Connected cars that communicate with other vehicles or transport systems to improve safety and traffic flow can easily be tracked, a security researcher has shown.
In an experiment undertaken on the campus of the University of Twente in The Netherlands, two wireless sensing stations were able to pinpoint a target vehicle nearly half the time, according to Jonathan Petit, Principal Scientist at Security Innovation, a software security company.
“You can build a real-time tracking system using off-the-shelf devices with minimum sophistication,” says Petit. In a paper to be presented at the Black Hat Europe security conference in November, he describes being able to place a security vehicle within either the residential or the business zones of the campus with 78 percent accuracy, and even locate it on individual roads 40 percent of the time.
Vehicle to vehicle (V2V) and vehicle to infrastructure (V2I) communications, together known as V2X, promise to make roads smoother and safer in the future by allowing cars to automatically share information about their location, speed and trajectory. The U.S. National Highway Traffic Safety Administration (NHTSA) estimates that if drivers could be warned about possible collisions, half of all crashes, injuries, and fatalities at intersections and during left-turn maneuvers might be avoided. NHTSA is due to rule next year on when and how V2X should be implemented; GM has already announced that the 2017 Cadillac CTS will incorporate the technology.
The system relies on connected cars broadcasting messages ten times a second, using a portion of the Wi-Fi spectrum at 5.9 gigahertz known as 802.11p. Cars within a few hundred meters can receive these messages and use them to build up a picture of the traffic around them. Official roadside receivers might also use data from passing vehicles to monitor congestion, alter traffic light timing or optimize transit.
However, there is nothing to stop anyone else from also tuning in to the messages using a wireless ‘sniffing station’. Data in the messages a vehicle sends is unencrypted, to allow other vehicles to use the speed and position information being broadcast. But while there is no personally identifiable data (such as a license plate) within the message itself, each wireless bulletin is digitally signed to ensure that fake messages can’t be introduced to disrupt traffic or possibly even cause accidents. It is these digital signatures that Petit’s system tracks.
“If I install sniffing stations along the route, I will be able to eavesdrop on all the packets that you send,” says Petit. “However, there is a general misconception that such attacks are only accessible to governmental agencies or large companies with the resources to cover every road junction.”
Petit and colleagues from the University of Twente and University of Ulm installed sniffing stations at just two intersections on Twente’s campus (out of a possible 21), and equipped a security vehicle with a standard V2X transmitter. Over 16 days of normal operation, the vehicle transmitted over 2.7 million messages, of which the sniffers detected just 40,000, or around 3 percent. Even with this relatively minuscule amount of information, Petit was able to locate the vehicle roughly 40 percent of the time, and place it within either zone of the campus with much higher accuracy. “Burglars could wait until all police vehicles are outside of a certain area before attempting a robbery,” he notes.
One solution proposed by NHTSA and European authorities is for vehicles to sign their messages using pseudonyms that automatically change every five minutes. But Petit found that even this was not enough to outfox his system. “Changing pseudonyms every five minutes just leads to a 50 percent increase of the cost for the attacker, meaning they’ll have to install 50 percent more sniffing stations,” he says.
With sniffing stations currently costing around $550 each, that would probably dissuade all but the most deep-pocketed attacker. However, technology only gets cheaper. Petit already believes that sniffing stations could be built from a Raspberry Pi chipset, a Wi-Fi radio, battery, and SIM card to upload the data to the internet. “A real-time tracking system would be really cheap and really small,” says Petit. “I could drop one at an intersection and nobody would notice it.”
Ultimately, says Petit, pseudonyms will help to confuse attackers but might not be able to protect drivers’ privacy completely. Petit is now working with Ford, GM, and other carmakers to develop strategies to help secure connected cars. One interesting finding from his experiment was that a Manhattan-style grid of roads makes it difficult for potential attackers because there are more connections between the intersections. “This raises the idea of privacy-enhancing road networks, where cities are designed with the concept of privacy at their core,” he says.
Mark Harris is an investigative science and technology reporter based in Seattle, with a particular interest in robotics, transportation, green technologies, and medical devices. He’s on Twitter at @meharris and email at mark(at)meharris(dot)com. Email or DM for Signal number for sensitive/encrypted messaging.