A Survey on Security Attacks and Defense Techniques for Connected and Autonomous Vehicles

In this section, we discuss the CAV components whose vulnerabilities have been found in the literature and provide a high-level overview of the attack models.

In this section, We attempt to organize the defense techniques into categories that have certain patterns. Some defense categories are generally effective against certain types of attacks, but we suggest that readers study defense techniques for attacks on a case-by-case basis. For example, attacks that prevent sensors from receiving legitimate signals can usually be mitigated by the abundance of information, through planting multiple sensors or through acquiring additional information from V2V or v2I connections, but this does not hold for the case of GPS jamming (section III-F-Attack Model 2).

The categories for defense techniques are as follows.

• •

  Anomaly-based Intrusion Detection System (IDS) is a method that is designed to detect unauthorized access or counterfeit data. IDS methods generally look to detect abnormal data from the signals or side-channel information. For example, Cho et al. (2016) [75] proposed Clock-based IDS (CIDS), which measures the clock skew of ECUs (the phenomenon in which the clock signal arrives at different ECU at slightly different times) and uses this information to fingerprint the ECUs. The fingerprints are then used to detect intrusions by checking for any abnormal shifts in the clock skews. IDS methods are generally applicable in attack models that rely on sending counterfeit signals, such as CAN attacks (section III-B), LiDAR spoofing (section III-D-Attack Model 1), radar spoofing (section III-E-Attack Model 1), and GPS spoofing (section III-F-Attack Model 1). However, they are not effective to defend against adversarial image attacks on cameras (section III-G-Attack Model 2).

• •

  The abundance of information can be achieved by getting information from other CAVs and infrastructures or by setting up abundant information within a CAV. This is good not only for defending against cyberattacks but also for increasing confidence in autonomous driving. This category of defense strategy is generally effective against Denial-of-Service type of attacks, such as LiDAR jamming (section III-D-Attack Model 2), radar jamming (section III-D-Attack Model 2), and camera blinding (section III-G-Attack Model 1). For example, by using multiple LiDAR sensors with different wavelengths, a CAV is protected from attackers who send high-power light beams to blind LiDAR sensors. However, this method is not effective against GPS jamming (section III-F-Attack Model 2). A major drawback of this defense category is that placing abundant components on CAVs is expensive.

• •

  Encryption methods can be applied to defend against attacks that abuse components that lack authentication methods, such as CANs and signals for sensors. Many encryption methods have been published to secure CAN and sensor signals, such as those in [76, 77, 78, 79] (they will be discussed in detail in section III). However, an encryption method is not applicable for GPS receivers because it is too expensive to modify the satellites so that they can send encrypted radio signals. This makes defending against GPS jamming attacks a difficult task (section III-F-Attack Model 2).

Some defense techniques are unique and do not fall into any of these categories, which is why we suggest that readers study defense techniques on a case-by-case basis.

Attack Model 1 - malicious OBD devices: The OBD port is an open gateway for many attacks to other CAV components because the port usually does not encrypt data or control access. Since the OBD port itself has no capability of remote connection, attackers would need physical access to the OBD port to perform these attacks. Some devices that are plugged into the OBD port can transfer data to a computer through wired or wireless connections. Some of these devices were made by car manufacturers for diagnostic purposes and firmware updates. Some examples of these devices are Honda’s HDS, Toyota’s TIS, Nissan’s Consult 3, and Ford’s VCM [33]. Some other devices are developed by third-party companies to connect vehicles to smartphones (i.e. self-diagnostic purpose), such as Telia Sense [80] and AutoPi [81]. Studies have been done to assess the feasibility of using these third-party devices to perform a meaningful attack. Marstorp and Lindström (2017) [82] found that Telia Sense is a well secured system whereas Christensen and Dannberg (2019) [83] successfully performed a man-in-the-middle attack, where they intercepted data to and from the AutoPi Cloud interface. After gaining access to the OBD port, attackers can interrogate information about the CAV, controlling key components (such as warning light [84], windows lift, airbag control system, horn [34]), and injecting codes to ECUs [85]. Koscher et al. (2011) [34] successfully performed one such attack on a running vehicle by using a self-written program named CARSHARK to compromise many components on the vehicle. In [86], it was shown that if attackers can trick drivers into downloading a malicious self-diagnostic application on their smartphones, attackers can transmit an ECU-controlling data frame through the OBD device to the vehicle’s ECUs.

Criteria for Defense Strategies: Defense may take place at the OBD level, or at CAN and ECUs level. Criteria for defense strategies at CAN and ECUs are discussed in their respective subsections (III-B and III-C). Here, we discuss the criteria for securing the OBD port. Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Authenticity of OBD devices: before being granted access to a CAV’s data, OBD devices must come from a trusted manufacturer

• •

  Integrity of OBD devices: they must be provable that they have not been compromised or corrupted after their creation.

• •

  Privacy of OBD devices: any information gained from the OBD port is intelligible only to the device’s intended party.

• •

  The authentication process of OBD devices should be efficient to not cause significant delay to users.

Existing Defense Strategies: Unfortunately, we have not found any significant method in the literature to secure the OBD port and to detect malicious devices. However, defense strategies for CAN and ECUs are abundant. Defense strategies to detect abnormal activities from OBD ports can be implemented in CANs and ECUs and are described in their respective subsections. Fowler et al. (2017) [87] proposed using hardware-in-the-loop (HIL) equipment to collect and simulate data on attacks through an OBD port. The HIL technique is not a defense layer on OBD ports but provide a virtual environment for further testing attack and defense mechanisms for the OBD port.

Challenges for defending against this attack model: Because OBD ports are commonly used by car manufacturers for diagnostics and firmware updates, and by other companies for data collection purposes, it is difficult to distinguish legitimate from malicious OBD devices. No study has proposed putting a layer of defense in the OBD port and this remains a challenging problem.

Attack Model 1 - CAN access through OBD: Since CAN protocols generally do not support encrypting messages for authentication and confidentiality [88], attackers can perform three types of attack as follows.

• •

  Eavesdrop: CAN messages can be observed from the OBD port [88].

• •

  Replay attack and unauthorized data transmission [76]: Once attackers have observed all messages transmitted on the CAN bus, they can easily impersonate an ECU and transmit counterfeit messages through OBD ports.

• •

  Denial of Service attack [88]. Attackers can send many messages with high priority through OBD ports and prevent CAN from processing other messages on the CAN bus.

