 15 credits

Halmstad 2020-05-27 Christoffer Krantz, Gabriela Vukota HALMSTAD UNIVERSITY

II

Pushing Traffic into the Digital Age

A Communication Technology Comparison and Security Assessment

Christoffer Krantz and Gabriela Vukota

Bachelor of Science with a major in Digital Forensics

School of information technology Halmstad University

Supervisor: Erik Järpe Examiner: Stefan Axelsson

III

IV PREFACE

We would like to thank Eric Järpe and Cristofer Englund for being instrumental in the direction this thesis took, as well as being available for discussions and feedback when it was needed. Additional thanks are directed to Dr Steven Logghe, Bas Heutinck and Erik Lindbloom who gave us valuable insight in how the technology is being used today and giving us additional lines of inquiry to further investigate.

V

ABSTRACT With the rapid advances of technology, digitisation of many facets of our existence is taking place in an attempt to improve everyday life. The automotive industry is following suit, attempting to introduce connected traffic technology that is meant to improve traffic fluidity and safety. To facilitate this, connected vehicles aim to create solutions for the sharing of information between other vehicles, infrastructure - such as traffic light controllers, and pedestrians.

In an attempt to further investigate the connected vehicle landscape of today, the thesis compared the two most prominent technologies, DSRC and cellular communication. An essential part of this comparison was highlighting the potential attacks that the two technologies could be exposed to. This was done in order to open up a discussion on what technology is the most suitable to focus on for the future both in terms of viability and security.

DSRC has been considered the prominent communication technology for connected vehicles, but the development has stagnated. As such, the ever-evolving cellular technology is looking like the superior technology. This, however, is reliant on 5G delivering the speeds, stability and security promised.

The state of constant vehicular connection is going to lead to many issues and concerns, both for the privacy of the individual but also the safety of the public. While connected traffic aims to solve a number of issues from traffic accidents to emissions - if the security of the communication is not constantly evolving to meet the rapid development of new technology, the consequences of connecting such a delicate system might nullify the potential benefits.

Keywords: connected vehicles, connected traffic, IoV, V2X, C-V2X, WAVE, DSRC, WiFi, cellular communication

VI

V TABLE OF CONTENTS

1. INTRODUCTION 1 1.1 History of Connected Vehicles 1 1.2 History of Traffic Light Controllers 3 1.3 Thesis Statement 3 1.3.1 Questions to Answer 4 1.4 Purpose 4 1.5 Problematisation of thesis statement 4 1.6 Demarcations 5

2. METHOD 6 2.1 Literature study 6 2.2 Comparing vehicular communication technologies 6 2.3 Interview 7 2.4 Problematisation of Method 7 2.5 Positioning of Method 7 2.6 Ethical standpoint 8

3. THEORY 9 3.1 Forms of Vehicle Connectivity 9 3.2 Connected Vehicles 10 3.2.1 Connected Vehicles Functions 11 3.2.2 Connected Vehicles Security 14 3.3 Traffic Light Communication 18 3.3.1 Connected Traffic Light Controllers 18 3.4 Vehicular Ad-hoc network 20 3.5 Dedicated Short Range Communication (DSRC) 21 3.6 Cellular Communication 22 3.6.1 How Does Cellular Communication Work? 22 3.6.2 Cellular Communication Challenges and its Solutions 24 3.7 Related work 25

4. RESULTS 27 4.1 Comparing DSRC and C-V2X 27 4.2 Security Challenges in Vehicular Communication 28 4.3 Possible Attacks on Connected Traffic 30 4.4 Examples of Current Industry Practices 34

5. DISCUSSION 36 5.1 Cellular Communication as The Preferred Technology 36 5.2 Keeping Security as The Main Focus 37 5.3 The Future of Connected Traffic 38 5.4 Ethical Aspects of Connecting Traffic 39 5.5 Future work 40

6. CONCLUSION 41

7. REFERENCES 43

VI

VII

DICTIONARY

CAN: Controller area network, a vehicle bus that allows microcontrollers and devices to communicate with each other’s applications without a host computer. C-V2X: Cellular vehicle-to-everything, describes a 3GPP standard communication ​ technology. DSRC: Dedicated short-range communication, the technology utilising WiFi for V2V ​ communication. ECU: Electrical control unit, any embedded system in automotive electronics that controls ​ one or more of the electrical systems or subsystems in a vehicle. IoT: of Things, the interconnection of devices via the internet. ​ IoV: Internet of Vehicles, subsection of IoT relating to connected vehicles. ​ ITS: Intelligent transportation system, systems that provide innovative solutions to improve ​ transportation. LTE: Long term evolution is a broadband for mobile ​ devices. OBD-II: On-board diagnostics, a system to provide diagnostic information about the various ​ other systems in a vehicle. : Telematics is the merger of and informatics. ​ V2X: Vehicle to everything, the umbrella term describing all different types of vehicle ​ communication. VANET: Vehicular ad-hoc network, spontaneous creation of vehicular wireless networks. ​

VIII 1. INTRODUCTION

The intended purpose of developing technology to become more and more digitalised is to deliver benefits that improve aspects of everyday life and increase security. One area that is receiving this treatment is connected traffic, an umbrella term for all technologies that are working together to digitise traffic. Some of those technologies are “Connected Vehicles” and “Connected Traffic Light Controllers” which are the main focuses of this thesis. They are vehicles and traffic infrastructure connected to the internet, allowing communication and sharing of data with and to other vehicles, infrastructure and personal wireless devices [1]. Looking at the security behind this type of communication is essential if the benefits it can provide is to outweigh the disadvantages. The potential risks involved, both individual privacy concerns and potential for interference that causes accidents, could be severe if the security falls behind in development.

1.1 History of Connected Vehicles

The first connected vehicles on the market were made by , working with Automotive when the OnStar was introduced in 1996 [2]. This was a safety system installed in cars of the DeVille, Seville and Eldorado models where the telematics system enabled voice calls to a call centre that contacted emergency responders when an was deployed. Over time, additional capabilities were introduced including GPS locations and the ability to have voice and data simultaneously.

A few years later, more connected vehicle services began to be introduced. Such as remote diagnostics by Continental in 2001. By 2003, vehicle health reports, turn-by-turn directions and network access devices were in the works. Data-only telematics in 2007, and access to Long Term Evolution (LTE) WiFi hotspots offered by A3 in 2014 as well as the first mass deployment of it, by General Motors.

By 2015, more than 1 million vehicles in the U.S. and Canada had Onstar 4G LTE [2]. That same year, OnStar celebrated over 1 billion requests being handled from customers by phone, or wireless services in their vehicles. All of the safety and security services

1 provided by OnStar at the time of writing are Automatic Crash Response, Emergency Services, Roadside Assistance, Crisis Assist, Stolen Vehicle Assistance and Turn-By-Turn Navigation [3]. All of the mentioned services aid in, among other situations, helping customers with crashes, avoiding tornadoes, vehicle diagnostics and directions.

Connected vehicles are an essential element in the Internet of Vehicles (IoV), in which the Internet of Things (IoT) is the foundation. IoT is a network of interconnected things, such as computing devices, sensors, actuators, machines and even people. This concept of interconnecting devices is not new. The first implementation happened in 1982, when a coke vending machine was connected to the internet so that the availability of coke in the machine could be checked [4, p. 4].

IoT allows all kinds of things to interconnect with the purpose of developing smarter environments. With time, new technologies and mechanisms have been developed and introduced. Wireless technologies, machine-to-machine communication (M2M), machine learning, artificial intelligence (AI), and cloud storage are some of the capabilities of today’s IoT. In the last two decades, other than resulting in smart homes, smart healthcare and smart manufacturing - the IoT has also converged mentioned technologies to establish smart traffic in the form of smart roads, intelligent transportation systems (ITS) and IoV.

● Smart roads have sensory systems embedded to warn vehicles of road incidents and provide information on traffic situations.

● ITS enables safer and smarter use of transport networks.

● IoV enables vehicles’ to share information that is collected via the vehicles’ devices to facilitate an easier and safer driving experience.

Car manufacturers that today are some of the most leading in the IoV vision include: General Motors, Google, BMW, Audi, Mercedes Benz, Tesla, VW, Jaguar, and Nissan. By 2020, according to CMSWire, more than 380 million cars are expected to be driven. By 2021,

2 according to Business Insider, 94 million cars are expected to be shipped where 82% of those will be connected [4, p. 5].

1.2 History of Traffic Light Controllers

In 1913, Ford started mass producing their car, the Model T. For the first time, cars were cheap and reliable enough for widespread use. This, however, came before any form of mechanised traffic light controllers were available. Instead, police officers were sent to intersections to try and coordinate the traffic flow [5].

A few early attempts at adopting railroad practices for intersections were tried. The mid-intersection towers had police officers in towers signalling traffic, and that would have a wooden or metal arm that pivoted in different angles to signal to traffic. Neither of these lasted very long. The towers would obstruct traffic while still requiring police officers to man them and the semaphores were too difficult to see while in traffic.

The first example of what would later become the standard traffic light came in 1914 when a traffic light was installed to aid the officers trying to regulate an intersection. This light still needed an officer to control it and was in a sense a connected traffic light that had a telephone, police telegraph and fire telegraph. The expectation was that the officer could clear the intersection for approaching emergency vehicles and be kept in the loop of any changes in traffic conditions that could affect the intersection.

During World War I, engineers developed automatic timers for the military. This technology was quickly applied to traffic light controllers and it spread rapidly throughout the world. Instead of needing police officers to man each signal, you could now shift the work to electrical and traffic engineers to maintain the systems and survey the traffic to find the most optimal cycles.

Smart or connected traffic lights are starting to appear all over the world, these aim to both get rid of the offline timers of the past as well as function as part of the foundation of connected traffic.

3

1.3 Thesis Statement

Fully connected traffic is becoming more and more of a reality. There are several communication technologies vying for the spot as the de facto standard. Connecting such a big facet of our lives can open up several problems relating to security, privacy and freedom. Will the potential benefits of this connectivity outweigh those potential downsides?

1.3.1 Questions to Answer

● How does the DSRC technology and Cellular communication technology compare? ● Do the potential advantages of connected traffic outweigh the potential disadvantages of the additional attack surfaces inherent to the technology?

1.4 Purpose

Connected traffic is a fairly new technology and so the purpose of this thesis is an attempt to investigate how connected traffic works. The authors aim to see if the technology is developed with security as a major focus and if the communication technology used is moving in a secure direction. Therefore, a comparison between the two mentioned communication technologies is of interest, leading up to potential security flaws and/or benefits that could change the world of traffic. The authors want a reader to get a broad understanding of how the technology works, what it means for everyday life and what the risks could be.

1.5 Problematisation of thesis statement

The question regarding the benefits of connected traffic outweighing the disadvantages can be looked at from a different angle. The thesis focuses on the potential opening of attack surfaces with the connected traffic development, which would then compromise security. However, even if this were to be made secure enough that the risks of compromised security were low, there is another potential problem that could occur.

4 If the majority of traffic across the globe grows too reliant on the connectivity of the communication technologies, there is a risk that attacks that threaten the entire system could have disastrous consequences. If a dedicated attack could shut down large swathes of traffic it could cause large scale accidents and economic loss for businesses that rely on transportation. This type of research would, on the other hand, be difficult to perform, considering the limited time and complicated nature of this technology .

1.6 Demarcations

Connected traffic is inherently a very technical field to discuss with numerous potential areas to delve deeper into. The authors lacked the time to fully explore all the minutiae of the technologies discussed in the project and instead decided to take a general approach to the description and comparison of technologies. This lack of time led the authors to forgo real-world tests or simulations that could have been relevant in the thesis, instead opting to focus on literature and previous work.

5

2. METHOD

With the rise of connected traffic, there have been several technologies proposed to handle the communication. There have been numerous discussions on which technology is the superior one. Using a literature study the thesis investigates two of the most prominent communication technologies and the security behind connected traffic in general. The literature study is complemented by interviews with industry professionals.

2.1 Literature study

The purpose of the literature study was to provide ourselves with an understanding of how the technology behind connected traffic works. The results of the study were later used to describe the theory to the reader as well as a basis for the comparison of different communication technologies.

