Field infrastructure footprint analysis



Download 157.83 Kb.
Page4/7
Date31.01.2017
Size157.83 Kb.
#13664
1   2   3   4   5   6   7

2.4.Security

2.4.1.WWAN Messaging and Security


Gap : Security Standards for Local and Wide Area Networks Are Not Aligned

The system architecture as described for purposes of this project includes local area (e.g., DSRC) and wide area (e.g., cellular) communications channels. In general the SAE J2735 standard defines messages independently from the communications media, so it appears that these messages could be used for either medium. However, the IEEE 1609.2 standard specifically defines the mechanisms used to secure the WAVE/DSRC communications link and to ensure anonymity. This standard includes, among other things, mechanisms for validating the integrity of messages and for encrypting messages. There are currently no standards identified for securing messages sent across wide area networks such as cellular, and these links are inherently non-anonymous. It appears that the 1609.2 approach could be applied to messages sent over a cellular channel, but the standard is not currently oriented toward this application, and it has not been analyzed to determine if it is compatible or appropriate. For example, if a vehicle system signs probe data using anonymous certificates and then sends this data over a non-anonymous link (e.g., cellular) the user’s identity is then bound to the 1609.2 certificate, and anonymity is lost.



Recommendation: Determine what security and assurance standards should be applied to data provided over WWAN.

2.4.2.Field Equipment/Application Certification/Tamper Resistance


Gap : Security Requirements for Field Equipment Are Not Defined

It appears that the requirements for the DSRC terminal elements of field equipment (e.g., RSUs) are limited to FCC licensing, and conformance to the WAVE/DSRC standards. The WAVE DSRC standards simply require that messages sent from an RSU must be signed, either by the RSU or by the message originator. However, since there are no security requirements that apply to the generating application, it is unclear what is actually being certified. Stated differently, lacking any security requirements or performance standards for applications, the certification authority, the certificate simply attests to the fact that the RSU requested and received certificates. It currently says nothing about the integrity of the RSU or the application that generated the message. These requirements may emerge as a result of the certification process, and if applications are developed prior to the development of these requirements, the applications may need to be modified. Similarly, there are no requirements or specified standards for tamper resistance or tamper detection. Without such requirements it may be possible to tamper with an RSU so that it sends improper messages that are signed using the RSU certificates.



Recommendation: Develop physical and application security standards for field equipment.

2.4.3.Vehicle/Application Certification


Gap : Vehicle Certification Does Not Adequately Constrain Terminal Elements

It appears that the requirements for the DSRC terminal elements of field equipment (e.g., RSUs) are limited to FCC licensing, and conformance to the WAVE/DSRC standards. The WAVE DSRC standards simply require that messages sent from an OBU must be signed. However, since there are no security requirements that apply to the generating application, it is unclear what is actually being certified. Stated differently, lacking any security requirements or performance standards for applications, the certification authority, the certificate simply attests to the fact that the OBU requested and received certificates. It currently says nothing about the integrity of the OBU or the application that generated the message. These requirements may emerge as a result of the certification process, and if applications are developed prior to the development of these requirements, the applications may need to be modified. Similarly, there are no requirements or specified standards for tamper resistance or tamper detection. Without such requirements it may be possible to tamper with an OBU so that it sends improper messages that are signed using the OBU certificates. This issue is especially concerning since vehicles engage in peer-to-peer message exchanges (V2V communications), which means it is possible to use the connected vehicle system to deliver malware to the entire national vehicle population in a matter of days. This represents a serious risk with substantial potential negative consequences.



Recommendation: Determine how to link a DSRC terminal element to a vehicle so it will not work outside of the car or in another vehicle without re-certification, and so that the certificates are linked logically to the applications that use the certificates. Include association with vehicle ECUs and positioning technology. Include/develop requirements for tamper resistance that extend to application software.

2.4.4.Retirement/End of Life


Gap : No Method for Destruction of Vehicle Equipment

Currently there is no provision for and no requirements associated with how connected vehicle terminal equipment is to be handled when it is retired. For field equipment this may be handled by the licensing processes or by voluntary revocation of certificates (assuming some administrative mechanism is in place to support this). For vehicles this represents a substantially larger problem. First there are many more vehicles retired every year than RSUs (about 10 M to 15 M vehicles go out of service each year). Second, unlike RSUs, vehicles are not site licensed, so implementing and enforcing any sort of administrative control and retirement processes is problematic. Not only does this make it difficult to revoke every retired unit, but such a revocation level would swamp the certificate revocation list and would overwhelm the OBU (which needs to download, maintain and use the revocation list). Ideally the OBU should be coded to the vehicle at certification, and some provision should be made such that if the OBU is activated in the absence of its host vehicle it erases its certificates and must be re-certified. This type of approach or something of a similar nature will allow for a second-hand parts market, but will avoid the need for keeping track of which units are in service and also will avoid a huge revocation list.



Recommendation: See Gap 13 above.