It is important to note that all of these attacks require physical access to the OBD port.

Criteria for Defense Strategies against Attack Model 1: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Confidentiality/privacy of CAN messages: CAN messages should be readable by only the intended receiving ECUs. A message sent through CAN is received by all ECUs connected to that CAN and each ECU decides whether to use it by checking the identifier of the message [89]. This may allow attackers to conclude private information such as driving behavior or the state of the vehicle.

• •

  Authenticity of CAN messages: CAN messages should only be sent from verified ECUs connect to that CAN to prevent unauthorized data transmission and Denial of Service attacks.

• •

  Low requirement for computing resources: the authentication and verification process of CAN messages should be done efficiently to ensure real-time performance of the entire CAV system.

Existing Defense Strategies against Attack Model 1: Wolf et al. (2006) [90] proposed a secure CAN protocol that achieved authenticity and confidentiality by using Symmetric Key Encryption and Public Key Encryption. Lin et al. (2012) [76] and Nilsson et al. (2008) [91] also proposed to achieve authenticity by using the Message Authentication Code (MAC) method. Herrewege et al. (2011) [78] proposed an authentication protocol named CANAuth, which also uses MAC for authentication but utilizes an out-of-band channel to send more authentication data in a real-time environment. Even with the out-of-band channel, Herrewege et al. acknowledge that public-key cryptography is not viable due to its large key size requirement. Matsumoto et al (2012). [88] criticized that the aforementioned cryptographic methods suffer from key management issues (e.g. leakage of secret keys) and may not be fast enough to achieve real-time response in a moving vehicle. Halabi and Artail (2018) [79] aimed to solve these problems by proposing lightweight symmetrical encryption where the keys are generated based on a CAN frame’s payload and the previous key.

IDS-based defense techniques are popular. Müter et al. (2011) [92] proposed calculating the entropy of a CAN bus during normal activities; significant deviations in entropy are then used to detect attacks. Similarly, Miller et al. (2014) [18] proposed using a small device that connects to the OBD port, collects traffic data, and detects abnormal traffic patterns with machine learning. When the device detects an attack, it stops the circuit on the CAN bus and disables all CAN messages. Matsumoto et al. (2012) [88] proposed a solution where all ECUs attempt to detect unauthorized messages by monitoring all messages being transmitted on the CAN bus. For each ECU, a flag is implemented within the CAN controller that would indicate whether the ECU is trying to send a message. Then, the timing of the flag being switched is measured to detect unauthorized messages. Shin and Cho (2017) [93, 75] proposed a similar method, where they measured the intervals of periodic CAN messages and used these measurements to detect abnormal messages. Gmiden et al. (2016) [94] criticized that Matsumoto’s method requires modifications to each ECU and thus is an expensive solution. Gmiden et al. then proposed an IDS that checks the identity of each ECU that send CAN messages and calculates the time since the last message from the same ECU was observed. If the new time interval is significantly shorter than the previous time intervals from the same CAN ID, an alert of attack is raised. Tyree et al. (2018) [95] proposed an IDS that uses the correlations between ECU messages to estimate the state of the vehicle. A sudden change to an ECU’s messages would raise an alert that the ECU is compromised. If an attacker successfully compromises many ECUs, the sudden change in the state of the vehicle is used to detect the attack. Many more types of IDS for CAN can be found in Tomlinson’s survey paper about this topic [22]. Siddiqui et al. (2017) [96] proposed a hardware-based framework that implements mutual authentication and encryption over the CAN Bus.

Challenges for defending against Attack Model 1: Requirements for a good defense method against Attack Model 1 are real-time response, accuracy, and low degree of modification needed on the vehicle. Even though many defense mechanisms have been proposed in the literature [22], there also exist criticisms to most of them as discussed in the previous two paragraphs. It is difficult to determine the best defense strategies to implement in an operating CAV. Therefore, there is a need for comparative studies that are performed on moving vehicles to serve as recommendations for CAV manufacturers. In addition, CAN standards may carry legacy and thus may not have the capacity to accommodate the computing demand and communication constraints to these innovative solutions.

Attack Model 2 - CAN access from telematics ECUs: One may attack a CAN by compromising a member ECU first. Some ECUs could be compromised without access to the CAN because they have other access points through connection mechanisms such as Bluetooth and cellular networking. The compromised ECU can then send authenticated messages that can bypass the cryptographic and IDS-based defense mechanisms discussed in Attack Model 1. More details about how telematics ECUs are compromised and studies that have implemented this attack model are presented in subsection C.

Criteria for Defense Strategies against Attack Model 2: Defense strategies may be implemented on the CAN to detect abnormal ECU behaviors, or may be implemented on telematics ECUs to prevent compromise. Here, we discuss the second approach and leave the first approach for section III-C. The criteria for a defense strategy to be implemented on CAN are:

• •

  Enforce integrity of messages sent through CAN under the possibility that a connected ECU is compromised (and thus any authenticity test is invalid).

• •

  Efficient verification process to not interrupt system-wide service.

Existing Defense Strategies against Attack Model 2 When attackers have successfully compromised an ECU, they may be able to send encrypted and authenticated messages through the CAN. Therefore, cryptographic methods discussed in Attack Model 1 such as Symmetric Key Encryption, Public Key Encryption, and MAC may not be able to detect the attack. Some IDS-based defense techniques would not be useful either. For example, Matsumoto’s method [88] and Gmiden’s method [94] may not work because messages being sent from the compromised ECU would not create any timing abnormality. Other IDS-based approaches, such as Müter’s [92], Miller’s [18], and Tyree’s [95], may work because they attempt to model the traffic patterns and state of the vehicles, thus we speculate that they may acquire essential information to detect abnormal messages from the compromised ECU. A probably better strategy of defense is to secure the telematics ECUs. Securing telematics ECUs are discussed in the next subsection about ECUs.

Challenges for defending against Attack Model 2: As previously discussed, there are two approaches to defend against Attack Model 2: securing telematics ECUs [77, 97] and using IDS-based algorithms to detect abnormal traffic patterns from the compromised telematics ECUs [92, 18, 95]. Implementing both approaches in a CAV would increase the security against this attack model. However, it is still unclear how effective these approaches will be and how difficult they are to be implemented.