The study was performed by searching databases such as IEEE and Science Direct, access provided by Halmstad University. Researchgate, a free database, was also used. A systematic approach was taken when searching for literature, starting with using key phrases such as “Internet of vehicles” and “connected vehicles”. The authors further refined the searches as they themselves progressed in their understanding of the subject as well as using citations of previous work. Using Google they found books and articles that provided a broader understanding as well as specific scenarios where the technology was used.

2.2 Comparing vehicular communication technologies

Using the information gathered in the literature study, the thesis compared dedicated short-range communication (DSRC) and cellular vehicle-to-everything (C-V2X) direct communication in an attempt to ascertain the benefits and downsides of either technology. This was done to facilitate a discussion on which technology shows the most promise for future development.

6 2.3 Interview

Qualitative interviews with industry professionals were deemed important as a way to confirm the information found in the literature. Examining how the theory found compared to the practicality of implementation.

A semi-structured approach was taken to facilitate an open and dynamic discussion relating to the chosen topics. The contacts were all professionals within the development of connected traffic. They were chosen specifically for their knowledge and experience relating to the subject. The relevant projects the contacts are a part of both take place in the Netherlands.

2.4 Problematisation of Method

In regards to the author's contact with companies that work with and develop connected traffic technologies, there was a limitation issue. Attempts to achieve contact with companies that prefer the implementation of DSRC communication technology were unsuccessful. The contacts who were interviewed are working towards developing cellular V2X and as such were biased towards that technology.

In the search of relevant literature that was to be used in comparing the two technologies, the same issue arose. The vast majority of them provided results that showed cellular communication to be more prevalent in its technology, even though the author’s aim was to find a close or equal amount of information in favour of the DSRC technology to give a more fair assessment of the two.

2.5 Positioning of Method

This thesis uses a literature study to give both authors and readers a baseline knowledge of the subject. That knowledge is then used to shape the thesis throughout. Other work makes the assumption that the reader is already familiar with a lot of the technology being discussed or described.

7 L. Zhao et al.[6​] compares LTE C-V2X with DSRC on a technical level using their own ​ simulations. There is very little focus on explaining the technologies beforehand, opting instead to assume the reader is already familiar.

Other work might focus more specifically on examining one technology without mention of others. D. Jiang and L. Delgrossi[7] focuses on describing how DSRC functions, going in-depth to give the reader a thorough understanding of the technology.

2.6 Ethical standpoint

Researching and discussing security can be a sensitive topic, depending on the situation. In this thesis, where two communication technologies are brought to light, potential attacks that they could be exposed to are acknowledged. The information within the thesis will be published online and therefore publically available. Something that could potentially give readers a negative assumption about the security of the communication technologies used today in connected traffic. The authors state that the mentioned attacks in no way mirror their risk of occurring on said technologies. Only that they are possible in a situation where the technologies were to be compromised. With that said, more recent developments have made it much harder for an attacker that manages to breach one component to move laterally within the system.

8 3. THEORY

Connected traffic is an umbrella term for several types of technology working together. In this chapter, the authors try to give a basic description of all the technology relevant to the thesis. This is to give the reader an understanding of how connected vehicles and traffic function today, how it might work in the future, and the development that has led us here.

3.1 Forms of Vehicle Connectivity

Connected vehicle technology is often referred to as Vehicle to Everything (V2X or V2E) which is further divided into four subcategories, as illustrated in figure 1: Vehicle to Infrastructure (V2I), Vehicle to Vehicle (V2V), Vehicle to Pedestrian (V2P) and Vehicle to Cloud (V2C) [4, p.5].

Fig 1: Illustration of the different forms of vehicle connectivity

9 Vehicle to infrastructure - V2I describes technologies in cars that transmit information to or ​ receive information from some form of infrastructure such as traffic light controllers, road sensors, speed cameras, and parking meters. Mostly wirelessly by either cellular communication or DSRC. This can be used to provide the driver with information about traffic conditions, accidents, best routes or even optimal driving speeds [8]. The purpose is generally to provide the drivers with information that will aid them in real-time to help limit traffic congestion, accidents and to give the driver a safer driving experience.

Vehicle to Vehicle - V2V describes technologies that transmit information between vehicles. ​ By necessity it is wireless, usually DSRC or C-V2X. V2V is used to protect against potential crash threats by letting cars communicate their positions relative to each other and any changes in speed or direction that are being made.

Vehicle to Pedestrian - V2P describes technologies that transmit information directly to and ​ from pedestrians, who make up a large share of road users. It encompasses technology dedicated to keeping pedestrians safe from traffic. One such technology is the pedestrian detection system which aims to warn both vehicles and pedestrians when one or the other is on a collision course. This can be achieved in several different ways: sensors in the vehicle that notices a pedestrian, road infrastructure that notices and communicates to both pedestrian and vehicle, or a location functionality in the pedestrian mobile device that communicates with nearby vehicles.

Vehicle to Cloud - V2C describes technologies that communicate with the cloud to limit the ​ amount of technology needed in the car itself. Cloud solutions let the manufacturers offload the storage and processing of data to remote servers. This lets them use more data-intensive tasks without adding large amounts of technology to the vehicle.

3.2 Connected Vehicles

Connected vehicles are an essential part of the future, where enforcing safety and security is becoming more and more important in the rapid digital development of the world. Some connected vehicles have the ability to access the internet at any time, either by built-in

10 devices or through user devices. It accesses the internet via cellular communications or via a WiFi hotspot and the vehicle itself is a whole ecosystem of computing devices and communication buses that are interconnected [9].

3.2.1 Connected Vehicles Functions

Today’s connected vehicles have three primary integrations of connected systems: embedded, tethered and integrated. Connected vehicles produced around 2010 and after are the first cars with V2X technology [10]. They typically have a head-unit, infotainment system and in-dash system with a screen to where different kinds of systems can be connected. The core component in all connected vehicles that enables a car to connect, is the telematics control unit (TCU) [11].

An embedded system is the equipment in the vehicle that contains the hardware and software along with a SIM card, which enables the vehicle to immediately connect. The OnStar system is such a system. A tethered system is similar to an embedded system but requires the driver to provide their own SIM card-equipped device, typically a cellular phone. Finally, an integrated system is one that relies on the driver’s to emulate its services and applications. The kinds of systems that can be connected are the following:

Infotainment - This is a combination of systems that deliver entertainment and information to the driver using many different features, such as audio and/or video, touch screen displays, button panels, voice commands and hands-free controls, and a wide range of other features [12]. One of the most common, critical features of vehicle infotainment systems is smartphone pairing. Thanks to connectivity users can manage calls, read and send emails or text messages, listen to music and other audio, display image or video content, utilise GPS navigation and more. Remote applications can also provide remote start, door opening/closing, air conditioning, location tracking, alerts and monitoring of other people using the vehicle and more.

11 Music streaming is moving towards a service that can be customised. It can be adapted to play songs analogous to how the car moves in different environments and show recommendations of music that can be adapted to the user. Different parameters such as traffic conditions, landscapes, weather and the driver’s mood can influence these recommendations.

Other services that are available in a lot of connected vehicles consist of video streaming, games and internet browsing. Social networks where V2V connections enable social interaction between road users, as well as integrating generic social networks into the vehicle’s dashboard and more [9].

Safety - Not only are today’s connected vehicles equipped with physical safety for the driver, such as belts and but also with technology to reduce the risk of drivers, passengers and pedestrians being exposed to all types of automotive danger. Some of the available features [13] include automatic emergency braking (AEB). This alerts the driver of approaching vehicles or objects while reversing. It is done with the help of sensors and when an object is detected, the system can stop the vehicle to prevent impact.

Night vision safety technology is another one of the multiple safety systems available. It uses far-infrared imaging to scan the road for moving objects (e.g. pedestrians and animals) based on their body heat and movement, to then alert the driver. Other safety features include [9]: Detection of driver fatigue, distraction, anger and stress or even intoxication through sensors and computer vision applications. These detect different behaviours of the driver such as eye movement, eye rubbing and yawning, patterns in the voice, heart rate, steering wheel speed, breath and touch.

Accident avoidance and assistance is done through road analysis to spot risks on the road and avoid sudden obstacles by changing the driving path. Upcoming possible crashes can also be detected using radars, lasers and video sensors to then be signalled to the driver, or automatically mitigated by the car itself. If and when an accident does occur, smart systems in the vehicle can notify the nearest service available that is capable of providing road and/or

12 medical assistance.

Remote maintenance, roadside and vehicle assistance can also be available. Information is gathered on the vehicle’s conditions and diagnostics of malfunctions to be provided to the car manufacturer. This way, the right assistance can be provided to the driver to minimise the risk of an unexpected car breakdown. Regarding theft, it is possible to block the vehicle and to have proper authorities alerted.

Diagnostics - Usual fault detection in vehicles is typically displayed on its instrument panel ​ by the on board diagnostics (OBD-II) system, to warn the driver of different types of malfunctions concerning critical components of the vehicle such as the motor, battery, tires, etc. Using OBD-II equipment is also a common practice for monitoring every component of a vehicle that can affect emission performance [14]. Other available diagnostic features in today’s connected vehicles include the vehicle presenting regular health reports.

Traffic efficiency - There are plenty of available services in connected vehicles to aid in ​ traffic flow efficiency. Navigation, online route planning and street view help a driver plan their route to different places, to get information on fuel prices and maps of available parking spots. Monitoring of traffic, weather and road conditions can also be done by connected vehicles. The information can then be communicated to other vehicles and infrastructure so that it can further be provided to other drivers [9].

The modern connected vehicle generally has three ways to guide the driver to different locations. A display of a map with directions to the specific area the driver wants to travel to, a display of a list containing every next turn and, a turn-by-turn display of pop-ups with information on the following turn [15]. If a navigation system is not built-in, the driver can also use a smartphone application that connects to the vehicle. This method is more distracting for the driver, unlike the built-in navigation systems that provide the driver with all necessary information on the route in a single display. Other navigation features that exist are text alerts that provide the driver with information on when is the best time to leave the current location. Real-time traffic and real-time weather features give notifications on traffic situations and weather warnings.

13

3.2.2 Connected Vehicles Security

It is known that hackers have successfully broken into a variety of different IoT-devices [16], such as mobile phones, web cameras, baby monitors, medical devices, etc, as well as cars and what is known as IoV. Cybersecurity is therefore in constant development, but so is digitalisation which continues to grow faster than the security itself - increasing the potential attack surfaces of different technologies [17].

What makes IoT, and in its turn connected vehicles so vulnerable is the fact that devices and their data interconnect across great systems consisting of sensors, chips, other devices, machines and software. This opens up possibilities to control and manipulate these technologies with malicious intent [16]. There have been multiple different tests done on the cybersecurity of connected vehicles. The authors’ are going to mention some of the more recent ones. This is to give an idea of what the security threats and breaches at that time on connected vehicles looked like, what data could be retrieved from it and how.

The Connected Vehicle Ecosystem In 2017, an article was published where attention was brought to cybersecurity in connected vehicles [18]. The authors gave insight on the latest vehicle cybersecurity threats caused by the fact that connected vehicles become exposed in the whole IoT ecosystem, thus becoming new targets for attackers. A car that has been hacked into can not only be threatening to the car owners personal data, but also threatening for their life if an attacker would choose to interfere with the steering and brake system, the motor, the doors, the airbag deployment, etc. by performing remote attacks through the electrical control unit (ECU).

The amount of ECUs in modern cars has increased and continues to increase as more features are added, ranging from 30 up to 150 ECUs per car as of 2018 [19]. Together they create an in-vehicle network where they intercommunicate to monitor and configure different vehicular subsystems. Such as the infotainment system, embedded telematics, video cameras, vehicle safety and so on.

14

Each subsystem of ECUs controls a specific functionality in the vehicle. One of the subsystems is the Controller Area Network (CAN). It is used for engine control, safety subsystems and powertrains. The CAN is interconnected to gateways, which are then interconnected to the IVI subsystem. IVI supports audio, video and on-board cameras among other things, and also . Another aspect of connected vehicles is the possibility to connect outside devices through USBs, WiFi, , 4G and 5G such as mobile telephones, mostly [18]. In conclusion, at the time of the 2017 article being written, any vehicular system connected to the internet automatically meant all other systems interconnected to that one, could potentially be reachable by hackers.

