Jan 21, 2021
Qualcomm products mentioned within this post are offered by Qualcomm Technologies, Inc. and/or its subsidiaries.
Many within the automotive industry believe that the widespread use of C-V2X could potentially save thousands of lives and prevent hundreds of thousands of collisions every year. C-V2X also offers automotive manufacturers and road operators a technology that enhances mobility, efficiency, and environmental sustainability. Hence, Qualcomm Technologies takes the secure delivery of C-V2X messages very seriously. (Note: While C-V2X does stand for cellular vehicle-to-everything, when we refer to C-V2X in this blog post, we mean direct, short-range, broadcast communications, with no need for cellular networks.)
With any form of communications technology, there is always the risk of cyberattacks. The success or failure of such attacks, however, often depends on the quality of the communication system’s implementation. C-V2X was created from the start with security and privacy in mind and was consciously designed to make it easy to implement securely. In this blog post we’ll address:
- How the system design encourages sandboxing of C-V2X applications — preventing an attacker from using it to send control messages directly to your car
- How layers of protection prevent bad C-V2X messages from affecting your car’s V2X applications, even within the tightly constrained set of things that can be communicated via C-V2X
- How the system has been designed to preserve your privacy from bad actors by the roadside as well as hackers on the network
There is a continuous back and forth when developing any communications system, particularly for a system like C-V2X that has a direct impact on safety of life. The trade-off is that the more a system can communicate, the more useful it is to the user; at the same time, however, the risk of a bad external actor using that communications capability to attack and exploit the system also grows. Two key technologies that help protect against this kind of attack are sandboxing and authentication.
Sandboxing has a variety of meanings, but for our purposes it means deliberately limiting the types of data that will be accepted. The opposite of a sandboxed system is one that offers remote terminal access, in which an attacker can open a command prompt and subsequently run any command they like on the system. This kind of free-form access makes security design and testing very difficult, as a defender needs to cover all possible ways the attacker might try to get access, while the attacker only needs to find a single avenue of attack.
C-V2X deliberately avoids this kind of “Wild West” approach to what can be sent and accepted. Instead, in V2X, a series of applications are defined and specified in standards published by SAE, ETSI, CCSA, and other organizations. (An “application” here does not mean an app that you might have on your phone – it’s a specific set of messages that can be sent over the air and a specific set of uses that can be made of those messages). Each different application is identified by an Application Identifier – this is called a Provider Service Identifier (PSID) in the U.S. and an Intelligent Transportation Systems Application Identifier (ITS-AID) in the ETSI / ISO systems, but it’s just two different names for the same thing. When a message is sent, it is associated with an AID, and when it is received, it is immediately associated with the application for that AID. Essentially, within the C-V2X system, there is simply no way to send the arbitrary commands that lead to trouble in other systems — each message is for a specific application and will be processed by that application only, preventing spillover to other applications or to other components within the vehicle.
Sandboxing is the first line of defense and key to preventing an attacker from using C-V2X to gain access to wider vehicle systems. You might ask, wouldn’t it be possible for an attacker to do at least some damage by sending carefully crafted false messages within an application? The answer is no, thanks to two technologies that Qualcomm Technologies researchers and standards experts have been central in developing for the C-V2X setting: authentication and misbehavior detection.
Layers of protection: authentication and misbehavior detection
Authentication is widely used, not just in C-V2X, but in communications systems worldwide. You authenticate to a website when you enter your password, you authenticate to your phone with your thumbprint, and you’re used to logging in to your work systems, sometimes using advanced authentication technologies like a smartcard. In the V2X system, authentication has unique challenges and unique solutions:
- Broadcast. The system is a broadcast, ad-hoc networking system. This basically means that anyone could, in principle, talk to anyone, and it’s not realistic to set up a secure relationship in advance with everyone else in the system. Instead, C-V2X uses digital certificates to authenticate the broadcast messages. This is a well-known internet technology, though customized for C-V2X, that allows one party to trust another party’s messages, even if the two parties have never communicated before. The customized certificate and message formats are specified in IEEE 1609.2, the development of which was led by Qualcomm Technologies and serves as the baseline standard for C-V2X security worldwide.
- Identity is not useful. When you authenticate to a website, it can use your identity to look up your account details. In the C-V2X setting, a sender’s identity is too hard to use – there are simply too many identities out there, and they change too rapidly. Instead, sender authentication uses the AID mentioned above, not the sender identity, to indicate what application activities the sender can carry out. This both authenticates the sender and helps sandbox the message. IEEE 1609.2 specifies this approach.
- Constrained channels. Although C-V2X has greater channel capacity than rival technologies, the total bandwidth available for V2X communications is still limited. IEEE 1609.2 uses a special compact form of cryptography called elliptic curve cryptography to keep sizes down.
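The two points above, AID-based sandboxing and certificates that carry permissions rather than identities, combine into a single receive path. The following is an added illustration written for this post, not code from the standards or from any Qualcomm product: the AID values, the certificate and message structures, and the fixed-width payload layout are all constructed placeholders.

```python
import struct
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

# Constructed AID values used only for this illustration; real PSID/ITS-AID
# assignments come from the published registries, not from here.
AID_BASIC_SAFETY = 0x20
AID_SIGNAL_PHASE = 0x82

# Constructed 10-byte payload: int32 lat=10, int32 lon=-5, uint16 speed=1250.
SAMPLE_PAYLOAD = b"\x00\x00\x00\x0a\xff\xff\xff\xfb\x04\xe2"

@dataclass(frozen=True)
class Certificate:
    """A 1609.2-style certificate carries permissions (AIDs), not an identity."""
    digest: str
    permitted_aids: FrozenSet[int]

@dataclass(frozen=True)
class SignedMessage:
    aid: int              # AID the sender attached to the message
    payload: bytes
    cert: Certificate     # signing certificate; signature verification assumed done

def basic_safety_handler(payload: bytes) -> str:
    # Constructed fixed-width layout: int32 lat, int32 lon, uint16 speed (big-endian).
    # Anything that is not exactly these 10 bytes is malformed data, never a command.
    if len(payload) != 10:
        return "basic-safety rejected: malformed payload"
    lat, lon, speed = struct.unpack(">iiH", payload)
    return f"basic-safety ok: lat={lat} lon={lon} speed={speed}"

class Dispatcher:
    """Routes each received message to the one application bound to its AID."""
    def __init__(self) -> None:
        self._handlers: Dict[int, Callable[[bytes], str]] = {}

    def register(self, aid: int, handler: Callable[[bytes], str]) -> None:
        self._handlers[aid] = handler

    def receive(self, msg: SignedMessage) -> str:
        # Permission check: the signing certificate must authorise this AID.
        if msg.aid not in msg.cert.permitted_aids:
            return f"rejected: certificate not authorised for AID 0x{msg.aid:02x}"
        # Sandboxing: only the handler registered for this AID ever sees the bytes.
        handler = self._handlers.get(msg.aid)
        if handler is None:
            return f"dropped: no application registered for AID 0x{msg.aid:02x}"
        return handler(msg.payload)
```

Note that the receiver never consults who the sender is, only which AIDs the certificate permits; a payload that is not a well-formed message for that application is simply discarded by that application.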
Authentication provides assurance to the receiver that the message came from a good sender – i.e., a real car, with working sensors, running a correct instance of the application and not malware. Certification programs to ensure that senders are good are being actively developed and will be mandated in Europe and elsewhere. Certificates will be issued only to good senders, so receivers can trust incoming messages.
Another layer of protection is provided by misbehavior detection, one of several key security technologies that Qualcomm Technologies researchers have been central in developing. Misbehavior detection can be thought of as plausibility checking on steroids — it’s a process of taking every incoming message for an application and asking, “Does this make sense?” If a message doesn’t fit with sensor data, or with other messages from the same sender, or with messages from other senders, it can be rejected. This means that even if an attacker’s goal is limited to misbehavior within the C-V2X system – to send messages that cause a driver to get an alert, annoying them or maybe prompting them to take unnecessary action – they are severely limited in what they can send and hope the receiver will pay attention to. ETSI is currently working on a standard for misbehavior detection and reporting, and a misbehavior detection specification is maintained by the U.S. Security Credential Management Systems (SCMS) Manager. We are an active contributor to both.
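One of the simplest checks of the kind described above compares each new message with the previous one from the same certificate. This is an added illustration for this post, not the ETSI or SCMS Manager specification: the beacon fields, the local coordinate frame in metres, and the speed thresholds are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Dict, List, Optional

MAX_PLAUSIBLE_SPEED_MPS = 70.0   # constructed physical limit (~250 km/h)
SPEED_TOLERANCE_MPS = 5.0        # constructed tolerance: reported vs. implied speed

@dataclass(frozen=True)
class Beacon:
    sender_cert: str   # digest of the certificate the message was signed with
    t: float           # timestamp, seconds
    x: float           # east position, metres, in a constructed local frame
    y: float           # north position, metres
    speed: float       # reported speed, m/s

class PlausibilityChecker:
    """Per-certificate consistency check between consecutive beacons."""
    def __init__(self) -> None:
        self._last: Dict[str, Beacon] = {}

    def check(self, b: Beacon) -> Optional[str]:
        """Return None if plausible, otherwise the reason for rejection.
        A rejected beacon is NOT stored, so it cannot drag the baseline."""
        if b.speed < 0 or b.speed > MAX_PLAUSIBLE_SPEED_MPS:
            return "reported speed out of range"
        prev = self._last.get(b.sender_cert)
        if prev is not None:
            dt = b.t - prev.t
            if dt <= 0:
                return "timestamp not increasing"
            implied = math.hypot(b.x - prev.x, b.y - prev.y) / dt
            if implied > MAX_PLAUSIBLE_SPEED_MPS:
                return f"implied speed {implied:.1f} m/s exceeds physical limit"
            if abs(implied - (b.speed + prev.speed) / 2) > SPEED_TOLERANCE_MPS:
                return "position change inconsistent with reported speed"
        self._last[b.sender_cert] = b
        return None

def evaluate(stream: List[Beacon]) -> List[Optional[str]]:
    checker = PlausibilityChecker()
    return [checker.check(b) for b in stream]

# Constructed stream: a steady 20 m/s car, then a 480 m jump, then a speed lie.
SAMPLE_STREAM = [
    Beacon("cert-A", 0.0, 0.0, 0.0, 20.0),
    Beacon("cert-A", 1.0, 20.0, 0.0, 20.0),
    Beacon("cert-A", 2.0, 500.0, 0.0, 20.0),   # teleport: rejected, not stored
    Beacon("cert-A", 2.0, 40.0, 0.0, 20.0),    # consistent with the last accepted beacon
    Beacon("cert-A", 3.0, 60.0, 0.0, 60.0),    # moved 20 m but claims 60 m/s
]
```

Real receivers layer many more checks on top of this one (comparison with the vehicle's own sensors, with neighbouring senders, and with map data), and feed confirmed rejections into the reporting path the standards describe.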
In principle, it might seem scary that your car is driving around broadcasting its position and movements – couldn’t someone use that to track you, or issue automatic speeding tickets? In fact, the system is designed from the ground up to make violating your privacy difficult.
First, for normal end-user vehicles, the messages simply don’t contain any identifying information. As we noted above, the certificates don’t need to show your identity, they only need to show your permissions. This is a point of strength for the system from a privacy perspective – if receivers don’t need to know your identity to trust your message, we get a huge privacy boost by simply omitting your identity.
Second, although you sign your messages with a certificate, which could be used to track you (because you are the only one who owns that certificate), the system protects you against this kind of tracking by issuing multiple certificates to each car. In the U.S., no rules have been made about how many certificates to issue, but in Europe, the number is 60 to 100 per week. This means that a V2X sender can easily switch from one certificate to another as they go from one place to another, meaning that a tracker can only track them if the tracker is physically following the sender.
Finally, you might be thinking that the certificate issuer (a Certificate Authority or CA) is a point of violation of privacy, as the certificate issuer knows which certificates have been sent to which vehicle. This would allow an insider at the CA to track you – the “crazy ex” scenario – or, worse, if there was a database breach at the CA, it would allow anyone with access to the database to track everyone who received certificates from that particular CA. Again, the system design anticipates this – the certificate issuance uses multiple separated organizations and smartly spreads the issuance information between them so there is no single database that can be breached and allow tracking.
C-V2X was built from the start with security and privacy in mind
This has been a very quick overview of a very complicated topic. It’s true that adding any access point to a system brings additional security considerations, and this is as true of C-V2X as of any other access point. However, unlike almost every other system (the cellular system itself being an honorable exception), C-V2X has had security considered from the very start of the process. The C-V2X system designers are security-conscious, and the implementers take security into consideration at every step of the way. Because of these critical factors, we believe the C-V2X system, as designed, to be secure.