Attack Model 1 - ECU access through CAN: Attackers compromise ECUs through their access to CAN. As previously discussed, after gaining access to CAN through the OBD port or telematics ECUs, attackers may compromise other ECUs on the CAN. Examples of attack techniques are falsifying input data [34], code injection and reprogramming ECUs [98, 89].

Existing Defense Strategies against Attack Model 1: have been discussed in sections regarding OBD and CAN (III-A and III-B).

Attack Model 2 - ECU access through connection mechanisms: Attackers compromise a telematics ECUs through their connection mechanisms. We have found two examples of this attack model in the literature. First, Checkoway et al. (2011) [33] were able to get remote code executions on a telematics unit of a vehicle through Bluetooth and long-range wireless connection (chapters 4.3 and 4.4 on the cited paper, respectively). The authors achieved this result by extracting the ECUs’ firmware and using disassembly (a computer program that decompiles machine code into assembly language) to reverse-engineer the code. After assessing the firmware of the ECU that is responsible for Bluetooth connections, the authors hypothesized that if attackers can pair their smartphones with the Bluetooth ECU, they can compromise the ECU by sending malicious code through their smartphones. For example, after re-engineering the operating system of the ECU that is responsible for handling Bluetooth connections, Checkoway et al. found over 20 insecure calls to strcpy, one of which would allow them to copy data to the stack and thus to execute any code on the ECU. Second, Nilsson et al. (2008) [77] described another pathway for attacking telematics ECUs as follows. Many CAV manufacturers are performing firmware updates over the air (FOTA) for ECUs [99]. The FOTA process works as follows. The firmware is first downloaded over a wireless network connection to a trusted station, then transferred to the vehicle, and finally transferred to the ECUs. The firmware transferring process can be secured by using protocols described in [46, 100], but the installation process is not secured. Therefore, the downloaded firmware is vulnerable to susceptible to adversarial modification by a time-of-check-to-time-of-use attack (TOCTTOU), as described in [101]. The TOCTTOU attack works as follows. Given the benign firmware update File B that is expected by the check-install code. The attacker also prepares malicious File M and constructs a storage device that can observe the read requests to File B. For the first access to File B, the mass storage device serves the legitimate File B. This first access is likely to serve the purpose of calculating and comparing the cryptographic hashes. After the verification process succeeds, the storage device serves the malicious File M for the installation phase. The attack succeeds if the check code verifies the benign file File B and then install the malicious File M for the ECU’s firmware update.

Criteria for Defense Strategies against Attack Model 2: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Robust code on ECUs’ firmware to avoid code injection.

• •

  Restrict access to connect to telematics ECUs, i.e., only accept connections from trusted and authenticated sources.

• •

  Robust firmware update protocols for ECUs that assure integrity and authenticity of the firmware updates.

Existing Defense Strategies against Attack Model 2: Checkoway et al. [33] did not discuss specific defense strategy against their attack model through Bluetooth and wireless connection, but did mention that robust code and firmware update protocols for ECUs are necessary. Seshadri et al. (2006) [97] and Nilsson et al. (2008) [77] proposed a protocol to secure the ECUs’ FOTA. In [77], the secure protocol can be summarized as follows. First, the trusted station generates a random value and combines it with fragments of the firmware update to create a chain. The chain is then hashed repeatedly and the final hash value serves as the verification code. Next, the firmware, the random value, and the verification code are transferred to the vehicle over a secure channel and the hashing process is performed again to validate the integrity of the firmware. In [97], the authors proposed Indisputable Code Execution (ICE), which is a protocol to securely execute codes on a network node from a trusted station. ICE consists of three steps: checking the integrity of the firmware update code, setting up an environment in which once the firmware update is executed, no other code is allowed to be executed, and executing the firmware update within the safe environment.

Challenges for defending against Attack Model 2: We have not found any study that implements the frameworks described in [77] and [97] to secure FOTA. A study to validate these frameworks in a realistic CAV environment is still needed as these publications only presented theoretical frameworks.

Attack Model 1 - LiDAR spoofing: An attacker can record legitimate signals sent from a LiDAR sensor and relay the signals to another LiDAR sensor of the same CAV to make real objects appear closer or further than their actual locations. Another variation of this attack model is when an attacker creates counterfeit signals that represent an object and inject the counterfeit signals into a LiDAR sensor. Both of these variations have been successfully demonstrated by Petit et al. (2015) [36] at a low financial cost. The authors performed the spoofing attack as follows. The attacker uses two transceivers B and C. The output of B is a voltage signal that corresponds to the intensity of the pulse sent by the LiDAR device being attacked. The output of B is sent to C, which in turn emits a pulse to the LiDAR device. The total cost of these two transceivers was 49.9 US Dollars! Despite the low cost, the authors managed to make the vehicle’s ECU (one that receives input from a LiDAR sensor) think that it is approaching a large object and initiate emergency brake. The second attack variation was more difficult to perform, as it requires the attacker to send the counterfeit signals within a small window after a LiDAR sensor sends its signal. Shin et al. (2017) [102] performed this attack variation on a stand-alone LiDAR sensor, Velodyne’s VLP-16. Cao et al. (2019) [38] concluded from their experiments that the machine learning-based object detection process made it difficult to perform a LiDAR spoofing attack. Nevertheless, the authors formulated an optimization model for the process of generating counterfeit inputs. They performed a case study on the Baidu Apollo’s software module and was able to force an emergency brake, reducing the vehicle’s speeding from 43 km/h to 0 in a second. The authors claimed that their attack model can have a success rate of 75%.

Criteria for Defense Strategies against Attack Model 1: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Low cost: A trivial solution for defending against this attack model is to have redundant LiDAR devices on the vehicle to make it more difficult for attackers to spoof all devices simultaneously. However, the cost for this solution is proportional to the number of redundant LiDAR devices and thus this solution may not be appealing for manufacturers.

• •

  High immediacy: The solution should not take too long to detect a spoofing attack. This also implies that the solution should be computationally efficient.

• •

  Signal filter: a solution that can detect spoofing attacks may be sufficient, but a solution that can filter out legitimate signals among adversarial signals would be even more appealing.

