Congestion Attack on CV-based Traffic Signal Control
In this work, we perform the first security analysis on the next-generation Connected Vehicle (CV) based transportation systems. As a first step, we target the USDOT sponsored design and implementation of a system called Intelligent Traffic Signal System (I-SIG), which performs one of the most basic urban traffic operations, traffic signal control. Our goal is to identify fundamental security challenges, especially those specific to CV-based traffic control. Thus, we are particularly interested in security problems that are at the signal control algorithm level and are caused by design/implementation choices instead of implementation bugs. The analysis results are expected to serve as a guideline for understanding whether and why the current design/implementation choices in I-SIG are vulnerable, and providing insights on how to fundamentally secure it before large-scale deployment.
The I-SIG System
In I-SIG, real-time vehicle trajectory data transmitted using CV technology are used to intelligently control the duration and sequence of traffic signals. Our analysis uses the latest released version, MMITSS-AZ, developed in the USDOT DMA program. This implementation has been tested at real road intersections in Anthem, AZ, and Palo Alto, CA, and has been shown to achieve a 26.6% reduction in total vehicle delay.
Finding: Congestion Attack
We find that due to several newly-discovered vulnerabilities, even one single attack vehicle can greatly manipulate the intelligent traffic control algorithm in the current I-SIG system and cause severe traffic jams.
Threat model: CV data spoofing. In the attack, we assume that the attacker can compromise her own vehicle or other people’s vehicles (physically, wirelessly, or through malware), and send malicious CV messages with spoofed driving data (e.g., speed and location) to the I-SIG system.
Congestion creation vulnerabilities. Our security analysis finds that the current signal control algorithm design and implementation choices in I-SIG have congestion creation vulnerabilities, which can be exploited to greatly manipulate traffic signal planning decisions and create traffic congestion via CV data spoofing from even a single attack vehicle. We construct concrete exploits for these vulnerabilities and evaluate them using simulation under real-world intersection settings. The results show that these vulnerabilities can be exploited to cause massive congestion and can even cause a blocking effect that jams an entire intersection direction (see video demo below). In the jamming period, the travel time is > 6× higher for half of the passing vehicles, and > 14× higher for 22% of them.
In this short video demo, we show how one single attack vehicle parking nearby can exploit the newly-discovered congestion creation vulnerabilities in the current I-SIG system and cause severe traffic jams.
Experiment configurations in the demo:
I-SIG system version: MMITSS-AZ 1.0 released in OSADP (Open Source Application Development Portal)
Simulation software: PTV VISSIM (a commercial-grade traffic simulation software)
Penetration rate: 75%
Intersection layout: Real-world layout of an intersection near the University of Michigan campus
Traffic flow: We videotaped real-world traffic flows in the intersection for 1 hour and manually counted the passing vehicles as the input to the VISSIM simulation model
Why is creating congestion a serious problem?
As a piece of critical infrastructure, signal control systems have a fundamental impact on the economy and the environment, and thus it is highly important to ensure that such systems are well protected and function correctly and efficiently. This is equally true from the individual's perspective: as estimated by a recent study, traffic jams cost U.S. drivers an average of $1,200 a year in wasted fuel and time. This is exactly the reason why the USDOT is pushing the deployment of CV-based signal control.
What's the incentive for the attacker?
Such an attack can be politically or financially incentivized, e.g., blocking routes to business competitors, like denial-of-service attacks on the Internet. Since one attack vehicle can only attack one intersection, to cause larger-scale damage, attackers can form groups to attack consecutive intersections along arterial roads in an area.
Did you evaluate the attack in real world?
No, we only evaluated the attack in simulation software. Due to budget and ethical concerns, it is not feasible to recruit hundreds of real vehicles at an intersection to test attacks. We did our best to maximize the realism of the evaluation by (1) using the map of a real-world intersection near the University of Michigan campus with its real signal phase configurations, and (2) using real-world traffic demand, obtained by videotaping real-world traffic flows at the intersection for 1 hour and manually counting the passing vehicles as the input to the VISSIM simulation model.
Why is it possible for one single attack vehicle to cause such massive congestion?
Normally it is indeed not possible: the traffic control algorithm in I-SIG optimizes total delay for all vehicles in an intersection, which usually number over 100, so it should be very challenging for the data from a single vehicle to significantly influence the signal planning.
In our paper, the capability of causing the massive congestion is due to two congestion creation vulnerabilities we discovered in our security analysis. One is called "last vehicle advantage", which allows an attacker to determine the traffic signal plan by spoofing as a late arriving vehicle. The other is called "curse of the transition period", which allows an attacker to inject tens of "ghost vehicles" to substantially influence the traffic signal plan. For more details about these two vulnerabilities, please see our research paper.
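To make the "last vehicle advantage" and "ghost vehicle" effects concrete, the following toy model is added for this page; it is not the I-SIG/MMITSS-AZ code or the COP+EVLS algorithm, and its planner rule, queue-estimation rule, green bounds, vehicle spacing and traffic inputs are all assumptions constructed for illustration. The planner extends a phase's green until that phase's last-arriving vehicle is served, so one spoofed late arrival stretches the green and the cross street's delay with it; the transition-period queue estimator assumes the queue reaches from the stop bar to the farthest stopped equipped vehicle, so one spoofed stopped vehicle far upstream makes the estimator fill the gap with unequipped "ghost" vehicles that never existed.

```python
"""Toy model of a per-vehicle signal planner (added illustration, not I-SIG/COP+EVLS code)."""
from dataclasses import dataclass

# Assumed parameters; not the MMITSS-AZ configuration.
MIN_GREEN = 5.0        # seconds
MAX_GREEN = 60.0       # seconds
CLEARANCE = 2.0        # seconds for the last arriving vehicle to clear the stop bar
VEHICLE_SPACING = 7.0  # metres per queued vehicle


@dataclass(frozen=True)
class Vehicle:
    vid: str
    phase: str        # "NS" or "EW"
    distance: float   # metres from the stop bar, as reported in the CV message
    speed: float      # m/s, as reported in the CV message

    @property
    def arrival(self) -> float:
        """Seconds until the vehicle reaches the stop bar (stopped vehicles are already there)."""
        return 0.0 if self.speed == 0.0 else self.distance / self.speed


def plan_green(vehicles, phase):
    """Green time for `phase`: long enough that its last arriving vehicle is served.
    This is the 'last vehicle advantage': one late arrival sets the whole duration."""
    arrivals = [v.arrival for v in vehicles if v.phase == phase]
    if not arrivals:
        return MIN_GREEN
    return min(MAX_GREEN, max(MIN_GREEN, max(arrivals) + CLEARANCE))


def cross_street_delay(vehicles, served_phase, waiting_phase):
    """Total seconds vehicles on waiting_phase wait while served_phase holds the green."""
    green = plan_green(vehicles, served_phase)
    return sum(max(0.0, green - v.arrival) for v in vehicles if v.phase == waiting_phase)


def estimate_queue(vehicles, phase, stopped_speed=0.5):
    """EVLS-style estimate for the transition period: the queue is assumed to reach from the
    stop bar to the farthest stopped equipped vehicle, with unequipped vehicles filling the gap."""
    stopped = [v.distance for v in vehicles if v.phase == phase and v.speed <= stopped_speed]
    if not stopped:
        return 0
    return int(max(stopped) // VEHICLE_SPACING) + 1


def baseline_traffic():
    """Constructed demand: ten approaching vehicles per phase, 20 m apart at 10 m/s."""
    return [Vehicle(f"{ph}{i}", ph, distance=10.0 + 20.0 * i, speed=10.0)
            for ph in ("NS", "EW") for i in range(10)]


def spoofed_late_arrival():
    """One spoofed NS vehicle claiming to be 550 m out at 10 m/s (arrives at 55 s)."""
    return Vehicle("attacker", "NS", distance=550.0, speed=10.0)


def queued_traffic():
    """Constructed queue: three equipped vehicles stopped at the NS stop bar."""
    return [Vehicle(f"q{i}", "NS", distance=VEHICLE_SPACING * i, speed=0.0) for i in range(3)]


def spoofed_stopped_vehicle():
    """One spoofed NS vehicle claiming to be stopped 140 m upstream."""
    return Vehicle("attacker", "NS", distance=140.0, speed=0.0)


def attack_impact():
    """Compare the planner's decisions with and without the single spoofed vehicle."""
    base = baseline_traffic()
    attacked = baseline_traffic() + [spoofed_late_arrival()]
    return {
        "green_baseline": plan_green(base, "NS"),
        "green_attacked": plan_green(attacked, "NS"),
        "ew_delay_baseline": cross_street_delay(base, "NS", "EW"),
        "ew_delay_attacked": cross_street_delay(attacked, "NS", "EW"),
        "queue_baseline": estimate_queue(queued_traffic(), "NS"),
        "queue_attacked": estimate_queue(queued_traffic() + [spoofed_stopped_vehicle()], "NS"),
    }


if __name__ == "__main__":
    for name, value in attack_impact().items():
        print(f"{name}: {value}")
```

With these constructed inputs, one spoofed late arrival moves the NS green from 21 s to 57 s and more than quadruples the waiting time on EW, and one spoofed stopped vehicle turns an estimated queue of 3 into 21; the point is that a planner driven by individual arrival times has no averaging to dilute a single outlier, which is why the real attack needs only one vehicle.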
Is the current signal control algorithm in I-SIG representative?
The current signal control algorithm (COP+EVLS) is chosen by the I-SIG designer, a team of USDOT-selected signal control experts. The design is based on a 2015 paper in Transportation Research Part C, a top journal in transportation research. The current algorithm is chosen because it is very suitable for the CV environment: its input is the arrival time for individual vehicles instead of aggregated traffic information, and thus can best leverage the per-vehicle trajectory data in the CV environment to effectively handle traffic dynamics. To the best of our knowledge, this is the only design in the transportation literature that is fully implemented and tested on real roads. According to the CV Pilot Program website, the I-SIG system is currently under deployment in New York City and Tampa, FL.
How realistic is the threat model, i.e., CV data spoofing?
CV data spoofing can be achieved in at least two ways. First, the attacker may directly compromise On-Board Units (OBUs) by exploiting software vulnerabilities, similar to the compromises of other Electronic Control Units (ECUs) demonstrated before ([Koscher et al., 2010] [Checkoway et al., 2011]). Second, if compromising OBUs is difficult, the attacker can send fabricated CAN messages with spoofed sensor data to the OBUs by compromising other ECUs ([Koscher et al., 2010] [Checkoway et al., 2011] [Cho et al., 2016]). Since the attack model includes malicious vehicle owners who have arbitrary physical access, as long as in-vehicle systems are not vulnerability-free, which has been shown repeatedly ([Koscher et al., 2010] [Checkoway et al., 2011] [Mazloom et al., 2016]), such compromises are always achievable in practice, just like the smartphone jailbreaking/rooting practices today.
Can this attack be prevented by the vehicle certificate system (SCMS) developed by USDOT?
No, it can't. The attack vehicle still uses its true sender identity, i.e., SCMS certificate, so that the sent CV messages are still correctly signed. The attacker only manipulates the driving data sent in these messages, e.g., speed and location, which can be achieved by (1) using the private key if compromising OBU is achievable, or (2) modifying sensor data before reaching OBUs.
How to defend against it?
Since the vulnerabilities are caused by traffic signal control algorithm design/implementation choices instead of implementation bugs, fixing them is non-trivial. We envision three defense solution directions: (1) Robust algorithm design for the transition period, (2) Performance improvement for RSUs, and (3) Data spoofing detection using infrastructure-controlled sensors. Please check out our research paper for more details.
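The following example, added for this page and not SCMS, MMITSS-AZ or I-SIG code, shows the two points above side by side: a message whose driving data is spoofed still passes the certificate/signature check because it is signed with the attack vehicle's own key, and it is only caught by the kind of infrastructure-side check that defense direction (3) calls for. Assumptions: SCMS certificates use ECDSA, but an HMAC key stands in for the OBU's private key so the example runs with the standard library alone; the sensor detections, message fields, time step and thresholds are constructed for illustration.

```python
"""Signed-but-spoofed CV messages and an infrastructure-side plausibility check
(added illustration; not SCMS, MMITSS-AZ or I-SIG code)."""
import hashlib
import hmac
import json
import math

# Assumed key of the attack vehicle's OBU. SCMS uses ECDSA certificates (IEEE 1609.2);
# an HMAC key is a stand-in here so the example runs with the standard library only.
OBU_KEY = b"attack-vehicle-obu-key"

# Constructed detections from a sensor the infrastructure controls (x, y in metres
# relative to the stop bar): the parked attacker ~200 m out and one unrelated vehicle.
SENSOR_DETECTIONS = [(0.0, -198.0), (3.5, -40.0)]


def sign_bsm(payload: dict, key: bytes) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"payload": payload, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_bsm(msg: dict, key: bytes) -> bool:
    """Certificate/signature check: only proves the message came from this OBU,
    not that the driving data inside it is true."""
    body = json.dumps(msg["payload"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg["sig"])


def plausible_against_sensor(msg: dict, detections, max_err_m: float = 5.0) -> bool:
    """Defense direction (3): accept a reported position only if an infrastructure-controlled
    sensor saw a vehicle within max_err_m of it."""
    p = msg["payload"]
    return any(math.hypot(p["x"] - dx, p["y"] - dy) <= max_err_m for dx, dy in detections)


def kinematically_plausible(prev: dict, cur: dict, max_accel: float = 5.0, tol_m: float = 1.0) -> bool:
    """Reject a position jump no real vehicle could make between two consecutive messages."""
    a, b = prev["payload"], cur["payload"]
    dt = b["t"] - a["t"]
    if dt <= 0:
        return False
    moved = math.hypot(b["x"] - a["x"], b["y"] - a["y"])
    reachable = (max(a["speed"], b["speed"]) + max_accel * dt) * dt
    return moved <= reachable + tol_m


def example_messages():
    """Constructed: an honest BSM from the parked attacker, then a spoofed one 0.1 s later
    claiming to be a stopped vehicle at the stop bar. Both are signed with the true OBU key."""
    honest = sign_bsm({"id": "veh-A", "t": 100.0, "x": 0.0, "y": -200.0, "speed": 0.0}, OBU_KEY)
    spoofed = sign_bsm({"id": "veh-A", "t": 100.1, "x": 0.0, "y": -5.0, "speed": 0.0}, OBU_KEY)
    return honest, spoofed


def screen(prev, cur: dict, key: bytes, detections) -> dict:
    """What an RSU would conclude about `cur`; prev is the last message from the same id, or None."""
    return {
        "signature_ok": verify_bsm(cur, key),
        "sensor_ok": plausible_against_sensor(cur, detections),
        "kinematics_ok": prev is None or kinematically_plausible(prev, cur),
    }


if __name__ == "__main__":
    honest, spoofed = example_messages()
    print("honest :", screen(None, honest, OBU_KEY, SENSOR_DETECTIONS))
    print("spoofed:", screen(honest, spoofed, OBU_KEY, SENSOR_DETECTIONS))
```

The spoofed message verifies exactly like the honest one, which is the reason a certificate system cannot stop this attack on its own; the sensor cross-check and the kinematic check both flag it because the reported position is one no vehicle was observed at and one the same sender could not have reached in 0.1 s.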
Qi Alfred Chen, Yucheng Yin, Yiheng Feng, Z. Morley Mao, and Henry X. Liu
Proceedings of the 25th Network and Distributed System Security Symposium (NDSS'18), San Diego, Feb. 2018. (acceptance rate 21.5% = 71/331)
BibTex for citation:
Qi Alfred Chen, Ph.D. Candidate, EECS, University of Michigan (now Assistant Professor, CS, University of California, Irvine)
Yucheng Yin, Undergraduate student, EECS, University of Michigan
Yiheng Feng, Assistant Research Scientist, UMTRI, University of Michigan
Z. Morley Mao, Professor, EECS, University of Michigan
Henry X. Liu, Professor, CEE & UMTRI, University of Michigan