Gaining Remote Access to a Connected Vehicle One example of a vehicle cybersecurity breach was the permitted remote attack on a Cherokee Jeep in 2015 by Charlie Miller and Chris Valasek [20]. They were able to gain remote access, sitting in Miller’s basement while Andy Greenberg, the driver and owner of the Jeep, was driving on the highway 10 miles away. Greenberg was unaware of what types of attacks they would conduct, only told the attacks would not be life-threatening and that he should not panic.

Miller and Valasek gained remote access to the Jeep through Uconnect, an Internet-connected computer feature in hundreds of thousands of Fiat Chrysler cars, SUVs and trucks. It controls the vehicle’s infotainment system, enables phone calls and offers a WiFi hot spot. The vulnerability that Miller and Valasek were able to identify was that the Uconnect’s cellular connection also let anyone who knew the car’s IP address gain access to it. So Miller used an old burner phone as a WiFi hotspot, tracking connected vehicles using its 3G .

The results revealed the GPS coordinates along with the vehicle ID numbers, makes, models and IP addresses of multiple cars, including Andy Greenberg’s. Miller and Valasek then proceeded to toy with the Jeep’s air-conditioning, radio and windshield wipers, followed by a cut of transmission for the accelerator. Had this not been a test, this type of attack could have had a fatal outcome for the driver. As a result of Miller’s and Valasek’s experiment, Chrysler recalled 1.4 million vehicles and blocked the wireless attack.

15

Malicious Attacks on Connected Vehicle Components In 2018, an ethical hacking research project was conducted by Keen Lab for multiple BMW car models [21]. In recent years prior to the research, BMW cars had been equipped with Infotainment systems and Telematics Control Units that are connected to the internet, just like other vehicle brands. Even though the purpose of this technology is to improve the customer’s driver experience, it had also opened up new attack surfaces. Findings proved that local and remote access was possible to the infotainment system and T-Box (a connected vehicle standard terminal)[22] components.

Vulnerabilities were found in the infotainment system, telematics control unit and central gateway module (transmits and evaluates data between busses of various vehicle domains [23]) where exploitation could be done through the vehicle’s external I/O interfaces, such as USB, OBD-II and the . Specifically, regarding remote attacks, the telematics could be triggered to control vehicular functions by sending malicious CAN-messages to the internal CAN-bus, by taking advantage of 14 different vulnerabilities existing in the different vehicle components.

Attacks Applicable on most Connected Vehicles In 2019, research was done on the security of the 2017 Skoda Octavia vRS [24] through physical and remote attacks, focused on end-user accessible interfaces. However, the results provide a generalised cybersecurity testing model, applicable and replicable to the majority of vehicular technologies at the time. The attack surfaces identified for the Skoda Octavia were the short-range wireless system (specifically key fob), different user interfaces such as the OBD-II, connected devices, ECU and Infotainment system. Finally, the internet access was tested through the infotainment system and the web browser.

Focusing on connected parts that were breached, findings concerned the infotainment system. A compromised connection was simulated by connecting the infotainment system to a private WiFi network. Thereafter it was scanned using a port scanner at which a number of open ports were found. The open ports were then tested using NetCat (a utility), to which one of the ports responded with information. Without any authentication

16 requirements, the researchers gained access to plain text data. This included GPS location, call history, phone book contact details, current vehicle speed, current mileage and more. A directory listing was also run against the car, the web-server and the web-browser to find hidden directories. The information retrieved was similar to the ones mentioned when scanning open ports. Other findings required physical access to the vehicle components in question and are therefore non-relevant to this thesis.

Increased Security in Today’s Interconnected Systems of Connected Vehicles The mentioned security vulnerabilities that have resulted in attacks on connected vehicles must continue to be mitigated and worked against systematically. That is why vehicle conventional ECUs and CAN buses will be complemented with ECUs that are connected by CAN, local interconnect networks and FlexRay data buses [25]. This enables a variety of features that will both keep the internal network of the vehicle secure and safer from attacks, and in its turn beneficially aid the development of the connected vehicle security for those driving it. One example of this is an intrusion detection system (IDS) integrated into ECUs. It monitors the CAN buses and detects abnormal behaviours which it logs or reports and sees as potential attacks.

Autosar is an open and standardised software program, developed jointly by automakers and other automotive interested parties for ECUs [26]. They deliver, among other things, a high degree of IT security in connected vehicles. One of their multiple security models is called SecOC and specifically secures CAN communication. Another one, referred to as Identity and access management, ensures that only authorized applications can access certain systems in the vehicle’s ecosystem.

The ECUs in connected vehicles play a critical role when it comes to protection against cyber attacks. ECUs today are only able to authenticate themselves with cryptographic keys to legally communicate and exchange data within the electrical system and the outside world. The challenge lies in the different original equipment manufacturers (OEM) to supply their ECUs with specific key material and certificates at the initial production. Fortunately, the process of implementing secure and precise ECU data assignment with cryptographic keys is used worldwide in ECU production for numerous different automotive manufacturers [25].

17 As such, further developing technologies that want to communicate with the connected vehicles will be rendered easier - thanks to the existing security in place within the ECU.

3.3 Traffic Light Communication

Though the benefits of a connected traffic controller were something seen even with the first version of traffic lights in 1914, the technology to maintain it wasn’t available until more recent developments in wireless communication. Traffic lights today are still generally fairly static in their function. Without any way of communicating or reacting dynamically, they have to have pre-set timing plans that are generated offline by analysing long-running statistics.

As the vehicle density in urban areas increases, this lack of adaptability leads to more and more inefficiency in heavier traffic flow. This is one of the things connected traffic light controllers aim to solve by being adaptable to the current situation instead of based on traffic measurements that might become outdated [27].

3.3.1 Connected Traffic Light Controllers

A modern intersection, much like an IoT device, can consist of sensors and actuators. The sensors are used to detect cars, traffic conditions and to inspect the infrastructure. This can be done with video surveillance or, for the detection of vehicles - induction loops, that measure the induction of metal bodies that pass over them [28]. The actuators, in the case of an intersection, would be the traffic light controllers. They react to the sensor information to determine the current state of the traffic lights. There are a few ways the controllers can operate.

● The fully offline approach, where they rely solely on pre-set timing. ● Semi-actuated mode, where the main street runs continuously while the side street only activates if there is traffic. ● Fully-actuated mode, where both streets react to sensor input and decide the timings based on that information.

18

Traffic light controllers often have a hardware level failsafe called the Malfunction Management Unit (MMU). It monitors the output of the traffic light controllers to ensure that no conflicting light states occur, such as green in every direction. The safe light-states are hardwired into the unit to provide protection against software-based tampering. Should the unit detect an unsafe configuration being sent out it will instead default to a preprogrammed safe state, such as every light blinking yellow. When they enter this failsafe mode a manual reset is required [29].

There are multiple proposed technologies and strategies for how the connected traffic light controllers are to be handled. Dr Walter Zimdahl proposed an idea as early as 1984 of how to go about this. The biggest issue in his opinion was the fact that there was no infrastructure in either cars or traffic controllers and getting someone to develop and adopt one without the other was going to be difficult [30]. This shows that the idea has been around for a long time, and the technology is now finally in a place where the implementation is very much feasible.

Gradinescu et al [27] propose a cluster-based V2V based system that creates virtual clusters in traffic, that then transmits information such as density of vehicles and average speed to traffic light controllers located in urban intersections. These could then, in turn, determine the optimal times for green and red lights to reduce the number of vehicles waiting at any given time. This decreases the average travelling time and improves the traffic conditions in cities.

Cluster-based vehicle communication can be combined with Green Light Optimised Speed Advisory (GLOSA) which is another strategy designed to reduce the Co2-emissions, stop times, enhance traffic fluidity and even improve the safety in intersections. This is accomplished through instructions to the driver on the optimal speed, within the legal limits. It can be accomplished either with preprogrammed timers for the offline traffic lights or connected to any of a multitude of technologies that handle wireless communication [31].

19 3.4 Vehicular Ad-hoc network

Vehicular ad-hoc networks (VANET) is a subcategory of Mobile ad-hoc networks (MANET) that is specific to vehicles and most often works within dedicated short-range communication (DSRC or C-V2X). MANETs operate dynamically in that every is free to move around independently of other nodes in the network. The network configures itself based on the nodes connected at the time and reconfigures when a node leaves or enters. This can be a number of cars on a road or vehicles arriving at a connected intersection, as illustrated in figure 2. A distinguishing aspect of VANETs compared to other networks is its content-centric distribution, where the content of the message is more important than the source [4, pp. 8-9]. To ensure safety and privacy however, the vehicle nodes must be given unique IP-addresses the same way normal networks are. This presents problems in a decentralised ad-hoc system such as VANETs, where there is no central server to assign addresses. There are protocols that work to some degree, but many fail to handle the detection of duplicate addresses, which in turn can create security concerns if something were to happen and cars can not be identified. This can be solved should the VANET use cellular communication for addressing instead of trying to rely solely on DSRC [32].

20 Fig 2: A connected intersection, cars arrive and enter a wireless connection with the roadside units.

3.5 Dedicated Short Range Communication (DSRC)

IEEE 802.11 is the standard most people refer to as WiFi. In 2010, the IEEE 802.11p WAVE standard was amended onto the existing 802.11 one, WAVE standing for Wireless Access in Vehicular Environments[7]. IEEE 802.11 is a protocol that defines the specifications for the MAC and Physical layer when implementing WLAN communication. In 802.11, communication networks are divided into service sets which are identified by their service set identifier (SSID). These networks are further divided into basic service sets (BSS), which are devices within the networks, with their own basic service set identifiers (BSSID) [33].

There are several steps that need to happen when a device wants to connect to a BSS. You start by listening for a radio to find the specific Access Point that will let you connect to the BSS you’re looking for. You then join through a number of steps such as authentication and association. In vehicular communication, you generally can not wait for

21 those steps to finish. Imagine a highway with two cars driving opposite directions. The time in which they interconnect is very short. As such, you need the capability of instantaneous communication [7].

The WAVE amendment lets vehicles operate in WAVE mode which means that they can broadcast on the wildcard BSSID, a channel normally reserved for a specific type of management frames. This means that two vehicles can communicate with each other without the overhead needed in normal 802.11 communication.

WAVE also introduces a new BSS type called WBSS (WAVE BSS). A station transmits a beacon that advertises that it is a WBSS station. This transmission contains all the necessary information a receiving station needs to decide whether or not to connect without going through all the steps of authentication. This, however, necessitates security solutions in the upper layers. 802.11p aims to not change much in the physical layer so as to not require the development of new devices, instead the changes are minimal in an effort to make smaller changes in existing devices feasible.

3.6 Cellular Communication

The cellular communication technology used for communication between connected vehicles and other vehicles, infrastructure, pedestrians and networks is the 3rd Generation Partnership Project (3GPP)-defined C-V2X. It uses the standardised 4G LTE or 5G mobile cellular connectivity and is an alternative to the WiFi technology, 802.11p. [34]. Today’s and many future connected vehicle-services are already supported by 4G LTE, but real-time communication for a range of advanced and high demanding services will be provided by 5G [35].

3.6.1 How Does Cellular Communication Work?

C-V2X is based on cellular mobile networks and operates in several modes, as illustrated in figure 3 [34][36]:

22 Device-to-Device - Includes V2V, V2I and V2P direct communication without having to necessarily rely on a network for scheduling. Device-to-Cell Tower - Is a communications link for V2I and is important to end-to-end solutions. It enables network resources and scheduling by also making use of existing operator infrastructure. Device-to-Network - Is V2N communication using traditional cellular links. This enables cloud services to be a part of the end-to-end solution.

Fig 3: The different modes of cellular mobile networks

The general architecture for delivering cooperative intelligent transport systems (C-ITS) messages includes a V2X Application Client and a V2X Application Server. The application client can be at vehicles, personal devices or road-site units that are all supported with cellular connectivity. The application server is at the backend or edge servers, that are accessible by application clients through cellular networks. An application server can handle message communication with an application client and also process the received message to

23 make decisions on spreading it further to the correct receivers. Since the application client transmits messages to the application server using cellular uplink communication, and the application server uses cellular downlink communication to transmit the messages - the V2X messages are always processed by the application server at the application layer before being spread to more application clients. This method is beneficial for prevention of spamming or misuse of the cellular communication channel and to protect user privacy [37].