Existing Defense Strategies against Attack Model 1: Shin et al. [102] proposed a few defense strategies such as using multiple sensors having overlapping views, reducing the signal-receiving angle, transmitting pulses in random directions, and randomizing the pulses’ waveforms. Nevertheless, the authors also pointed out that these defense strategies do not match all the aforementioned criteria. Using multiple sensors is expensive. Reducing the signal-receiving angle is also expensive because it requires more LiDAR devices to cover the entire space around the vehicle. Transmitting pulses in random directions is feasible and inexpensive, but does not have good immediacy because the LiDAR device would have to send many unused pulses. Randomizing the pulses’ waveforms and rejecting pulses different from the transmitted one is probably the most appealing solution thanks to its low cost and high immediacy. Approaches of this type have also been studied intensively and applied for military radars [103]. In a 2016 study on LiDAR spoofing on Unmanned Aerial Vehicle (UAV), Davidson et al. (2016) [104] proposed using LiDAR data in previous frames to formulate a momentum model that aims to detect adversarial inputs. The model utilizes the random sample consensus (RANSAC) method and works as follows. Let $v_{diff}=(dx_{1},dy_{1}),(dx_{2},dy_{2}),...$ be the vector of motion that contain features from LiDAR object detection. RANSAC randomly samples k features and forms a hypothesis for each of them. The hypothesis $h_{j}$ for vector $(dx_{j},dy_{j})$ is the ground truth motion for vector $(dx_{j},dy_{j})$. Then, we let all other features vote for each of these k hypotheses. For a feature motion $(dx_{j},dy_{j})$ to vote for a hypothesis $h_{j}$, the two motion vectors need to be similar such that $|(dx_{i}-dx_{j},dy_{i}-dy_{j})|_{1}<threshold$. The RANSAC method performs many realizations of this process and then picks the hypothesis with the highest vote to be the final hypothesis for the frame, and the corresponding features to be the ground truth of the frame. The shortcoming of this solution, which the authors also acknowledged in the paper, is that it would take some time to build up the weights for the model and would require high computational power. Thus, the solution is not immediate. In 2018, Matsumura et al. [105] proposed a mitigation technique that embeds the authentication data onto the light wave itself. The fingerprinting is obtained by modulating LiDAR’s laser light with information from a cryptographic device, such as an AES encryption circuit. This defense strategy is interesting because it is cost-effective to implement and the authors claimed that attackers cannot make a distance-decreasing attack larger than 30 cm. It is important to note that Cao’s study (2019) [38] on an attack model was published after Matsumura’s defense strategy (2018) [105] but did not discuss this defense strategy any other countermeasure. In 2020, Porter et al. proposed adding dynamic watermarking to LiDAR signals to validate measurements. This solution has the potential to satisfy all the three aforementioned criteria.

Challenges for defending against Attack Model 1: Cao’s attack model may be considered state-of-the-art for its newness and effectiveness. Matsumura’s countermeasure is also novel and recent [105]. It will be an interesting study to implement Matsumura’s strategy against Cao’s attack model [38]. Davidson’s proposed method for UAV [104] may also be worth an experiment on CAVs. Porter et al.’s solution shows good potential and will be interesting for the community to discuss.

Attack Model 2 - LiDAR jamming: Attackers aim to perform a Denial-of-Service attack by sending out light with the same wavelength but with higher intensity and effectively preventing the sensor from acquiring the legitimate light wave. This technique has been used by civilians who aim to avoid speeding tickets by jamming police’s speed gun (a LiDAR device) [106]. In the context of CAV attacks, Stottelaar (2015) [107] successfully performed a jamming attack on a LiDAR sensor (Ibeo Lux3) and argued that such an attack on a CAV’s LiDAR sensor is possible. We have not found any other study or experiment on LiDAR jamming in the literature. Nevertheless, the attack process, as described in detail in [107], is relatively straightforward and should not require much training to replicate.

Criteria for Defense Strategies against Attack Model 2: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Low cost: The solution should not require expensive modification to the vehicle

• •

  High immediacy: The solution should not take too long to detect a jamming attack.

• •

  Signal filter: a solution should be able to filter out legitimate signals among jamming signals.

Existing Defense Strategies against Attack Model 2: Stottelaar [107] suggested several countermeasures such as using V2V communications to gather additional information, changing the wavelength frequently, using multiple LiDAR sensors with different wavelengths, and shortening the ping period (the time window that a sensor waits for the signal to come back). However, these countermeasures all have disadvantages. Vehicle-to-vehicle communication may not always be available. Using multiple LiDAR devices is expensive. The shortened ping period makes a device prone to errors. Changing wavelength frequently may not be effective against attackers who can follow a CAV for a while, as acknowledged by the author. Wang et al. (2015) proposed a novel LiDAR scheme called pseudo-random modulation (PMQSL) quantum secured LiDAR [42]. The PMQSL scheme is based on random modulation technique. The random modulation is a technique in the time domain, which is a typical way to recover the weak signal buried in random noise. The transmitting signal is modulated by the digital pulse codes, usually consisting of on and off. The $n^{th}$ order M-sequence $a_{i}$ with elements 1 or 0 is generated by a set of n-stage shift registers. The laser is pulse-position modulated by an electro-optic modulator. These pulses are further randomly modulated to create the horizontal, diagonal, vertical, and anti-diagonal polarization states of the photon through a polarization modulated model. When there is no jamming attack, four different distances corresponding to the four measured polarizations have very small error rates. In the presence of jamming attacks, the four distances have considerable error in the received polarization. The increase in error allows the system to determine that the LiDAR device was being jammed. The authors claimed that this LiDAR scheme can efficiently detect a jamming attack, but cannot filter out legitimate signals among jamming signals.

Challenges for defending against Attack Model 2: We have not found any study or experiment that demonstrates LiDAR jamming on a moving autonomous vehicle, as in Attack Model 1. Such a study will be interesting since we can observe the real effectiveness of Attack Model 2. Besides, defense strategies proposed in [42] and [43] need to be tested for CAVs because they were not specifically developed CAVs.

Attack Model 1 - Radar spoofing: Attackers replicate and rebroadcast radar signals to inject distorted data to the sensor. A common tool to perform this attack model is Digital radio frequency memory (DRFM), which is an electronic method to store radio frequency and microwave signals by using high-speed sampling and digital memory [108]. The phase of stored signals can then be modified and the signals are then re-broadcasted to the radar sensor. The falsified signals can then cause incorrect calculations of distance to surrounding objects. Chauhan (2014) [109] experimented with this attack model on a radar device (Ettus Research USRP N210) and managed to make an object from a 121-meter distance appear at a 15-meter distance. Yan et al. (2016) [37] discussed the same idea of the attack but unfortunately, they did not have the resource to implement the attack. Instead, they attempted to inject counterfeit signals to a radar sensor on a Tesla Model S. The attempt was not successful because the sensor has a low ratio of working time over idle time, which makes it difficult to inject signals at the precise time slot.

