
5.3 GNSS Spoofing based Attacks on VANETs

5.3.3 Experimental Evaluation

To evaluate the practical impact of the attacks described in Section 5.3.1, real-world experiments with up-to-date OBU hardware have been performed. The experimental setup is explained in Section 5.3.3.1 and the obtained results are given in Section 5.3.3.2.

5.3.3.1 Test System Setup

To test the feasibility of the attacks outlined in Section 5.3.1, the test setup described in the following is used. The OBU hardware Cohda Mk5 [68] is used as the device under attack. It runs the ETSI ITS conforming VANET protocol stack from the ezCar2X framework. The attacker uses a wireless connection to deliver a malicious GPS signal, which is transmitted by a custom GPS generation and replay unit based on the Universal Software Radio Peripheral (USRP) platform [152]. A second OBU with always correct GPS input is used to send valid CAMs to the attacked OBU.

The following test cases are executed to resemble the identified attack surfaces.

1. A GPS signal holding a faked time stamp is provided to the OBU from the beginning of its operation.

(a) The OBU holds PSCs that are valid at the received (faked) time. It is tested whether the OBU generates and emits messages with a time stamp equal to the faked GPS time stamps. Generation of messages with both past and future time stamps is tested.

(b) The OBU has no access to a PSC which is valid at the received GPS time. It is tested whether the OBU generates any message. This resembles a part of the DOS attack described above.

(c) One GPS signal is provided to the OBU multiple times, and resets of the OBU are conducted before the GPS signal is provided anew. It is tested whether the OBU generates multiple sets of CAMs signed with different PSCs for the same future time span contained in the used GPS signal. This procedure enables an advanced attacker to perform a Sybil attack.

2. The unmodified GPS signal is provided to the OBU after its start-up. It is then replaced with a GPS signal containing a time stamp significantly higher than the one in the first GPS signal, i.e., for the OBU this signal looks like it is coming from the future. Test cases 1a and 1b are run. Furthermore, CAMs with a correct time stamp are sent to the OBU and reception of these valid messages is tested at the facility layer.

3. The test from 2 is run, but after five minutes of receiving the manipulated time stamp, the correct GPS signal is provided to the OBU again. It is tested whether the OBU starts to send messages with correct time stamps again after it receives the valid GPS signal. This resembles part of the DOS attack from Section 5.3.1 and evaluates whether time stamp jumps in any direction are accepted by the OBU.

The results of these test cases are given in Section 5.3.3.2.

5.3.3.2 Test Results

An overview of the results obtained for the test cases from Section 5.3.3.1 is provided in Table 5.1. The results summarized in Table 5.1 show that all attacks providing a manipulated time stamp to the OBU lead to significant security problems. However, the attacker is not able to force a real time stamp jump after the device has already obtained a first GPS fix, i.e., after initial time synchronization was performed. Unfortunately, manipulation of this first time synchronization was always possible.

| test case | observed result | security problem |
|-----------|-----------------|------------------|
| 1a | CAMs with manipulated time stamp generated | reliability and non-repudiation violated |
| 1b | no CAMs generated | DOS weakness |
| 1c | CAMs generated with different PSCs for same future time interval | Sybil attack via replay attack |
| 2 | CAMs generated with fast increasing time stamps until OBU’s internal time is equal to provided GPS time | reliability and non-repudiation violated |
|   | other CAMs accepted until time difference exceeds threshold, afterwards all received CAMs dropped | DOS weakness |
| 3 | at first like for 2 | see above |
|   | CAMs generated with slowly increasing time stamps until OBU’s internal time is correct (again) | reliability and non-repudiation violated |
|   | received CAMs accepted once time difference supersedes threshold, but all received CAMs dropped before | DOS attack successful until OBU’s time is correct (again) |

Table 5.1: Overview of test case results.

After the attacker transmits a GPS signal with a time stamp significantly far in the future, compared to the OBU’s current system time (difference greater than ten minutes), the internal system time increased significantly faster (by a factor of more than two) than during normal operation. Thereby, the OBU’s internal time synchronization mechanism tries to overcome the difference between system time and provided reference time from the spoofed GPS signal.

To analyze the cause of this behavior a custom time logger was run on the OBU during experiments. It was found that the system always starts up with its internal time being equal to the start of Unix time. This is followed by exactly one time stamp jump, which causes the system time to be equal to the time stamp contained in the first obtained GPS fix.

Further system analysis shows that the Cohda Mk5 uses gpsd to handle GPS data from the on-board NEO M8 GPS sensor [306]. Moreover, the ntpd alternative chrony runs on the system to provide time synchronization to GPS time. Furthermore, initial time synchronization is done with the help of a custom start-up script, which listens to the gpsd output (via the gpspipe tool) and performs a hard reset of the system time to the time stamp of the first obtained GPS fix. Afterwards, this script terminates and further time synchronization is left to the combination of chrony and gpsd. Thus, these findings clearly corroborate our experimental findings given before. One should note that the described security issues are not caused by the used ETSI ITS implementation. Instead, they show a design problem of the current security architecture of VANET approaches, e.g., affecting both ETSI ITS and WAVE.