3.6.2 Cellular Communication Challenges and its Solutions

Many C-ITS services need the ability to spread their messages to all relevant vehicles in a specific geographic area, even when identity information of receivers is secured from the transmitter. C-V2X has a special feature for that, known as GeoCasting. This feature can spread messages associated with information about the target area. It can identify receivers using the associated information through a -fencing mechanism and then deliver the messages to those receivers.

Advanced driver-assistance systems (ADAS) have demanding requirements regarding guaranteed communication latency, reliability, system capacity and service continuity. But with the continuous rise of 5G networks, C-V2X offers ultra-low latency, traffic separation through network slicing, Quality-of-Service maintaining and fast inter-mobile network operator mobility solutions to keep vehicles connected when crossing borders.

As mentioned before, one of the primary goals of connected vehicles is to maximise safety. One way to fulfil that goal is to ensure that users of the same service can interoperate with each other. However, the whole ecosystem of connected transportation involves different mobile network operators, regional transportation authorities and third-party service providers. They may implement different solutions when offering the same services. In , a solution for this has been developed and tested by NordicWay where the concept of using interchange servers has arrived, to interconnect backend systems of ITSs in a scalable way. The mentioned solutions are essential for services provided through cellular networks, such as C-ITS and ADAS, and to maintain connected vehicles as secure as possible [37].

24 3.7 Related work

Looking at connected cars and the communication technology behind them is a very broad topic. A. Ghosal and M. Conti take a similar approach as our thesis in their work, “Security ​ issues and challenges in V2X: A survey” [38]. Their survey brings light to V2X and ​ ​ ​ discusses its key security issues and challenges in V2X communication technologies. The authors focus on standardisation techniques and then introduce the challenges along with the requirements of V2X, as well as application projects regarding road safety and traffic management. The main objective is to provide a broad but structured summary of different research directions and approaches regarding this topic.

A more technical approach can be seen in “The performance comparison of LTE-V2X and ​ IEEE 802.11p” [6] by L. Zhao et al. This paper is more targeted towards the technical aspects ​ ​ ​ ​ of V2X communication technologies. More specifically, the authors focus on challenges and detailed design issues in LTE-V2X and IEEE 802.11p, as well as a performance comparison on link level and system level between the two .

Both previous mentioned works focus on a comparison between technologies, looking at V2X in a fairly broad sense. M. Hashem Eiza and Q. Ni take a more focused approach in “Driving with Sharks: Rethinking Connected Vehicles with Vehicle Cybersecurity” [18]. They ​ ​ delve deeper into specific scenarios of different attacks, what vulnerabilities that exist and what the consequences are should those be exploited.

An even further narrowing down of the topic can be seen with C. Urquhart et al’s investigation in “Cyber-Security Internals of a Skoda Octavia vRS: A Hands on Approach” ​ ​ [24] where they focus specifically on one car. While, as mentioned, security in connected vehicles is a broad topic with many facets, it can be narrowed down significantly. C. Urquhart et al investigates a Skoda Octavia vRS 2017 and uses their findings to facilitate a discussion on cybersecurity in vehicles as a whole.

25 4. RESULTS

In this chapter, a comparison of the two main technologies in connected traffic is made. There is a battle going on in the market between different wireless technologies regarding the communication in V2X. More specifically, the division concerns cellular communication versus WiFi-communication. Both technologies are used in different ways. DSRC, a specialised form of WiFi, was developed specifically for V2V communication. C-V2X, a cellular-based communication protocol, was developed for vehicles communicating to surrounding infrastructure and devices.

A list of potential attacks on areas such as availability and privacy that could be damaging to either technology is presented. An important side of discussing security is knowing what types of threats you face and how to mitigate them. The two companies interviewed focus their work on cellular communication, mostly using applications for smartphones. However, they are constantly working on the potential integration of this technology into vehicles and the development of more secure solutions.

4.1 Comparing DSRC and C-V2X

In early 2019 the European Commission proposed legislation that would mandate that WiFi would be the technology used in vehicular communication [39]. This was proposed on the basis that when the discussion started WiFi was the more mature technology, it was ready for deployment. This would lead to safer roads much quicker than alternate strategies. However, when the commission proposed the Delegated Act on C-ITS, cellular technologies had grown from what they were when the discussions first started. As such, several member states of the EU were opposed to the act which would limit vehicular communication to only WiFi. They argued that doing so would lead to Europe falling behind in the development of connected vehicles, instead keeping the development open for either technology and letting time tell which is superior.

DSRC technology utilising 802.11p, while designed specifically for vehicular communication, often falls behind cellular communication in many facets. One of the main

26 advantages WAVE had over cellular was the availability of the technology and the readiness of deployment, as well as its superior ability to communicate directly instead of relying on networks [40]. Further developments in cellular communication by 3GPP has introduced a contender in that area, LTE-V2X. It was designed to directly contend with 802.11p and integrate better in other cellular communication solutions [41].

In more recent simulations made comparing DSRC with different cellular technologies [6][41], the cellular technologies came out on top in most scenarios that had a higher rate of congestion. While DSRC did perform slightly better in lower congested areas, LTE-V2X manages better range and general stability overall.

DSRC also suffers from low market penetration, while it has been readily available, it has not been adopted as widely as it would need for it to function as the main V2X technology, compared to cellular which is readily available throughout the developed world [4, pp. 72-73]. For DSRC to work the way it is intended there would have to be a massive deployment of roadside units to support it, this would be a massive and expensive undertaking. On the other hand, cellular technology will be deployed regardless of the vehicular application and adapting it to fit the needs of V2X would be cheaper.

One of the biggest downsides to DSRC is the fact that there is no apparent way of further developing the technology to meet future demands from the automotive industry. Further, with it being developed for rapid transmission short-range messaging it can not support the higher bandwidth demands associated with fully autonomous driving, a technology that will rely heavily on vehicular communication [42]. Cellular communication, on the other hand, is rapidly evolving with the emergence of 5G.

4.2 Security Challenges in Vehicular Communication

One of the main points of consideration when looking at the different technologies is the security aspects. There are a number of challenges in V2X security affecting either technology, such as how to authorise, authenticate and encrypt messages without increasing

27 the latency to an unacceptable level. None of the technologies solves that in of itself, instead, relying on layers above the actual communication to handle the security [43]. Some of the major challenges to implementing security are the balance of security and privacy, delay sensitivity, low error tolerance, mobility, heterogeneity and policy creation [4, p. 233-235].

Security and privacy balance - The communication must be able to send secure messages ​ without violating the user’s privacy. The messages must, at the same time, be authenticated without revealing the identity of the vehicle in order to hinder vehicles being tracked this way. However, accountability must be identified in case of accidents [4, p. 233].

Delay sensitivity - The communication of safety applications are time-critical and any delay ​ could result in accidents. This puts restrictions on the type of authentication and encryption that can be used, as they need to be both fast and reliable enough to meet the demands [38].

Low error tolerance - Similar to delay sensitivity, the error tolerance is low because of the ​ safety-critical nature of messages being sent. If there is an error in the communication that leads to a message not arriving or being faulty, this again can lead to accidents [4, p. 233].

High mobility - The high mobility nature of connected vehicles means that the time they ​ spend connected could be very low. This limits the time the network can spend establishing a secure connection. The short time spent connected hinders the network's ability to reliably send messages to the right nodes in the network before the link is broken [4, p. 233].

Heterogeneity - The devices in these networks will come from several different ​ manufacturers using different parts in their systems. They will come from different countries with potentially different policies. This makes developing technologies that can work with all systems difficult [4, p. 233].

Security Policies - Without ground rules that apply to all developed devices there will be ​ difficulties in securing the communication. Extra processing will have to be put into determining what protocol will work with different types of devices [38].

28 4.3 Possible Attacks on Connected Traffic

With the importance of security in these technologies, knowing what attacks are possible is critical to securing the communication. There are several areas that attacks can affect viz: Authentication - The process of verifying the identity of a user or device. ​ ​ ​ Authorisation - Determining what a user or device is allowed to do. ​ Availability - Making sure information that needs to be available is available. ​ Confidentiality - Making sure information is only available to authorised devices/users. ​ Identification - The ability to identify the user or a running application of a system. ​ Integrity - To protect data from deletion or modification from any unauthorised party. ​ Privacy - Keeping data safe and private. ​ Table 1 mentions each attack and what type of service is affected.

Name of attack Compromised Name of attack Compromised services Services

Brute Force AC, AZ, C Message spoofing AC, A, C, I

Man-in-The-Middle AC, C, I, ID, P Message tampering AC, A, I

Masquerading AZ, ID, I Wormhole AC, ID

Impersonation AC, C, ID, P DoS/DDoS AC, A

Replication AC, ID Jamming A

Sybil AC, A, ID Black Hole A

Replay AC, C, ID, I, P Gray hole A

Eavesdropping AC, C, I, P Malicious software All

Traffic analysis C, P Table 1: Attacks and affected services (Authentication (AC), Authorization (AZ), Availability (A), ​ Confidentiality (C), Identification (ID), Integrity (I), Privacy (P))

Brute force - This attack compromises the confidentiality and authentication of messages ​ and takes place while trying to gain unauthorised access to, in this instance, a network. The attacker will submit passwords or passphrases in hope of eventually guessing correctly. It is,

29 however, tough to execute due to resource constraints and short connection times. A solution for this is key generation algorithms and strong encryption so that it can not be breached within a reasonable time frame [38].

Man-in-The-Middle (MITM) - Integrity, authenticity and non-repudiation are violated in ​ this attack. It is one where information between two vehicles, sender and receiver, is being intercepted and one of them is then being impersonated to spread false messages. This type of attack can be very sensitive due to its possibility of causing disastrous outcomes, such as loss of property and even fatal accidents. Solutions include strong authentication and confidential communication through powerful cryptography with short-lived keys that change continuously [38].

Masquerading - A masquerade attack is used as a base for performing other attacks, by ​ pretending to be a valid vehicle and proceeding to create a black hole or generate false messages. It can be used to pose as e.g. an emergency vehicle to influence other drivers to change route and speed. This is mitigated through the use of non-repudiation techniques [44][38].

Impersonation - Similar to masquerading, where it is a first step for other attacks, the ​ identity or credentials of other vehicles are used to cause disturbances in the network and/or gaining privileges that result in congestion or accidents. Applying several key-based mechanisms can help to provide strong encryption, as well as user authentication using digital signatures and also using variable MAC and IP addresses [44] [4, p. 237].

Replication - The identity of a genuine node is replicated in this attack. It adds nodes in the ​ network which enable the malicious node to send false messages. It can be used to form the basis of a variety of attacks, such as Sybil. Replication can be done in several different manners, meaning there are multiple mitigation methods. But the main idea is to make sure nodes report location claims that identify their positions and attempt to detect conflicting reports that signal one node in multiple locations. This requires every node to sign and send a location claim to then verify and store the signed location claim of every other node [45] [4, p.238].

30

Sybil - This is a common attack where multiple identities are used to generate and broadcast ​ messages to other vehicles. The vehicles interpret the information as if it is coming from somewhere else, hence misleading them to take the wrong actions and directions which could be beneficial to the attacker. The Sybil attack can be mitigated through several actions - including registration, position verification, efficient radio resource distribution and deployment of a central validation authority [44][4, p. 239].

Replay - Replaying is when a data transmission going through a network is being intercepted and then repeated by an attacker to gain access, without having to authorise or identify themselves. This can cause congestion and also confusion if two messages from the same source are being received with inconsistent information. The solution for hindering this attack comes down to the content in the networks needing security through maintaining fresh secret keys, along with implementing message authentication with timestamps [44][46].

Eavesdropping - This attack is similar to some mentioned attacks where V2X-messages ​ exchanged over the air interfaces are read. It is usually a passive form of attack where communication is listened in on and facilitates in the collection of useful information for vehicle tracking. It is also possible to use eavesdropping to inject fake messages, making it possible to manipulate other users. It is best prevented through the use of pseudonyms and proxies, as well as encryption of data payload [44].