Criteria for Defense Strategies against Attack Model 1: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Attack Detection: The solution should be able to detect a radar spoofing attack in a timely manner.

• •

  Signal Filter: The solution should be able to filter out the attack signals and derives accurate distance measurements.

• •

  Consistency: The solution should be able to achieve the previous two criteria under many circumstances and over a long period of time.

• •

  Non-disruptivity: The solution should not affect other services of a vehicle.

Existing Defense Strategies against Attack Model 1: A novel approach, called physical challenge-response authentication (PyCRA) (2015) [110], inspects the surrounding environment by sending randomized probing signals, called challenging signals. PyCRA shuts down the actual sensing signals at random times and assumes that attackers cannot detect challenging signals immediately. Under that assumption, PyCRA can detect malicious signals by determining if they are higher than a noise threshold during a period with the Chi-square test. Kapoor et al. (2018) [111] criticized PyCRA that PyCRA may severely affect the safety-critical CAV components, such as adaptive cruise control and collision warning, because they are shut down at random times. Another shortcoming of PyCRA is that after the first 30 seconds following an attack, The derived distance is continuously longer than the actual distance [111], thus PyCRA falls short of the Consistency criteria. Dutta et al. (2017) [112] attempted to address PyCRA’s problems with consistency and non-disruptivity by introducing the Challenge Response Authentication method (CRA). CRA works by applying the recursive least square method to provide the estimated distance by minimizing the sum of square of errors, which is defined as the difference between the predicted distance and the actual distance. According to Dutta et al., CRA may satisfy all four aforementioned criteria. However, Kapoor et al. criticized that CRA may not be effective in practice because it relies on the assumption that the actual distance is known [111]. Kapoor et al. proposed a new method called Spatio-Temporal Challenge-Response (STCR). STCR uses the same idea as PyCRA, but instead of shutting down sensing signals, it transmits challenging signals randomized directions. Reflected challenging signals can be used to identify directions that reflect malicious signals, then excludes the untrustworthy directions when measuring the surrounding environment. According to [111], STCR is able to detect attacks and measure the actual distance consistently and in a timely manner.

Challenges for defending against Attack Model 1: Yan et al. [37] failed to apply the DRFM technique to inject counterfeit signals to a radar sensor because the sensor has a low ratio of working time over idle time. However, it was unclear from their publication whether this is the characteristic that all CAVs’ radar sensors share, and whether an attacker can find a way to overcome this problem. Further experiments are needed to answer this question. Besides, Kapoor et al.’s defense method [111] is the state-of-the-art technique but has not been validated in an experiment.

Attack Model 2 - Radar jamming: This attack model can also be carried out by using DRFM, but instead of modifying phase, attackers can modify frequency and amplitude of the stored signals before rebroadcasting to the radar sensors. The falsified signals can make the radar sensors fail to detect the object, at which the jamming device is located. We have not found any publication that experimented with this attack model on CAVs. However, this attack model is widely used by manned and unmanned aerial vehicles (UAV) to hide themselves from radar detection [113, 114, 115]. Since these attacks have only been applied to UAVs and not CAVs, we are not certain about their feasibility on CAVs and thus cannot make claims about criteria for defense strategies.

Existing Defense Strategies against Attack Model 2: Similar to the attack model, defense strategies are widely studied for UAVs, but none has been discussed for CAVs. To defend against this attack model, one can attempt to separate the legitimate signals from the counterfeit signals. The specific methods are described in [116, 117, 118, 43].

Challenges for defending against Attack Model 2: Further studies on both attacks and defense techniques are needed to investigate whether the attacks are feasible on CAVs and whether the defense techniques are also effective on CAVs.

Attack Model 1 - GPS Spoofing: An attacker broadcasts incorrect, but realistic GPS signals to mislead GPS receivers on CAVs. This is also known as a GPS Spoofing attack. In this attack model, attackers begin by broadcasting signals that are identical to the satellites’ legitimate signals. The attackers then gradually increase the power of his signals and gradually deviate their GPS signals from the target’s true location. GPS receivers are often configured to make use of signals with the strongest magnitudes [119]. Therefore, once the counterfeit signal is stronger than the legitimate satellite signal, GPS devices would choose to process the counterfeit signal. Tippenhauer et al. (2011) described in detail how to perform a GPS Spoofing attack and the requirements for a successful attack [120]. They found that an attacker must be able to calculate the distance from himself to the victim with an error of at most 22.5 meters. Whether this condition could be met on a moving CAV is still unclear. We have not found any successful GPS spoofing attack on CAV published in the literature. However, attacks on other transportation means are available. For instance, in 2014, Psiaki et al. [121] successfully spoofed GPS signals to a superyacht’s and reported counterfeit locations to the crew. The crew then attempted to correct the course, only to deviate from the correct course. Shepard et al. (2012) [122] used a civilian GPS spoofer to successfully create a significant timing error in a phasor measurement unit, which is a component of GPS devices responsible for estimating the magnitude and phase angle of GPS signals. Zeng et al. (2018) [123] assembled a small device from popular components with a total cost of 223 US Dollars and used it to trigger fake turn-by-turn navigation to guide victims to a wrong destination without being noticed. The authors demonstrated the attacks on real cars with 40 participants and were able to guide 38 participants to the authors’ predetermined locations (95% success rate). Zeng et al. discussed one of the limitations of their study is that it is not effective if a driver is familiar with the area. However, this may not be the case for CAVs and thus Zeng et al.’s attack model would pose a significant threat to CAVs. Recently, Regulus Cyber LTD. tested GPS spoofing on a Tesla 3 and successfully made the car’s GPS display false positions on the map, and hence any attempt to find a route to a destination resulted in bad navigation [39]. The total equipment cost to perform this attack was 550 US Dollars and the report also stated that “this dangerous technology is everywhere“. Unfortunately for those who are curious, the researchers did not perform an attack when the car was on an autopilot mode. Narain et al. (2019) [124] proposed an interesting approach for attackers. They first looked for data on regular patterns that exist in many cities’ road networks. Then, they used an algorithm to exploit the regular patterns and identify navigation paths that are similar to the original route (assuming that the attackers know the victim’s route). Finally, the identified paths can be forced onto a target CAV through spoofed GPS signals. This attack model allows attackers to possibly bypass some defense mechanisms, such as the Inertial Navigation System (INS), which helps GPS receivers to get positions and angle updates at a quicker rate [125, 126]. The inconsistencies between the spoofed path and the original path may be negligible and the attack can be successfully executed. Also in 2019, Meng et al published an open-source GPS-spoofing generator using Software-Defined Receiver [127]. The authors claimed that their spoofing generator can cover all open-sky satellites while providing high-quality concealment, thus it can block all the legitimate signals. This would make the spoofing signals closely similar to that of the legitimate signal. Therefore, it would be difficult to detect this attack based on only the differences with surrounding GPS receivers or the signal consistency. The threat of this spoofing model to CAVs is very serious once all signals from the visible GPS satellites are spoofed [127].

