CVAnalyzer: Automated Discovery of Denial-of-Service Vulnerabilities in Connected Vehicle Protocols

Summary

With the development of the emerging Connected Vehicle (CV) technology, vehicles can wirelessly communicate with traffic infrastructure and other vehicles to exchange safety and mobility information in real time. However, this integrated communication capability inevitably increases the attack surface of vehicles, which can be exploited to cause safety hazards on the road. It is therefore highly desirable to systematically understand design-level flaws in the current CV network stack and in CV applications, together with their security and safety consequences, so that these flaws can be discovered and addressed proactively before large-scale deployment.

In this paper, we perform the first rigorous security analysis that automates the discovery of availability (i.e., Denial-of-Service, DoS) vulnerabilities in (1) the latest version of the IEEE 1609 protocol family and (2) Cooperative Adaptive Cruise Control (CACC) applications, i.e., platoon management protocols (PMPs). We formulate the analysis as a model-checking problem and design a novel system, CVAnalyzer, that leverages (1) a general model checker (MC) and (2) a probabilistic model checker (PMC) to automate both attack discovery and attack assessment.

Findings: Denial of Service Attacks

Using CVAnalyzer, we are able to uncover 4 new DoS vulnerabilities in Peer-to-Peer Certificate Distribution (P2PCD), which can block the certificate learning process and thereby prevent the application layer from processing incoming packets, and 15 vulnerabilities (14 of them new) in PMPs, which can block the communication among platoon members. Our quantification results show that exploits of these vulnerabilities can reach success rates as high as 99% and can double the packet-processing delay, which violates the latency requirement of CV communication. In addition, our case studies demonstrate that P2PCD attacks can lead to traffic accidents, and PMP attacks can affect the speed stability of the victim vehicle.

Threat model: We assume that the attacker can compromise On-Board Units (OBUs) on her own vehicles or on others' vehicles, and can send malicious packets to other vehicles through these compromised CV devices. All malicious packets must comply with the protocol specifications. The attacker can also passively eavesdrop on and capture all network traffic within her wireless communication range by putting the wireless adapter into promiscuous mode. Furthermore, we assume that the cryptographic operations used in CV protocols (e.g., signing, verification, and hashing) are secure. The attacker thus cannot forge the digital signatures used for packet authentication, but can use the valid certificates installed in compromised vehicles to sign outgoing packets.

CVAnalyzer

Figure 1: CVAnalyzer overview

CVAnalyzer combines (1) a general model checker (MC) and (2) a probabilistic model checker (PMC) to automate both attack discovery and attack assessment. Neither model checker alone can achieve our analysis goal: MC is well suited to attack discovery, whereas PMC (e.g., PRISM), for tractability reasons, offers limited support for finding vulnerabilities and mainly focuses on quantitative property verification. We therefore use MC to verify availability-related properties and PMC to verify quantitative properties. By verifying these properties, we not only identify potential vulnerabilities but also understand their security consequences.

Analysis Results

We inspect the latest specifications of the CV network protocols and one complex CV application (i.e., CACC). For the former, we focus on newly added CV-specific features (e.g., P2PCD); for the latter, we pick two platoon management protocols (PMPs), VENTOS and PLEXE, which are widely used by researchers, practitioners, and developers. Table 1 summarizes the 4 DoS attacks in P2PCD (Figure 2) and the 15 attacks in PMPs.

Table 1: Summary of attacks found in the CV protocols. (N: CV network protocol, P2PCD. A: CV application, PMP.)

P2PCD Vulnerabilities

CVAnalyzer finds 4 new DoS attacks that can compromise the availability of the CV network. All 4 vulnerabilities lie in P2PCD and prevent victim vehicles from learning unknown certificates (Figure 2). Without the necessary certificates, the victim vehicles cannot verify incoming packets, so the CV network stack cannot deliver data to the application layer. We have reported the P2PCD attacks to the IEEE 1609 Working Group and received their confirmation.

We will introduce two P2PCD attacks here. Readers can refer to our paper for more details about the attack assumptions, steps, underlying reasons, attack assessment, as well as attack validations in a real-world testbed.

Figure 2: Four P2PCD attacks can break the whole pipeline of P2PCD learning process to prevent the CV device from learning/storing the unknown certificate.

Figure 3 illustrates the attack process of two P2PCD attacks, N3 and N4. Vehicle 1 (V1) first sends a trigger secured protocol data unit (SPDU) to surrounding vehicles. N3 exploits the unicast capability and injects a malicious SPDU carrying the same learning request field (i.e., the HashedId3 value of ca1) that Vehicle 2 (V2) intends to send. As a result, V2 observes the malicious learning request and decides not to send its own. V2 hence fails to learn the unknown certificate ca1, because V1 never receives a learning request.

N4 takes this a step further. Because of the request active timer (e.g., reqActiveTimer), V2 still believes that a request is in flight. Therefore, when it receives the next trigger SPDU, V2 chooses not to add the HashedId8 value of the unknown certificate ca1 to its queue and keeps waiting for learning responses.
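The following Python program is an added illustration of the model-checking approach described above and of the N3/N4 behaviour; it is not code from the paper or from CVAnalyzer. It encodes a deliberately simplified state machine of the P2PCD learning pipeline at the victim V2 for a single unknown certificate ca1 (the field and event names are our own, not IEEE 1609.2 identifiers), and runs an explicit-state breadth-first search, standing in for the general model checker, for a state in which V2 is waiting on its request active timer although V1 holds no request to answer. With only honest events the property holds; with the attacker's overheard unicast request added, the search returns the shortest counterexample trace, and replaying a further trigger SPDU on that state shows the N4 suppression.

```python
from collections import deque
from dataclasses import dataclass, replace

# Abstract state of V2 for one unknown certificate ca1 (names are ours, not IEEE 1609.2's).
@dataclass(frozen=True)
class V2State:
    learned: bool = False     # ca1 has been learned and stored
    queued: bool = False      # HashedId8(ca1) sits in V2's learning-request queue
    req_active: bool = False  # request active timer running for HashedId3(ca1)
    pending: bool = False     # V1 actually holds a learning request it will answer

HONEST = ("trigger", "send_request", "observe_honest_request", "timer_expire", "response")
ATTACKER = ("inject_request",)

def step(s, event):
    """Transition relation of the simplified pipeline; None if `event` is not enabled in `s`."""
    if s.learned:
        return None                      # nothing left to do once ca1 is learned
    if event == "trigger":               # V1 sends a trigger SPDU signed with ca1
        if s.req_active:
            return s                     # request believed active: HashedId8 is not re-queued (N4)
        return replace(s, queued=True)
    if event == "send_request":          # V2 sends its own learning request to V1
        if not s.queued:
            return None
        return replace(s, queued=False, req_active=True, pending=True)
    if event == "observe_honest_request":  # another honest vehicle asks V1; V2 overhears, V1 receives
        if not s.queued:
            return None
        return replace(s, queued=False, req_active=True, pending=True)
    if event == "inject_request":        # attacker unicasts a request for HashedId3(ca1) to a
        if not s.queued:                 # third vehicle: V2 overhears and suppresses its own (N3),
            return None                  # but V1 never receives it, so `pending` stays False
        return replace(s, queued=False, req_active=True)
    if event == "timer_expire":
        if not s.req_active:
            return None
        return replace(s, req_active=False)
    if event == "response":              # V1 answers a request it received with ca1
        if not s.pending:
            return None
        return replace(s, learned=True, req_active=False, pending=False)
    raise ValueError(event)

def waiting_in_vain(s):
    """Availability property violation: V2 waits on the timer but nobody will answer."""
    return s.req_active and not s.pending and not s.learned

def find_violation(events, max_depth=8):
    """Explicit-state BFS over the finite model; returns the shortest trace reaching a
    violating state, or None when the property holds on every reachable state."""
    init = V2State()
    seen = {init}
    frontier = deque([(init, ())])
    while frontier:
        s, trace = frontier.popleft()
        if waiting_in_vain(s):
            return trace
        if len(trace) >= max_depth:
            continue
        for ev in events:
            nxt = step(s, ev)
            if nxt is None or nxt in seen:
                continue
            seen.add(nxt)
            frontier.append((nxt, trace + (ev,)))
    return None

def replay(trace):
    """Apply an event trace from the initial state and return the resulting state."""
    s = V2State()
    for ev in trace:
        nxt = step(s, ev)
        if nxt is None:
            raise ValueError(f"{ev} not enabled in {s}")
        s = nxt
    return s

if __name__ == "__main__":
    print("honest model violation:", find_violation(HONEST))
    trace = find_violation(HONEST + ATTACKER)
    print("with attacker, counterexample:", trace)
    stuck = replay(trace)
    print("after next trigger SPDU (N4):", step(stuck, "trigger") == stuck)
```

The property checked here is a safety invariant ("whenever V2's timer is active, V1 holds a request"), which is enough to surface both attacks as a reachable state; the liveness formulation used in the paper additionally needs fairness assumptions on the honest events, which this toy search omits.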

Figure 3: N3 can stop Vehicle 2 (V2) from sending learning requests to Vehicle 1 (V1) by sending a malicious learning request. N4 can stop V2 from recording unknown certificates by sending one or more malicious learning requests.

PMP Vulnerabilities

CVAnalyzer identifies 15 PMP attacks in total. Among the identified vulnerabilities, A1-4 are not directly related to availability but serve as building blocks of other attacks. Although the PMPs analyzed in this paper are academic prototypes, our main contribution is the verification methodology, which can be applied generally to future PMP protocols. Our results demonstrate the necessity of such a systematic verification methodology: using manual effort, a very recent work uncovers 1 vulnerability (A1). In contrast, using CVAnalyzer on the same PMP implementation, we automatically uncover not only that vulnerability but also 14 more (A1-15), which demonstrates substantially improved efficiency and effectiveness.

Case Studies of Identified Attacks

To evaluate the impact of identified attacks, we use a simulator, VENTOS (VEhicular NeTwork Open Simulator), so that we can demonstrate the driving behavior under attacks. We construct two case studies and demonstrate that: (1) P2PCD attacks can lead to traffic accidents, which eliminates the benefits of V2V safety applications (e.g., Forward Collision Warning (FCW)); (2) PMP attacks can affect the speed stability of the victim vehicle.

By design, CV safety applications promise to increase personal safety. However, our experimental results show that all four P2PCD attacks can fully eliminate the benefits of CV applications (e.g., Forward Collision Warning (FCW)), violating their original goal. In our simulation, FCW is never triggered while a P2PCD attack is active, because the attacker prevents victim vehicles from processing BSMs. Thus, a rear-end collision occurs when a leading vehicle decelerates suddenly.

CACC aims to increase traffic throughput and improve traffic flow stability. However, A3 and A4 can interfere with the traffic flow stability, even without sacrificing the attacker's own speed stability, which violates the design goals of CACC. Our results indicate that the attacker can increase the standard deviation of the victim's speed by 43%, further disturbing the following traffic.

Research Paper

[Usenix Security'21] Automated Discovery of Denial-of-Service Vulnerabilities in Connected Vehicle Protocols

Shengtuo Hu, Qi Alfred Chen, Jiachen Sun, Yiheng Feng, Z. Morley Mao, and Henry X. Liu

To appear in the 30th USENIX Security Symposium (USENIX Security'21), Aug 2021 (Acceptance rate TBA)

BibTex for citation:

@inproceedings{sec:2021:hu:cvanalyzer,
  title={{Automated Discovery of Denial-of-Service Vulnerabilities in Connected Vehicle Protocols}},
  author={Shengtuo Hu and Qi Alfred Chen and Jiachen Sun and Yiheng Feng and Zhuoqing Morley Mao and Henry Xianghong Liu},
  booktitle={Proceedings of the 29th USENIX Security Symposium (USENIX Security '21)},
  year={2021}
}


Team

Shengtuo Hu, Ph.D student, EECS, University of Michigan

Qi Alfred Chen, Assistant Professor, CS, University of California, Irvine

Jiachen Sun, Ph.D student, EECS, University of Michigan

Yiheng Feng, Assistant Professor, Civil Engineering, Purdue University

Z. Morley Mao, Professor, EECS, University of Michigan

Henry X. Liu, Professor, CEE & UMTRI, University of Michigan

Acknowledgements