Traffic analysis - Aims to trace the position and path of a vehicle for extraction of private ​ information about the driver, with the intention of using the information in another attack. Mitigation is accomplished through anonymous key sets that change according to driving speed, or an ID-based security mechanism [44].

Message spoofing - Also known as location spoofing, is an attack where a false traffic ​ location is sent to disturb and confuse connected vehicles route formation. Something that could lead to possible dangerous situations in traffic. A solution is to use bit commitment and also a signature-based mechanism with positioning systems that only accept authentic location data [44].

31

Message tampering - In this attack, a genuine message from an authenticated user is ​ captured by a malicious node. In similarity to other attacks, the message is tampered with before being forwarded to the correct destination and can cause different types of problem-prone activities. This attack is best mitigated through data verification mechanisms [4, p. 237] [38].

Wormhole - Two or more attackers form tunnels to transfer data packets and replay them ​ into the network. This attack has a severe impact on wireless networks where routing mechanisms become confused and disrupted when control messages are tunnelled in the wrong direction. There are several different mitigation techniques for wormhole attacks. One of them is the use of packet leashes, which both detect and defend against the attack by letting all nodes confirm their current position and transmission time. Something the receiving node can use to control whether the packet has travelled through a wormhole or not and if so, drops it [47] [4, p. 239].

Denial of Service (DoS) and Distributed Denial of Service (DDoS) - The availability of information can be compromised by increasing latency and power ​ consumption to the network, among other things. This naturally happens with the constant increase of users, which in itself adds strain on the network, but also with certain attacks that can completely shut down a system due to an overload of information. DoS- and DDoS-attacks do exactly this in different ways. One method is to use flooding, where the control channel is intentionally flooded with an exaggerated amount of messages, causing a disruption of services so that they are not available to the connected vehicles. A solution includes the use of digital signatures and certain authentication methods such as symmetric cryptography with delayed key disclosures. Using small lifetime public and private keys with a hash function is another method of defence [38][44].

Jamming - This attack compromises availability and can be used as a form of DoS-attack to ​ interfere with wireless networks. It is a method of disrupting communications using radio signals, creating an interference where transmitted signals can not recover information from

32 the receiving user equipment - causing system degradation. Physical layer frequency hopping and direct sequence spread spectrum are useful mitigation techniques. Credentials that are periodically refreshed are also helpful [44][48][49].

Black hole - The malicious vehicular node uses its routing protocol to advertise itself as ​ having the shortest path to the destination node. So the attacker always has the accessibility of replying to route requests, which means they can adapt the data packet and drop it. This leads to increased latency and prevention of receiving messages in time, resulting in an increase of the affected vehicles response time to incidents. Black hole attacks have several solution possibilities, including cryptography technologies such as symmetric keys, digital signatures and hashing [50][51][4, p. 241].

Gray hole - This attack is similar to the black hole attack but is harder to detect due to ​ changes in its behaviour. It does not only drop packets but occasionally also forwards some of them. This makes it difficult to decide which messages are legitimate and which are malicious [4, p. 241].

Malicious software - Viruses, worms or trojans can be introduced to a vehicular network and ​ cause disruptions in the operations of on-board units and road-side units, resulting in long-lasting outages. Existing mitigation technique is to only permit software and firmware updates that are sent and digitally signed by nodes with the required permission. [52][4, p. 241]

4.4 Examples of Current Industry Practices

While the technology for integrated cellular communication is being developed, some companies opt to instead use the cellular devices carried by most people today. Bas Heutinck from Dynniq estimated roughly 1.7 million users of their apps in the Netherlands. The primary purpose of Dynniq and BeMobile both is to develop and implement connected traffic. This is to reduce the number of accidents and to optimise traffic by providing both road users and administrators with more information. They do this through a connected

33 roadside ITS. The ITS has the topology of an intersection programmed into its firmware and maps the incoming traffic onto that topology.

Dynniq is also a part of a project called Talking Traffic wherein they develop standardised components ranging from traffic light controllers to end-user devices. While the smartphone apps remain the main usage at the moment, there is effort being put into integration of the technology into vehicles. Mostly within transportation companies that drive trucks, but also in emergency vehicles.

The companies develop and implement the technology, but in the end, it is the road administrator that owns the traffic light controllers. The traffic administrator, in this case, being the city or district in charge of the intersections are the ones who control the traffic. They decide who gets priority and they are the ones who benefit from the added traffic statistics that connected traffic offers.

The road users are the other beneficiaries of the technology. Among them are pedestrians, cyclists, drivers - anyone utilising the road. They are offered increased traffic stability, safety, and sometimes priority.

The security of the systems is prioritised by both companies, with how critical the systems can be, an unsecured system could result in accidents and death for the users involved. Road administrators are the ones who have access to the infrastructure and suppliers have access for maintenance purposes. In order to maximise security, the networks of the traffic light controllers remain closed to the public internet and instead only connected to the cloud. If that is not possible for any reason, a VPN is used to make sure it is not publically accessible. Furthermore, the interconnections of all components are secured using TLS certification and regular penetration testing is performed to ensure the security stays up to date.

Stephen Logghe from BeMobile claims it has not been exposed to any known attacks or threats, but they do expect the possibility of fake users being added into the system. This could trick the system into thinking streets that are empty are instead congested. Their solution to this would be to limit these signals to specific on-board units. Both companies

34 claim to be confident in their security and they actively work to limit any attack surfaces that are discovered, as such they’re not worried about any attacks succeeding.

5. DISCUSSION

In the following chapter theory and result is discussed, showcasing thoughts on why cellular communication seems to be the prevailing technology. While DSRC was developed with vehicular communication in mind it has stagnated somewhat over the years, while cellular technology continues to develop. The security issues plaguing connected traffic will look similar regardless of what technology is used. Introducing new flows of information where there previously were none will lead to an inherent increase in risk within those areas. When this is done in areas that are sensitive to interference, the risks become that much greater. The future aims to eliminate human error in traffic in order to reduce the number of accidents that occur and provide everyone with a more stable traffic flow. In order for this to be feasible, the security and reliability of the technology need to be high enough that human intervention is not needed. In addition to the security, the ethical implications of connecting such a major part of our lives are discussed. There is going to have to be strict regulations in order to make sure the technology is not abused by companies looking to profit or governments trying to assert control over its citizens.

5.1 Cellular Communication as The Preferred Technology

The discussion on whether or not to focus vehicular communication on one technology or the other is still ongoing as of writing this project. With 5G on the rise, however, this discussion may be cut short, should 5G deliver what is being promised in terms of speeds, reliability and security.

DSRC had some distinct advantages in availability. The technology was ready and only needed the infrastructure to be installed. This, however, would be a big undertaking costing a lot of money but it was argued that it would be worth it in the long run, that the technology would save lives, that it would save money with reduced costs associated with accidents. A

35 major downside to DSRC, however, is its limitation in how to grow it, how to develop it. So while there was an opportunity to install and use it, no one capitalised on it and the technology stagnated. Meanwhile, cellular technology exploded with the expansion of the mobile industry and the introduction of IoT.

Cellular technologies have the advantage of widespread already existing infrastructure. Regardless of what technology ends up being more prevalent for vehicle communication, cellular technology will be used globally in other forms. If connected traffic uses cellular communication, it would integrate into this existing infrastructure which will continue to evolve.

For a long while, cellular technology did not have a good solution when it came to the actual VANET communication. With the development of C-V2X however, cellular technology again aims to overtake DSRC in that as well. C-V2X is better in most regards, with longer range and higher reliability. It does, however, struggle in supplying the lower latency offered by DSRC, which as mentioned before is critical for safety messages. This is however promised to be a non-issue when 5G becomes the norm.

Regardless of how the VANET communication ends up being handled, cellular technology will most likely have a role to play. The allure of cloud-based processing will probably be too strong to not utilise in some way, and several shortcomings with pure DSRC communication can be solved by using V2N utilising cellular communication.

5.2 Keeping Security as The Main Focus

Balancing the high demands of vehicular communication with adequate security is a challenging task. A task not made easier by the fact that the community is divided on how to handle the technology. Without proper standardisation, the effort of creating security becomes even harder.

36 Connected traffic devices could easily end up in similar pitfalls as IoT technology in that security gets overlooked in favour of performance. As such, there needs to be strict policies and guidelines for how the security of devices should function before they are implemented into the systems. It does not matter that the system as a whole is secure if an unsecured component is installed. This need for thorough security, coupled with the demands the communication has for performance, might lead to difficulties in creating new technology that meet these requirements.

The nature of new connected technology is that there will be more information flowing in areas where there were not earlier. This by itself means that additional attack surfaces will be presenting themselves. Something that can be seen evidenced in Upstream Security’s “Global Automotive Cybersecurity report 2020” [53], wherein they detail an exponential increase in cyberattacks of vehicles.

The contacts talked to both seemed confident in the security of their various technologies, however, they mentioned that it is something they are constantly looking into. This is an important takeaway, with the rapid development of technologies you can never relax your drive to find newer and better security solutions. If you do, you will fall behind. Falling behind in security within many other industries might lead to financial loss. Falling behind in security within vehicular communication can lead to loss of life.

5.3 The Future of Connected Traffic

Connected traffic paves the way for a better future, in regards to multiple features that will aid in safety and security for road users. As of today, a lot of accidents are caused by a wide variety of reasons. Such as drunk or tired drivers, speeding, congestion and more. So with the development of connected traffic communication, multiple features have been developed along with it to counter these serious problems, mentioned earlier in the thesis. It has big opportunities to continue in its growth for further advancement in potential future features that could progress traffic flow - an essential aspect of preventing road incidents. The first steps of this can be seen with the companies contacted, that develop connected traffic solutions.

37

In April 2015, a decision was made at EU-level that now makes it obligatory for all cars being sold in EU-member countries to be implemented with a feature from 1st of April 2018. This feature is a service named eCall. It is an automated emergency call system that will contact an emergency call centre in the situation of an accident and send relevant information of the vehicle's position, direction, model, chassi number and fuel. The eCall technology is supported by cellular communication networks and is proof that cellular communication is already improving safety conditions and saving lives.

In the future, more and more vehicles will become automated and self-driving. Something that is going to remove the human factor in the driving process. This could be both positive and negative concerning how the communications will be handled between vehicles, infrastructure and pedestrians. In case of an attack being performed that would disturb this communication, the resulting outcome is most likely going to vary depending on how the vehicle is being driven.

If a vehicle is self-driving, an incoming message that has been delayed by an attack could lead to the vehicle performing the correct action, but with a delay - thus resulting in an accident. Would this instead be a situation where an actual person is driving the car, no matter of the delayed message, the person has the opportunity to take another action than the one recommended, thus avoiding an accident. On the other hand, if a situation occurs where a fast reflex response is critical in case of an unexpected occurrence in traffic, a self-driving car is most likely going to respond better than a driving human, resulting in the prevention of serious incidents. No matter if driving is completely automated or still has human interaction, the development of smart traffic will still facilitate more secure and safe driving for everyone involved.

5.4 Ethical Aspects of Connecting Traffic

In the discussions with Dynniq, one functionality they offer was presented. The ability for lorry companies who pay a licensing fee to request a priority pass in traffic. This led us to inquire further about the ethics of such a system, a system where one company could control

38 the traffic. It was quickly made clear that the private companies have no such control, that it is the traffic administrator who handles these requests, the question still stands though. While this is the case in the Netherlands, and most likely in any country with stricter regulations, this might not be the case in more lax countries, or it might impose more control over the population in countries with more oppressive governments.

With the connection of another facet of our lives, we open up the potential for additional malicious control. In this example no one is hurt, one company is paying another to use their service. But for someone with a creative mind, there are plenty of worst-case scenarios that spring to mind. An oppressive government could use these systems to exert additional control over its citizens. Less strictly regulated countries might allow private companies to charge individuals for using their vehicles.

5.5 Future work

This thesis describes different technologies and attacks on those at a very basic level, future work could go more in-depth and practical. A purely technical approach could be taken and the different communication technologies could be compared at a deeper level. The attacks mentioned are mostly in theory, no attempts to use them against any of the technologies were made, this could be the basis for another thesis, attempting a form of penetration testing on connected traffic.