2.4.5.Revoked Device Management


Gap : Requirements for Revoked Device Behavior

Currently there is no provision for and no requirements associated with how connected vehicle terminal equipment is to behave when its certificates are revoked. If nothing is done the unit will continue to transmit messages that will then be ignored by a receiver that finds that unit’s credentials on the CRL. A more efficient approach would be to have units that determine they are on the CRL or are otherwise misbehaving to remove themselves from service by transitioning to quiet mode where no messages are transmitted. This is not a critical issue, but it would make for a more orderly system and would potentially provide a mechanism for identifying true bad actors, since only bad actors would fail to remove themselves from the system.



Recommendation: Develop a requirement for devices to turn themselves off after certificate revocation.

2.4.6.Bootstrap and Device Certification


Gap : Security Credential Management System Design Is Not Deployment Ready

The current Security Credential Management System (SCMS) includes a variety of inconsistencies and known issues. For example:



  1. There is uncertainty about the scope of pseudonym certificates. One interpretation of the security standard is that certificates are associated with only a single application. However, if this is the case, then each vehicle will be required to support a full set of certificates for each application that requires pseudonym certificates (there are currently five such applications identified in the SAE Message sets). This approach will result in much larger revocation lists and substantially more SCMS activity that currently envisioned. The alternate interpretation is that each pseudonym certificate will include permissions for all applications installed in the vehicle that require anonymity. While this is a simple approach in concept, and it substantially reduces the number of certificates and the size of the revocation list, it carries the added burden that the vehicle system must be re-certified when new software is installed. While this is useful from a platform assurance perspective (See Gap 15), the details of such application related certification have not been worked out.

  2. Related to the above issue, the Safety Pilot SCMS bootstrap process did not include methods to limit the capabilities for certificates requested from devices authorized using a specific bootstrap ID. For the Safety Pilot, a valid bootstrap ID authorized a device to request any certificates that the SCMS was configured to produce.

  3. The Safety Pilot bootstrap ID process was an ad hoc approach meant to overcome a security weakness exposed by the fact that the bootstrap process would not occur via a secure connection to the SCMS. The implications of requiring a secure hardwired interface for bootstrap processing have not been addressed.

  4. The standards that define connected vehicle messages use PSIDs to restrict the messages that can be authorized with a certificate. However, there is no specific process for associating PSIDs with operations and connected vehicle messages – this is a gap related to connected vehicle security management rather than the certificate management system in particular. There are similar gaps that are related directly to the certificate management system.

  5. The SCMS does not include any specific features for managing information about PSIDs. For example, the SCMS does not include a list of valid PSIDs, so cannot verify that the PSIDs in a bootstrap or certificate request are valid. The SCMS does not include features for implementing device-specific restrictions based on PSIDs (as suggested previously).

  6. The number of certificates installed each vehicle and the period of update for these certificates as defined in the current (and rapidly evolving) security design is such that moderate levels of revocation (resulting from moderate levels of misbehavior, faults, and attacks) will produce a significantly large revocation list (50MB to 150 MB). This large list may require excessive data storage, and processing in the vehicles, and itself may present a viable denial of service attack surface (create enough revocations that the system collapses because the CRL is too large).

Counter arguments to these issues include a variety of inconsistencies. For example, one argument is that the level of revocation is likely to be so low that the CRL will never become significantly large. But, if such a low level of revocation were to occur, then there would hardly be any need to revoke any vehicles. In addition if the system has a known limitation like this, then a simple attack is to cause enough revocations that the system is overwhelmed. Others include the extension of the certificate update period to avoid the need for frequent contact with the SCMS (requiring numerous roadside units). However, the system already includes an assumption that the CRL is updated daily, so there is already a requirement for frequent SCMS contact. In addition, extending the update period means that revoked units remain on the CRL for a longer time, causing the CRL to grow, thereby requiring more memory, more processing and longer CRL download times.

There appear to be multiple parties involved in the security system design and the design appears to be in flux as the system is changed to address newly identified issues. It is unclear if this approach is convergent. As noted above, some changes are taken to address issues and these changes invalidate basic system assumptions, or create additional vulnerabilities.



Recommendation: The entire security system should be described in a single definitive document and “frozen” for some period during which problems associated with deployment feasibility, management feasibility, vulnerabilities, etc. are identified by parties other than the designers of the system (so called “white hat” attackers, for example). These vulnerabilities should then be addressed by a second round of design, and the process repeated.

Gap : Misbehavior Reporting and Detection Processes Are Not Sufficiently Defined, and May Not Be Effective

The current implementation of the certificate management system does not include any capabilities related to misbehavior identification other than support methods that allow devices to submit messages to the SCMS for misbehavior report processing. These methods support submission of casual reports (i.e., samples of messages) and suspicious messages. However, the SCMS does not include specific processes for acting on these reports, such as:


  • Processes for reviewing casual reports to identify suspicious behavior.

  • Processes for reviewing reports of suspicious behavior and determining whether the suspicious behavior (identified by the SCMS from casual reports or from device reports of suspicious messages) warrants revocation of certificates.

In fact, the entire process of misbehavior detection with connected vehicle messages is not well understood.

Recommendation: Research is needed on how to identify misbehaving devices before those methods can be implemented in both connected vehicle devices and the certificate management system.



Download 157.83 Kb.

Share with your friends:
1   2   3   4   5   6   7




The database is protected by copyright ©ininet.org 2024
send message

    Main page