Criteria for Defense Strategies against Attack Model 1: Haider and Khalid (2016) [20] proposed the following criteria for effective defense strategies:

• •

  Quick Implementation: The solution can be implemented easily.

• •

  Cost Effective: The solution should be affordable in either a small scale or a large scale.

• •

  Prevent Simple Attack: ability to detect simple attacks.

• •

  Prevent Intermediate Attacks: ability to detect intermediate type of attacks.

• •

  Prevent Sophisticated Attacks: ability to detect sophisticated and advanced types of attacks, such as [127, 124].

• •

  No Requirements to modify satellite transmitters: the solution does not require changes to be made on the satellite transmitters.

• •

  Validation: the solution is easy to test.

• •

  Interoperability: The solution works on many types of machines (we are only concerning about CAVs in this context).

Existing Defense Strategies against Attack Model 1: In 2003, the United States Department of Energy suggested seven simple countermeasures to detect GPS spoofing attacks [128]. The seven countermeasures are:

• •

  Monitor the absolute GPS signal strength: by recording and monitoring the average signal strength, a system may detect a GPS spoofing attack by observing that signal strengths are many orders of magnitude larger than normal signals from GPS satellites.

• •

  Monitor the relative GPS signal strength: the receiver software could be programmed to record and compare signals in consecutive time frames. A large change in relative signal strength would be an indication of a spoofing attack.

• •

  Monitor the signal strength of each received satellite signal: the relative and absolute signal strengths are recorded and monitored individually for each of the GPS satellites.

• •

  Monitor satellite identification codes and number of satellite signals received: GPS spoofers typically transmit signals that contain tens of identification code, whereas legitimate GPS signals on the field often come from a few satellites. Keeping track of the number of satellite signals received and the satellite identification codes may help determine a spoofing attack.

• •

  Check the time intervals: with most GPS spoofers, the time between signals is constant. This is not the case with real satellites. Keeping track of the time intervals between signals may be useful in detecting spoofing attack.

• •

  Do a time comparison: Many GPS receivers do not have an accurate clock. By using timing data from an accurate clock to compare to the time derived from the GPS signals, we can check the veracity of the received GPS signals.

• •

  Perform a sanity check: by using accelerometer and compass, a system can independently monitor and double check the position reported by the GPS receiver.

All of the above seven countermeasures are simple and inexpensive to implement, may prevent simple attacks, do not require modification to satellite transmitters, and are inter-operable. However, they may fall short when dealing with sophisticated attacks such as [127, 124].

Defense strategies against GPS spoofing attacks have also been studied extensively in the academic literature. Since GPS signals do not contain any information that can verify their integrity, a natural way to defend against Attack Model 1 is to use redundant information to verify the integrity of GPS signals. One example of such a method is the Receiver autonomous integrity monitoring (RAIM), a technology that uses redundant signals from multiple GPS satellites to produce several GPS position fixes and compare them [129, 130]. A RAIM system is considered available if it can receive signals from 24 or more GPS satellites [131, 132]. RAIM statistically determines whether GPS signals are faulty or malicious by using the pseudo-range measurement residual, which is the difference between the observed measurement and the expected measurement [40]. Advanced Receiver Autonomous Integrity Monitoring (ARAIM) is a concept that extends RAIM to other constellations beyond GPS, such as GLObal NAvigation Satellite System (GLONASS), Galileo, and compass [133, 134]. One criticism with ARAIM is that its availability is inconsistent if one or more satellites are not reachable [135, 131]. Meng et al. (2018) proposed solutions for this problem and improved ARAIM availability up to 98.75% [135, 136]. There are many other validation mechanisms, which all make use of additional satellites or side-channel information. For example, O’Hanlon et al. described how to estimate the expected GPS signal strength and compared against the observed signal strength to validate GPS signals [41]. Furthermore, a defense system can monitor GPS signals to ensure that the rate of change is within a threshold. Montgomery proposed a defense approach that uses a dual antenna receiver that employs a receiver-autonomous angle-of-arrival spoofing countermeasure [137]. The main idea is to measure the difference in the signal’s phase between multiple antennas referenced to a common oscillator. Other examples of countermeasures can be found in the survey paper by Haider and Khalid (2016) [20].

Challenges for defending against Attack Model 1: Even though several countermeasures have been proposed in the literature, their effectiveness against newer attack strategies, such as [127, 124] (2019), is unknown. The attack strategy in [127] is especially dangerous for CAVs. Therefore, finding effective countermeasures for these 2019-born attack models is a current research challenge.

Attack Model 2 - GPS jamming: Since radio signals from the satellites are generally weak, jamming can be achieved by firing strong signals that overwhelm GPS receiver, so that the legitimate signals can not be detected [138]. Examples that highlight the risks of GPS jamming have been reported. In 2013, a New Jersey man was arrested for using a $100 GPS jamming device plugged into the cigarette lighter in his company truck [139]. The man’s motive was to jam his company truck’s GPS signal to hide from his employer. However, the device was reported to be powerful enough to interfere with GPS signals at the nearby Newark airport. Even though GPS jamming devices are illegal for civilian use, they can easily be found on online retailers such as eBay [140]. GPS jamming is less dangerous than GPS spoofing in the sense that attackers have higher control over GPS receivers with a spoofing attack. However, GPS jamming attack can cause disruptions of service and is essentially a Denial-of-Service attack.