39

40 6. CONCLUSION

Connected traffic as a concept is still in a relatively early phase of implementation and as such the benefits and disadvantages are hard to fully determine. The potential of being able to drastically reduce traffic accidents is an enticing promise that might lead you to not think about the potential downsides that might follow. Opening up the automotive industry into a more digital space could allow for attacks that cause the very thing the technology is trying to prevent. Should the security remain the top priority, if the risk of attacks is minimised, this technology will potentially bring about a safer world, one where the high number of traffic accidents is something scoffed at in the history books.

Since the connected traffic technology is moving at a rapid pace, it is not unlikely that self-driving vehicles will take over eventually. So there remains a question of how connected traffic will look in the future and how the used communication technology will be implemented in all elements of it.

Self-driving vehicle technology is something, that in time, might completely erase the human factor. That means, even though the passenger can choose where to go, the vehicle is most likely going to decide which route to take and the method of driving. That is a part of connecting traffic that could cause individuals to feel less in control of their situation. Every single aspect of it will be connected and will, therefore, be exposed to various circumstances, e.g. tracking. Similar to accessing the internet through one's computer where sites are able to see the location of the computer, vehicles’ locations could be disclosed as well.

The state of being constantly connected could lead to the same privacy issues we are starting to see with today's smartphones. Companies and governments being able to potentially track your location, your habits, interests and so on is already an issue many find disturbing. Adding additional layers of connection in other facets of our lives could be risking inviting further control. This might not necessarily be an issue that affects everyone negatively, but for areas of the world with an oppressed populace, this additional connectivity might further add to their oppression.

41

With the high demands these technologies will require of the communication technology, arriving at a joint decision is going to help ease the world into the full coverage needed for it to function at its best. DSRC technology has proven itself to be adequate at the short-range communication needed for V2V communication, but it falls short in several areas. Cellular communication, on the other hand, is constantly improving and is seemingly about to overtake DSRC even in the areas it excels. As such, cellular technology, especially with the introduction of 5G, is looking like the most likely technology to meet the demands connected traffic has.

42 7. REFERENCES

[1] F. Yang, S. Wang, J. Li, Z. Liu and Q. Sun. “An overview of Internet of Vehicles”. IEEE. ​ ​ ​ Communications, vol. 11, no. 10, pp. 1-15, Oct. 2014, [Online] doi: 10.1109/CC.2014.6969789 Accessed 13.03.20

[2] Auto news, “Definition of Connected Car – What is the connected car? ​ Defined”, autoconnectedcar.com, Jul. 2018. [Online]. Accessed 28.03.20 at ​ https://www.autoconnectedcar.com/definition-of-connected-car-what-is-the-connected-car-de fined

[3] Onstar, “Explore Available Safety & Security Services”, Onstar.com, 2020, [Online] ​ ​ Accessed 28.03.20 at https://www.onstar.com/us/en/services/safety-security/ ​

[4] Z. Mahmood, Ed. 2020. “Connected Vehicles In The Internet Of Things”. 1st ed. Springer ​ ​ International Publishing, doi: 10.1007/978-3-030-36167-9

[5] C. Mcshane. “The Origins and Globalization of Traffic Control Signals”. Journal of ​ ​ Urban History, vol. 25 no 3, pp 379–404. March 1999, [Online] doi:

10.1177/009614429902500304 Accessed 28.03.20 ​

[6] L. Zhao et al., "The Performance Comparison of LTE-V2X and IEEE 802.11p" IEEE 87th ​ ​ Vehicular Technology Conference (VTC Spring), Porto, June 2018, pp. 1-5, [Online] doi: 10.1109/VTCSpring.2018.8417813 Accessed 10.03.20

[7] D. Jiang and L. Delgrossi, "IEEE 802.11p: Towards an International Standard for ​ Wireless Access in Vehicular Environments", VTC Spring 2008 - IEEE Vehicular ​ Technology Conference, Singapore, June 2008, pp. 2036-2040. [Online] doi: 10.1109/VETECS.2008.458 Accessed 03.04.20

43 [8] Department of transportation, “Vehicle-to-Infrastructure (V2I) Resources” ​ ​ [Online] Washington DC Accessed 14.04.20 at https://www.its.dot.gov/v2i/ ​

[9] R. Coppola, and M. Morisio, “Connected Car: Technologies, Issues, Future trends”, ​ ACM Computing Surveys, Oct 2016, vol. 49 no. 3, pp. 1-36. [Online] doi: 10.1145/2971482 ​ Accessed 22.04.20

[10] Smart G + D, “A Brief History of Car Connections”, smart.gi-de.com, June 2017, ​ ​ [Online] Accessed 28.03.20 at https://smart.gi-de.com/automotive/a-brief-history-of-car-connections/

[11] P. Kollaikal, S. Ravuri, E. Ruvinsky “Connected Cars”, Sutardja Center for ​ ​ Entrepreneurship & Technology, San Francisco, [online] Accessed 28.03.20 at http://scet.berkeley.edu/wp-content/uploads/ConnCarProjectReport.pdf

[12] Concise Software, “What’s inside your car’s ‘brain’? Car infotainment systems 2019 ​ guide”, concisesoftware.com, July 2019, [Online] Accessed 28.03.20 at ​ https://concisesoftware.com/car-infotainment-system-guide/

[13] Geico, “The Future Of Car Safety”, geico.com, 2020, [Online] Accessed 28.03.20 at ​ ​ https://www.geico.com/living/driving/auto/car-safety-insurance/future-of-car-safety/

[14] The California Air Resources Board, “On-Board Diagnostic II (OBD II) System Fact ​ Sheet”, Sacramento, Sep 2019, [Online] Accessed 28.03.20 at ​ https://ww2.arb.ca.gov/resources/fact-sheets/board-diagnostic-ii-obd-ii-systems-fact-sheet

[15] Infopulse, “Modern car navigation systems and their features”, infopulse.com, Apr ​ ​ 2018, [Online] Accessed 28.03.20 at https://www.infopulse.com/blog/modern-car-navigation-systems-and-their-features/

44 [16] S. Greengard “Deep insecurities: the internet of things shifts technology risk” ​ ​ Communications of the ACM, April 2019 pp. 20-22, [Online] doi: 10.1145/3317675 ​ Accessed 09.03.20

[17] AON, “2019 Cyber Security Risk Report”, aon.com, United Kingdom, Feb 2019, ​ ​ [Online] Accessed 09.03.20 at https://www.aon.com/getmedia/4c27b255-c1d0-412f-b861-34c5cc14e604/Aon_2019-Cyber- Security-Risk-Report.aspx?elqTrackId=2329a269caaf49b890c376d41643540c&elqaid=360& elqat=2

[18] M. Hashem Eiza and Q. Ni, "Driving with Sharks: Rethinking Connected Vehicles with ​ Vehicle Cybersecurity", IEEE Vehicular Technology Magazine, vol. 12, no. 2, pp. 45-51, ​ June 2017. [Online] doi: 10.1109/MVT.2017.2669348 Accessed 13.03.20

[19] M. Millikin, Green Car Congress, “IHS Markit: sales of automotive ECUs to hit $211B ​ in 2030, 5% CAGR”, greencarcongress.com, May 2019, [Online] Accessed 13.03.20 at ​ https://www.greencarcongress.com/2019/05/20190515-ecu.html

[20] A. Greenberg, Wired, “Hackers Remotely Kill a Jeep on the Highway - With Me in It”, ​ ​ wired.com, July 2015, [Online] Accessed 13.03.20 at https://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/

[21] Keen Security Lab, “Experimental Security Assessment of MBW Cars: A Summary ​ Report”, Tencent Technology (Shanghai) Co. Ltd., May 2018, [Online] Accessed 20.03.20 at ​ https://keenlab.tencent.com/en/whitepapers/Experimental_Security_Assessment_of_BMW_C ars_by_KeenLab.pdf

[22] Businesswire “Global and China Telematics Box (T-box) Industry Report 2018 - ​ ResearchAndMarkets.com” businesswire.com, October 2017 [Online] Accessed 20.03.20 at ​ https://www.businesswire.com/news/home/20181009005821/en/Global-China-Telematics-Bo x-T-box-Industry-Report

45

[23] E. Wielinga, ICT, “How do you master vehicle data networking?”, ict.eu, [Online] ​ ​ Accessed 20.03.20 at https://ict.eu/case/central-gateway-modules/ ​

[24] C. Urquhart, X. Bellekens, C. Tachtatzis, R. Atkinson, H. Hindy and A. Seeam, "Cyber-Security Internals of a Skoda Octavia vRS: A Hands on Approach," in IEEE Access, ​ ​ vol. 7, pp. 146057-146069, 2019, [Online] doi: 10.1109/ACCESS.2019.2943837. Accessed 20.03.20

[25] J. Holle, S. Shukla, A. Berthold, M.P. Schneider, C. Wecker, M. Lueke, et al., ESCRYPT, “Security Special 2020”, escrypt.com, 2020, [Online] Accessed 23.04.20 at ​ ​ https://www.escrypt.com/sites/default/files/2019-12/ESCRYPT_Security-Special_2020_EN. pdf

[26] Autosar, “General Information About Autosar”, autosar.org [online] accessed 23.04.20 ​ ​ at https://www.autosar.org/about ​

[27] N. Maslekar, J. Mouzna, M. Boussedjra, H. Labiod, “CATS: An adaptive traffic signal ​ system based on car-to-car communication” in Journal of Network and Computer ​ Applications, vol 36 no 5, September 2013, pp. 1308-1315, [Online] doi:

10.1016/j.jnca.2012.05.011 Accessed 20.03.20 ​

[28] M.M. Dobersek, “An operational comparison of pre-time, semi-actuated, and fully ​ actuated interconnected traffic control signal systems” in Proquest Digital Dissertations, ​ 1998, [Online] ISBN: 978-0-599-11095-3, Accessed 03.04.20

[29] B. Ghena, W. Beyer, A. Hillaker, J. Pevarnek, J.A. Halderman, “Green Lights Forever: ​ Analyzing the Security of Traffic Infrastructure” in WOOT’14: Proceedings of the 8th ​ USENIX conference on Offensive Technologies, Aug 2014, [Online] (no doi), Accessed 03.04.20 at https://jhalderm.com/pub/papers/traffic-woot14.pdf ​

46 [30] W. Zimdahl, "Guidelines and some developments for a new modular driver information system," in 34th IEEE Vehicular Technology Conference, Pittsburgh, Pennsylvania, USA, 1984, pp. 178-182, doi: 10.1109/VTC.1984.1623259. Accessed 03.04.20

[31] D. Eckhoff, B. Halmos and R. German, "Potentials and limitations of Green Light ​ Optimal Speed Advisory systems" in 2013 IEEE Vehicular Networking Conference, Boston, ​ MA, 2013, pp. 103-110, [Online] doi: 10.1109/VNC.2013.6737596. Accessed 03.04.20

[32] R. Jaiswal and K. Verma, "Modified IP passing scheme to check correctness of passed ​ IP in VANET" in 2017 International Conference on Computer, Communications and ​ Electronics (Comptelix), Jaipur, 2017, pp. 464-466, [Online] doi: 10.1109/COMPTELIX.2017.8004014. Accessed 03.04.20

[33] Juniper Networks, “Understanding the Network Terms SSID, BSSID, and ESSID”, ​ ​ juniper.net, Dec 2015, [Online], Accessed 03.04.20 at https://www.juniper.net/documentation/en_US/junos-space-apps/network-director2.0/topics/c oncept/wireless-ssid-bssid-essid.html#jd0e46

[34] A. Papathanassiou and A. Khoryaev, “Cellular V2X as the Essential Enabler of Superior ​ Global Connected Transportation Services” in IEEE 5G Tech Focus, vol. 1, no. 2, June ​ 2017, [Online] (no doi), Accessed 24.04.20 at https://futurenetworks.ieee.org/tech-focus/june-2017/cellular-v2x

[35] T. Nylander, R. Gustafsson, D. McGillivray, H. Sahlin, Ericsson, “Keeping vehicles ​ connected when they cross borders”, ericsson.com, May 2019, [Online], Accessed 04.04.20 ​ at https://www.ericsson.com/en/blog/2019/5/connected-vehicle-cross-border-service-coverage

[36] 5G Automotive Association, “The Case for Cellular V2X for Safety and Cooperative ​ Driving”, 5gaa.org, Oct 2017, [Online] Accessed 24.04.20 at ​ https://5gaa.org/wp-content/uploads/2017/10/5GAA-whitepaper-23-Nov-2016.pdf

47 [37] A. El Essaili, T. Lohmar, T. Nylander, Y. Zang, Ericsson, “Cellular V2X: What can we ​ expect on the road ahead?”, ericsson.com, Oct 2019, [Online], Accessed 03.04.20 at ​ https://www.ericsson.com/en/blog/2019/10/cellular-v2x-the-road-ahead-c-its-adas

[38] A. Ghosal, M. Conti “Security Issues and Challenges in V2X: A Survey” March 2019 ​ ​ [Online] Accessed 06.05.2020 at https://www.researchgate.net/publication/332079712_Security_Issues_and_Challenges_in_V 2X_A_Survey

[39] European Commission “Commission delegated regulation supplementing Directive ​ 2010/40/EU of the European Parliament and of the Council with regard to the deployment and operational use of cooperative intelligent transport Systems” March 2019, [Online] Accessed 28.04.20 at ​ https://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/AUTRES_INSTITUTIONS/C OMM/ADL_1/2019/04-08/COM_ADL201901789_EN.pdf

[40] A. Filippi, K. Moerman, G. Daalderop, P.D. Alexander, F. Schober, W. Pfliegl, NXP , Cohda Wireless, Siemens, “Ready to roll: Why 802.11p beats LTE and 5G ​ for V2X”, 2015, [Online] Accessed 06.05.20 at ​ https://assets.new.siemens.com/siemens/assets/public.1510309207.ab5935c545ee430a949109 21b8ec75f3c17bab6c.its-g5-ready-to-roll-en.pdf

[41] J. Hu, et al., “Link level performance comparison between LTE V2X and DSRC” in ​ ​ Journal of Communications and Information Networks, vol. 2, June 2017, [Online] doi: 10.1007/s41650-017-0022-x, Accessed 06.05.20

[42] 5G Americas, “Cellular V2X Communications Towards 5G”, 5gamericas.org, Mar ​ ​ 2018, [Online], Accessed 06.05.20 at https://www.5gamericas.org/wp-content/uploads/2019/07/2018_5G_Americas_White_Paper_ Cellular_V2X_Communications_Towards_5G__Final_for_Distribution.pdf

48 [43] I. Ivanov, C. Maple, T. Watson and S. Lee, "Cyber security standards and issues in V2X ​ communications for Internet of Vehicles" in Living in the Internet of Things: Cybersecurity of ​ the IoT - 2018, London, 2018, pp. 1-6, doi: 10.1049/cp.2018.0046. Accessed 04.05.20

[44] M. Mujahid, A.S. Ghazanfar, “Survey on existing authentication issues for ​ cellular-assisted V2X communication” in Vehicular Communications, vol. 12, 2018, pp. ​ 50-65, [Online] doi: 10.1016/j.vehcom.2018.01.008, Accessed 30.04.20

[45] N. Meghanathan, B.K. Kaushik, D. Nagamalai “Advances in Networks and ​ Communications ” in First International Conference on Computer Science and Information ​ Technology, Bangalore January 2011, pp.168-171 Accessed 01.05.20

[46] V. Sharma, I. You, N. Guizani, “Security of 5G-V2X: Technologies, Standardization and ​ Research Directions” in ArXiv, May 2019, [Online] (no doi), Accessed 30.04.20 at ​ https://arxiv.org/pdf/1905.09555.pdf

[47] R. Shree, R.A. Khan, “Wormhole Attack in Wireless Sensor Network” in International ​ ​ Journal of Computer Networks and Communications Security, vol. 2, no. 1, pp. 22-26, Jan 2014, [Online] ISSN: 2308-9830, Accessed 04.05.20

[48] S. Vadlamani, B. Eksioglu, H. Medal, A. Nandi, “Jamming attacks on wireless ​ networks: A taxonomic survey” in International Journal of Production Economics vol 172, pp. ​ 76-94, February 2016, [Online] doi: 10.1016/j.ijpe.2015.11.008 Accessed 28.04.20

[49] V. Marojevic, “C-V2X Security Requirements and Procedures: Survey and Research ​ Directions” in ArXiv, July 2018, [Online] (no doi), Accessed 28.04.20 at ​ https://arxiv.org/ftp/arxiv/papers/1807/1807.09338.pdf

[50] E. Fazeldehkordi, I. S. Amiri, O.A. Akanbi, 2016, “Black Hole Attack” in A Study of ​ ​ Black Hole Attack Solutions, p. 7-57, [Online] doi: 10.1016/B978-0-12-805367-6.00002-8

49 [51] S. Gurung and S. Chauhan, "A review of black-hole attack mitigation techniques and its drawbacks in Mobile Ad-hoc Network," in 2017 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET), Chennai, 2017, pp. 2379-2385, [Online] doi: 10.1109/WiSPNET.2017.8300186. Accessed 04.05.20

[52] C. Laurendeau, M. Barbeau, “Threats to Security in DSRC/WAVE” in Springer Lecture ​ ​ Notes in Computer Science, vol 4104. Berlin, 2006, pp 266-279, [Online] doi: 10.1007/11814764_22 Accessed 04.05.20

[53] Upstream Security “Upstream security’s global automotive cybersecurity report 2020” upstream.auto,2020, Accessed 06.05.20

50

51 Appendix A: Interview with BeMobile

Interviewee: Dr Steven Logghe, Chief Traffic Interviewers: Christoffer Krantz and Gabriela Vukota Date: 19.03.20 Location: Digital meeting via Zoom

Note: The interview failed to be recorded and therefore, the questions asked are presented along with notes on Dr Steven Logghe’s answers.

Questions for BeMobile

● How do your traffic lights operate?

● Who is using this technology today? Which countries, cities.. - How many connected traffic lights do you have access to?

● What traffic light providers are you working with?

● Are there any priorities and how are they decided? (who makes way for who)

● Will the street design need to continuously upgrade to work better with connected traffic lights?

● Are there any standards for traffic light interfaces?

● Can anybody gain access to the interface? What is required to gain access?

● How are you working towards making this technology as secure as possible? - Are you protected from common known cyberattacks?

● How do you see the future in connected vehicles and traffic lights? - Do you think that the technology will become more secure or is there a limit where it will only get more dangerous and open up larger attack surfaces?

● Other companies working with this that might be willing to talk to us? (Mentioned InterCor, Citrus, Mobilidata

52 ● Your app flitsmeister, how does it work, what does it communicate with and how?

Notes on Answers

500 traffic lights in the netherlands

Three in belgium

700 ??

Cellular, over 4g

Testing for 5G

Users using application, synced with car

80% users on 4g

Don’t see any hurdles with 4g, low latency, with their own backend

Vehicle sends request to to traffic light, goes through server to light and then back

Human latency needs to be taken into account

Certification not using smartphone, using onboard systems to verify, with authentication and authorization.

They could make it so users could get preferential treatment

Point to point communication

Not worried about security (skräll)

Wifi p standard?

Cellular communication more easy, and established

Netherlands, 5 suppliers

Swarco, dinek, vialys, siemens? Lots of regulations

New standards for loops and vehicle information

Every supplier using same standard to different levels of success

Lots of older traffic lights that are old, hard to implement

53 Need to upgrade hardware, currently closed system with only local detectors

Most difficult part is opening the systems and make sure it’s safe

Need lots of processing power to handle all the gps positions

And traffic signals need to be able to process

5500 traffic signals, ambition to have 800 junctions upgraded.

Road admins, suppliers, med mera decided on a standard

Strategic commité, the standards are published publicly, translated to English to be able to be reused.

Wifi p, etsy g5, changed to cellular

C its, broadcasting local, lots of people wanted it to be standard? Delegated act

The suppliers are all working for road administrators such as cities and so on, the road administrator is the legal owner

Exchange point, t-lex, managed by the national government

Standards for how the data is handled, processes in place for escalation if something happens (Soc? maybe).

They’ve had penetration testing, and third party consultants trying to hack, unsuccessful.

Lots of layers with security

Using smartphone to find communication

Spoofing types

The traffic lights being more connected means better physical security, no physical box to open as before

1,7 million app users in netherlands

Who pays for this? Public service or private?

What will the business model be?

Goal is to have integration in vehicles, apps are just first wave

Car manufacturers need to develop this technology faster to compete with the smartphones

54 Why?

Improve traffic, optimization of traffic, user wants comfortable and safe driving. More information for the driver. Who do you optimize for, the administrator or the user.

For the admin, better detection and means to optimize

The end user, more information and easier drive, fluent traffic

The two can be conflicting

France or Austria

Mail Contact

More answers were needed for the thesis at a later time. Therefore, an email with further questions was sent to Dr Steven Logghe and answers were received shortly after.

1. In our talks we discussed wifi technology vs cellular, and the fact that BeMobile is focused on the cellular side. What would you say specifically is the pros and cons of either technology? Why would you pick one over the other?

In favor of wifi p technology :

● existing market ordening (traffic lights can just add part of hardware, in-car devices also just need additional hardware) => this makes it easy to sell by existing to suppliers to the clients (eg traffic management technology suppliers can upsell wifi p routers, suppliers to automotive can upsell easiliy new wifi p routers there...).

In favor of cellular technology:

● Service provider role is part of the business model : there is one provider responsible for the communication part (including privacy and security). This provider can take ownership of the quality and stability of the service itself (while with wifi-p every one acts uncoordinated at best effort without any guarantee). ● No new hardware necesarry (just connecting existing services), so faster deployment and no chicken-egg business model. The roll out speed will be much faster. ● Always point to point connections, makes it much more easy to install security steps in the chain.

55 ● Smaller privacy risk : data is within private point to point connections and not 'free in the air' ● This can work more agile : you can make updates in the chain. With wifi p you add routers and are stick to them for the next 10 years and you are unable to make a system upgrade.

2. What are security flaws you could think of in either technology and what is being done to correct these flaws in your applications?

● wifiip : it is an open channel, so any one can read or add new messages within this communication channel. I think this is a risk for privacy (any one can read the messages out there). There are currently 'checks' on the messages to see if the messages are valid. But this also causes a risk that anyone can add (even fake) messages. Too much messages can lead to over use of bandwith and so the communication channel becomes 'congested'. There is no legal stick to control and act on this : it is an open channel, so anyone may add messages.

3. Can you think of any specific attacks that's been used on either technology, successful or not?

Not yet. What I expect :

* Fake users added in the system : see eg : https://www.theguardian.com/technology/2020/feb/03/berlin-artist-uses-99-phones-trick-goo gle-maps-traffic-jam-alert => solution to link usage only to on board units (eg for priority ​ requests at a traffic signal, only allow this from specific in car build systems).

* for wifi p as with all other wireless open radio channels : you can scrape the data and re-use it. see also succesfull hack linked to this : https://www.wired.com/story/hackers-steal-tesla-model-s-seconds-key-fob/ => no easy ​ solution possible in my view (you need to add cellular connectivity to all systems to solve this)!

56 * for wifi p : adding messages to overload the communication channel => no solution possible in my view.

4. From the perspective of connected traffic controllers, is there any way you can affect the actual car if you gain access to any of the systems you provide? Traffic light controllers, the app, anywhere inbetween?

At this moment you can affect the driver of the car by giving him advice. If you take into account the position of the driving car within your traffic controllers, than you can incorporate an approaching car much more intelligent than with current road based detectors.

The next step is to connect the information from the connected traffic controller to the car 'engine' itself, but that clearly will take time!

57

58 Appendix B: Interview with Dynniq

Interviewee: Bas Heutinck, Technology manager for Dynniq Interviewers: Christoffer Krantz and Gabriela Vukota Date: 24.03.20 Location: Digital meeting via Zoom

Transcription of Meeting C: Gaby take it away if you want to introduce us!