Criteria for Defense Strategies against Attack Model 2: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Attack Detection: The solution should be able to detect a jamming attack in a timely manner to ensure the safety of CAVs.

• •

  Signal Filter: The solution should be able to filter out the attack signals so that the vehicle can still operate under certain attack scenarios and avoid disruption of service.

Existing Defense Strategies against Attack Model 2: Many GPS receiver modules have implemented anti-jamming measures that target unintentional interference from every-day electronic devices. However, Hunkeler et al. (2012) [141] have shown that these countermeasures are ineffective against intentional attacks. For example, the NEO-6 GPS receiver has an integrated anti-jamming module that provides data to assess the likelihood that a jamming attack is ongoing. Hunkeler et al. showed that the parasitic signal from the GPS jammer interfered with the NEO-6 receiver in such a way that the receiver could not function while the anti-jamming module reported very low probability for a jamming attack. Several studies have demonstrated how calculate the probability of intentional GPS jamming attack just by using information from GPS receivers [141, 142, 143]. Unfortunately, detection of GPS jamming does not prevent disruption of service, which is the main objective of a GPS jamming attack. L3Harris Technologies, Inc. developed a technology, Excelis Sentry 1000, that can detect sources of interference to support timely and effective actionable intelligence [144]. The Excelis Sentry 1000 systems can be strategically placed around high-risk areas to instantaneously sense and triangulate the location of jamming sources [140]. However, this defense strategy may not be effective for CAVs, whose operating location is not predictable.

Mukhopadhyay (2007) [145] and Purwar et al. (2016) [146] proposed methods to reduce the jamming signals and estimate the legitimate GPS signals. Mukhopadhyay used a the Adaptive Array Antenna technology and the Least Mean Squared (LMS) algorithm to maximize the chance of collecting the desired signals and the chance of rejecting jamming signals. The Adaptive Array Antenna technology are antenna arrays that have integrated signal processing algorithms that can identify spatial signal signatures such as the direction of arrival (DOA) of the signal, and use them to calculate beamforming vectors in order to track and locate the antenna beam. Mukhopadhyay used the LMS algorithm, which is a member of a family of stochastic gradient algorithms, to further accurately calculate the DOA. The DOA information would then contribute to determining the signals being rejected or accepted. Purwar et al. (2016) [146] proposed the Turbo Coding method for counter jamming. In Turbo Coding, The Turbo encoder at the GPS satellites that send the original GPS data is encoded, then modulated, and passed over a noisy channel. Then, the encoded data arrives at the GPS receivers along with noise and jamming signals. The receiver demodulates the distorted GPS signals and then the Turbo Decoder decodes demodulated signals to retrieve the original GPS signals. This technique has two major weaknesses. First, the results in [146] demonstrated that as the strength of jamming signals increases, their method becomes less effective. Specifically, when the jamming signals is about 14 times stronger than the legitimate signals, the method cannot recover the legitimate signals. Second, this method requires modification to the GPS satellites.

Challenges for defending against Attack Model 2: The state-of-the-art countermeasure was published by Purwar et al. (2016) [146]. It has two major weaknesses that would be problematic to be implemented for CAVs. The method requires modification to the GPS satellites and is only effective if the jamming signals are not too strong.

Attack Model 1 - Camera blinding: On CAVs, cameras commonly provide inputs for deep learning models for the task of object detection. Attackers aim for a denial of this service by blinding a camera with extra light. Petit et al. (2014) [36] experimented with a blinding attack on a MobilEye C2-270 camera installed on a non-automated car’s windshield. The researchers showed that a quick burst of 650 nm laser was able to almost fully blind the camera and the camera never recovered from the blindness. The 940 nm 5x5 LED matrix and 850 nm LED spot also achieved the same result, but the camera was able to recover after more than 5 seconds. It is important to note that the MobilEye C2-270 camera is not used for full vehicle automation (SAE Level 5) but function-specific automation (SAE Level 1 to 3). Yan et al. (2016) [37] experimented with similar attacks and was also able to blind a camera permanently (the authors did not specify the camera). This paper also pointed out that LED and Laser beam could blind a camera but Infrared LED could not because of the narrow frequency band filters. We have not found any other study on this attack model.

Criteria for Defense Strategies against Attack Model 1: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Low cost: The solution should not require expensive modification to the vehicle

• •

  Generalization: The solution should work on as many attack wavelengths as possible. Petit et al. and Yan et al. showed that this attack model is possible for laser and LED with different wavelengths. A solution that works for all attack wavelengths would be ideal.

Existing Defense Strategies against Attack Model 1: Petit et al. [36] also suggested two countermeasures in their study. The first countermeasure is to use redundancy by installing multiple cameras that have overlapping coverage. This is effective because laser and LED spot have small beam width, making it difficult to attack multiple cameras spontaneously. This defense strategy cannot mitigate the risk of Attack Model 1 completely, but it makes attackers spend more effort on a successful attack. Nevertheless, the cost to implement this solution grows in direct proportion to the number of extra cameras. The second countermeasure is to integrate a removable near-infrared-cut filter into a camera. This is a technology that is available on security cameras and can filter near-infrared light on request. This solution can potentially satisfy both criteria, but would need implementation and experiments to be verified. In 2020, DH and Ansari proposed a detection method by using predictive analytics to predict the future next frames captured by the cameras and then compare the received frames with the predicted frames [147]. DH and Ansari’s solution has the potential to satisfy both the criteria we mentioned.

Challenges for defending against Attack Model 1: Petit et al.’s suggested countermeasures are the only ones that we found in the literature. Yan et al, (2016) [37] did not discuss any countermeasure in their experiment. Petit et al.’s proposed strategy of using near-infrared-cut filter into cameras has high potential, but need further experiments and validations. Similarly, DH and Ansari’s solution has the potential to be a generalized solution and may be implemented easily, but need further validations due to its newness.