G: Sure, i'm just going to give you a quick explanation first of what we're doing. As you know we're doing a bachelors and more specifically V2I, vehicle to infrastructure where connected vehicles communicate with connected traffic lights which we know to be a fairly new technology and because of that we want to research the security around cars being able to connect to traffic lights for better traffic optimization and safety. And so our thesis statement is "do the benefits of connected vehicles outweigh the potential security risks". So if you want to start off with presenting who you are and what you do, describe how the connected traffic lights operate in comparison to a traditional traffic light.

B: Yeah sure. Well, my name is Bas Heutnick, manager technology of dynniq mobility in the netherlands. Im responsible for product management, development and delivery of our core traffic portfolio, which means traffic light controllers, ITS applications, cloud services and so on. Going through the entire chain of what you're investigating, so also the vehicle to infrastructure communication. From dynniq we do that in several countries, netherlands is our homebase we've got our head offices over there. We have a large business in the UK, w have some offices in the nordics, in finland, in sweden, in denmark, in poland and some other baltic countries, and we have an office in belgium. We do business through distributors all over the world. We've got a main office in the netherland and we've got the project talking traffic. It's a public project partnership, organised from the ministry of traffic and transportation in the Netherlands and the public project partnership is meant to come up with an architecture for creating standardized components and interfaces from traffic light controllers to user devices in vehicles and other road users. Within that partnership we developed an architecture which starts from the roadside, the traffic light controller, that's just a basic safety functionality that happens on the street, so controlling the signals which state whether you have the right of way or not, red amber and green. On top of that there's the ITS application, the smart software, which optimizes the traffic going past the intersection, the third component on the street is the road side ITS station. It has a topology of the intersection within the software, it maps incoming messages from road users onto the topology of the

59 intersection. This architecture is being rolled out throughout the Netherlands, we hope to have about 1000 intersections equipped with this architecture at the end of the year. About one fifth of the whole install base of TLCs will be equipped with this architecture, and therefore connected to the cloud all traffic light controllers connect to one traffic light exchange so that's one point somewhere in the cloud which connect to all the traffic light controllers and make sure that the data from and to the traffic light controllers is made available to cloud partners who make sure that the data also ends up to the eventual road user. Also adding information from all the datastreams, also making sure that location mapping is being done in the right way and check if its possible or not, all those things are happening in the cloud at the moment and bemobile is one of the parties who is active on that field within the partnership. Of Course because now all the component that i just discussed have a software based communication connection between them. All traffic light controllers have a connection to the cloud and from the cloud there's connections to all the road users. I believe the safety and security of those connection are of the most interest to your thesis at the moment. And of course we've put a lot of thought into that as well. We know what the risks are when you connect traffic light controllers to the cloud environment. And it's very important to make sure it's not misused. That it's safe and secure at all times. The situation that we have in the netherlands is that all traffic light controllers already had a connection with a network. But those networks are all closed networks. So it's not the public internet that you connect the traffic light controller to.It's all seperate networks of the road administrators, if that's not possible a traffic light controller will always be connected through a vpn connection. So you can't connect from the internet. That's still in place, also in this situation where all traffic light controllers are connected to the traffic light exchange. So they're all closed networks but furthermore there's also an extra security layer added into the architecture and that's making use of TLS certificates. All component on the street, the TLC, the its application and the roadside ITS station are all interconnected into each other with TLS certified connections. For each connection between two component you have to have a certificate. Also there needs to be a certificate between the traffic light exchange and the roadside ITS station. In that way, within the architecture we are trying to do every connection as secure as possible. Of Course there is also one step further in security and that is making use of PKI certificates, that's not currently being implemented but is of course also part of the discussion and active in some european research projects where the PKI certificates are investigated, whether we can use them in the traffic light infrastructure.

C: You mentioned that information is stored and processed through a cloud, do you own the cloud, is it your architecture?

B: We have our own cloud, bemobile has their own cloud, there are several cloud providers to deliver cloud solutions for this. They all connect connect to the same traffic light exchange to get information on traffic light controllers

60 C: Do you communicate, is it a close knit communication with other providers to make sure the clouds can work together if they're all sending information to the same place.

B: Not necessarily, it's more that every road user that for example uses an app to communicate, to get information and send from the traffic lights and send information to the traffic lights are connected to one of the clouds and therefore that information is through that specific cloud sent through the traffic light exchange and therefore will not duplicate the information or something like that.

C: One of the more basic questions we have, why? Why connect the traffic lights, what's the purpose, what's the benefits?

B: There are several reasons, first of all to give more information to the road user, maybe not very exciting that you can see how long it takes until it turns green or turns red again, but it can help a bit in smoothening traffic. The best use case at this moment is that you can give priority. For example, we've got an application which facilitates priority for heavy goods vehicles, so very heavy trucks, if you prevent them from having to stop for a traffic light controller. If you prevent that stop that already saves up to a litre of diesel with the accompanying CO2 emission and the comfort of the driver. That also holds for public transport, and for emergency vehicles. The road administrator can giv3e priority for specific modalities, to improve safety or flow. To have more efficient flow on your network. That's one of the benefits, of course the other side is that you have more data available to analyse and to improve your traffic situation, traffic management calculations. Not in real time but to gather data and working through it afterwards

C: With communicating with the user, how do you achieve that, BeMobile has an app, do you go through their app or do you do something on your own?

B: We have our own app, apps*. We've got one for trucks, one for emergency vehicles, we've got one for cyclists one for pedestrians, we've got several apps. It more or less uses the same dataroute. The app connects to the cloud, the cloud processes the data that comes from the app and sends it through to the traffic lights exchange is then through the same cloud sent through the app. We have our app for that, we also do integration of that software into management systems in for example trucks or lorry companies. We try to do onboard integration as well to prevent professional drivers having multiple devices on their dashboard to get the information from.

G: Do all those apps work together, for the pedestrian, emergency vehicles, for the trucks, do they work together to optimize traffic?

61 B: That is also part of that architecture, the ITS application, the software that optimizes traffic on the intersection also takes floating car data that gets in the application through those apps is used to imprimize traffic, does that answer your question?

G: We can see on your site that you offer these multiple services, like FlowNode, ImFlow and GreenFlow...

B: Yes.

G: ... And are those services cooperating with each other, or like with the traffic lights or how does that work?

B: The FlowNode is our traffic light controller. So that's the basic function. ImFlow is our ITS application so that's the optimizer of the traffic locally. And GreenFlow is the service that does the end-to-end automization, so that's delivering the app and all the cloud services to bring the communication from the traffic light controller up to the app user and the other way around.

C: I don't know how much you can answer about this but what's your business model? How does Dynniq earn money? Is it through contracts or...?

B: Yeah, well we earn money by selling our traffic light controllers and by selling our ImFlow applications [Used the wrong term, probably meant FlowNode?]. So that's mostly business to government, so we sell our traffic light controller to, for example a city. They install them on their intersections and that's how we make money. And the same holds for ImFlow, our ITS application. The GreenFlow services, we deliver that as a service. So as for example a truck company, you can buy a license from us for our GreenFlow service. And by using that you can get information on-board from traffic lights that are connected, then you can do priority requests. So based on that, there's a license fee for that. That's the other part of the business model.

C: How do you view the ethics of private companies controlling traffic flow? Seeing as with your application, lorry drivers could get priority.

B: That's always very important to make very clear. It's not us that control traffic, it's also not the lorry driver who controls traffic. It's the road administrator who determines who he wants to give priority or not. So the only thing the app does, is create a priority request. And it's up to the road administrator to determine whether he wants to facilitate the priority or not, and at what times and what conditions. So the only things that we offer, is the technical infrastructure to make it happen.

62 C: A driver who isn't paying the license fee, won't have the option to send a request, correct?

B: Correct. And then you might think, is it then unethical because a lorry company who doesn't have the money to pay for it doesn't get priority? Could be, but of course this license fee is based also that it brings value. So if you use the app and there are enough traffic light controllers connected on the route that you drive, that also means that there is sufficient amounts of stops which are prevented. So you also always earn back your fee based on the less fuel that you use. And that's costly maintenance that you have on your vehicles.

C: The actual process of implementing a connected traffic light. Do you completely remove the old traffic lights, do you modify them or how does it work?

B: Depending on what the customer asks... The architecture has been created since 2017. Now in the Netherlands we've got new requests of traffic light controllers, so renewal when the old one is more than fifty [fifty or fifteen? 20:09] years old. That's often around the time stamp that it needs to be renewed. Then we now deliver connected traffic light controllers, that's actually more or less the de facto standard in the Netherlands nowadays. But when it's specific locations where it's desired to have a connected traffic light controller and the existing traffic light controller is not that old yet, then we also do upgrades. So you adjust the current traffic light controller and make it a connected traffic light controller.

C: Who owns the traffic lights?

B: The road administrator.

C: How would you describe the road administrator? Is it the city in question?

B: Yeah. It's the city or the programs for national authority. So it's the governmental organisation who's responsible for the road infrastructure.

C: Who would be able to modify the data in general with the traffic lights? Either what they're sending, what they're receiving. Who has access to the infrastructure of the traffic lights?

B: Normally that would be the road administrator themselves. We as a supplier can have access also for maintenance purposes. And possibly a third party maintenance company. So if you don't own the traffic light controller itself, that are the options you have for being able to do something in the traffic light controller.

C: Say if someone with malicious intent got access to a physical traffic light, could they harm the system in any way, besides just harming the physical traffic light?

63

B: When they've got the opportunity to get in the traffic light controller, then they could do something that for example puts everything to red. But it's never possible to give green to conflicting directions, because within the traffic light controller it is such that, through hardware and software we've made it impossible to give two conflicting directions green. So creating a hazardous situation by giving green to conflicting directions, it's not possible. Of course when you put everything to red at the same time and that takes long enough, then you know for sure that traffic will start driving through the red light. That of course also gives hazardous situations. But that's more indirect than giving green light to conflicting directions.

G: Do you have any concerns regarding the security and how are you working towards making it as secure as possible?

B: That's always on our mind when we do things, develop things, of course. Things that we put on the street we always look at how it's connected and how secure it is. And we always give also guidelines to the road administrator, how to take care of the connections. And the way we do it and we encounter it, making sure that the traffic light controller is always connected on a local separate network and not on public internet. By the way it's connected to the traffic light exchange and how that's secured, currently I don't see very high risks of people being able to get in the network of a traffic light controller.

G: Do you execute penetration testing?

B: Yeah, on a regular basis.

C: How do you see the future of this technology? What would you want it to look like?

B: How far in the future are you interested in?

C: Let's say five and fifteen years.

B: Within five and fifteen years I foresee that every traffic light controller is connected. That information on traffic light controllers are standard functions in new vehicles. That the road administrator is able to implement policy on who he wants to give priority, to a very detailed level. So not only on group or modality but also on specific road user level, and that all vehicles are standard equipped with these kind of technologies. I even think that fifteen years is a bit too close for that, but maybe in thirty-forty years it could also be that this technology and the traffic light controller technology might even be completely software based. We move towards self-driving vehicles. The infrastructure that we're now building is offering information for these kinds of vehicles to operate also in a (nervi? 28:24) environment, and get the information they need. If you draw the line on how that would look like in the future and then fifteen years is a bit too short of a time frame. But every vehicle and the public

64 clouds on traffic management will be connected in such a way that you could leave the traffic light controller off the street. But every intersection is controlled from the cloud with a virtual traffic light controller, something like that. It's a bit futuristic but I think that's what we're currently setting the first steps to.

C: You mentioned self-driving cars and that was one of my thoughts too, that this is a fairly good foundation for self-driving cars functionality. Do you work with any companies or anything that is developing self-driving cars?

B: No, not at the moment. We've got contact with several OEM’s who are in vehicle manufacturing. Now from our perspective, because there's currently our business model, we're looking into companies who produce trucks. And we try to get our information on board in their on-board computer. But we do not have direct contacts on how this is integrated in self-driving vehicles.

C: Do you have any contact with other car manufacturers, not specifically for trucks?

B: We've had some first contact but that's very premature.

Final words and questions are asked regarding the thesis and the contact between us, and after the meeting ends. ​

65 Gabriela Vukota Bachelor of Science with a major in Digital Forensics Halmstad university

Christoffer Krantz Bachelor of Science with a major in Digital Forensics Halmstad university

PO Box 823, SE-301 18 Halmstad Phone: +35 46 16 71 00 E-mail: [email protected] www.hh.se