Attack Model 2 - Adversarial Images: An adversary may carefully make small perturbations on the images that cameras observe and cause the artificial-intelligence algorithms (used for CAV’s vision) to generate incorrect predictions. Even though the ultimate targets of this type of attack are the deep learning models that reside in ECUs, cameras are convenient channels for attackers to inject adversarial images. In 2017, Google researchers were able to create stickers called adversarial patch [148] with patterns that can deceive artificial intelligence algorithms. These stickers may be printed out and attached to important transportation objects, such as road signs. Lu et al. (2017) [149] experimented such an attack by taking 180 photos of compromised stop signs with an iPhone 7 from a moving vehicle. They found that a trained neural network classified most of the pictures correctly, which meant that the attack model was not effective. In contrast, Eykholt et al. (2018) [150] were a lot more successful with their experiments. They experimented with a camera in a lab setting and a camera on a moving vehicle (non-CAV). By decorating stop signs with small black-and-white stickers, the authors made a state-of-the-art algorithm fail to recognize the stop signs 100% of the time in a lab setting and 84.8% on a moving vehicle. Li and Gerdes (2019) [151] experimented with the same type of attack by using electromagnetic interference in a remote manner and without physical modification to the stop signs, which makes the attack easier to launch and harder to detect. We have not found any experiment on CAVs, but this attack model, as demonstrated in a moving vehicle setting [150], should also apply to CAVs. There are several methods that attackers can use to know how to tamper with objects such as road signs. These methods are called universal adversarial perturbations and are described in [152, 153, 154, 44]. Recently, an IBM research group released an open-source Python library, called Adversarial Robustness 360 Toolbox, for generating and defending against adversarial images [155]. This attack model is especially dangerous because it may make CAVs ignore alerts or read the wrong speed limits from road signs.

Criteria for Defense Strategies against Attack Model 2: Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Low cost and easy implementation: The solution should not require expensive modification to the vehicle

• •

  Generalization: The solution should work on many types of image perturbations.

• •

  Computationally efficient: The solution should be calculated efficiently to serve real-time object-detection purposes.

Existing Defense Strategies against Attack Model 2 Securing Machine Learning models against adversarial images have been discussed extensively. This can be achieved by several techniques such as pre-processing inputs [156, 157, 158, 159], adding adversarial samples to training data [160, 161, 162], and utilizing run-time information to detect abnormal inputs [163]. All of these methods are algorithm-based and can probably be integrated into the codes on the ECUs that handle object-detection from camera data. To our knowledge, no research has studied the extent of generalization of these algorithms, as well as their theoretical and practical computational complexity. Such a comparison study for these defense techniques should be performed for further discussions on this topic.

Challenges for defending against Attack Model 2: The attack and defense of Attack Model 2 have been studied extensively in terms of methodologies and have been tested with general images. A comparison study for these defense techniques in terms of generalization and computational efficiency should be performed to server further discussions on this topic.

Attack Model 1 - Falsified information: Attackers aim to send falsified information through the V2V and V2I communications to disrupt CAVs’ operation and traffic flow. This can be achieved by impersonation or Sybil attacks. In an impersonation attack, attackers steal the identity of legitimate CAVs and broadcast falsified information. This could be achieved if the connection protocol lacks a strong authentication method. Chim et al. (2009) [164] described in detail one way to impersonate another CAV’s identity in section IV of their paper. In a Sybil attack, attackers create a large number of identities and use them to send falsified information over a network and make the falsified information appear to be popular and legitimate. For example, Rawat et al. (2019) [165] described a scenario in a VANET network, where fake identities are made to look like they surround a target vehicle, making the target vehicle think that there is a traffic jam.

Criteria for Defense Strategies against Attack Model 1: This attack model can be mitigated by implementing strong authentication methods that may be specified in the V2V and V2I network protocols. Based on our understanding of the attack model and study on the defense techniques, we suggest the following criteria.

• •

  Low cost and easy implementation: Solutions that are easier to implement and cost less are preferable.

• •

  Computationally efficient: The solution should be calculated efficiently to serve real-time authentication.

Existing Defense Strategies against Attack Model 1: Several authentication methods have been proposed, such as [166, 167, 168]. Grover et al. (2011) [166] proposed an authentication scheme that uses neighboring vehicles in VANET. There are four phases:

• •

  Periodic Communication: each vehicle on the road periodically broadcasts and receives beacon packets. This phase is to announce a vehicle’s presence to all vehicles on the road.

• •

  Group construction of neighboring nodes: when a vehicle collects enough beacon messages from other vehicles, it makes a record of neighboring nodes in the form of groups at regular intervals of time.

• •

  Exchange groups with other nodes in vicinity: after significant duration of time, these vehicles exchange their neighboring nodes record with each other in vicinity.

• •

  Identify the vehicles comprising similar neighboring nodes: after receiving the records from other vehicles, each vehicles may detect malicious vehicles by observing that the abnormal vehicles exist in neighboring nodes for duration greater than a threshold.

Grover’s approach may satisfy both of aforementioned criteria, but may fall short when there are not enough vehicles on the road to exchange information. Whyte et al. (2013) [167] proposed the Security Credential Management System (SCMS) that implements a public-key infrastructure (PKI) with some features for providing privacy. The PKI is used to authenticate vehicles through V2I connections. Two major drawbacks of this approach are that a PKIs are expensive to implement, and that V2I communication may add significant delays to the authentication process. Alimohammadi et al. (2015) [168] proposed a secure protocol based on a light weight group signature scheme. For a short time and secure group communication, the Boneh-Shacham algorithm is used for short group signature scheme and batch verification. Hubaux (2004) [169] suggested that all vehicles use electronic license plates to allow the wireless authentication of CAVs. Zhang et al. (2008) [170] proposed an authentication scheme that would efficiently authenticate CAVs by using some roadside infrastructures. However, Chim et al. (2009) [164] claimed that their attack model would penetrate Zhang et al.’s method. In 2020, Zhao et al. [171] proposed a protection mechanism that consists of an offline phase and an online phase. The offline phase establishes matrices and parameters to support attack detection and decision making during the online phase. All the methods that require PKI and roadside infrastructures are costly and difficult to implement.

Challenges for defending against Attack Model 1: Strong authentication methods that are based on public-key encryption would require a public key infrastructure. However, as van der Heijden et al. (2018) discussed [23], PKIs suffer from problems such as being expensive to implement in a large region and may not provide real-time authentication. Furthermore, Chim et al. [164] pointed out that the processing units on CAVs may not be able to process the authenticating messages in real time.

Attack Model 2 - Denial of Service: Attackers perform Denial-of-Service (DoS) attack and Distributed Denial-of-Service (DDoS) attack on the communication mechanisms. Several studies have demonstrated how VANETS and V2I networks are vulnerable to DoS and DDoS attacks[172, 173, 174, 175]. All of these attacks are intended to confuse CAVs’ operations and disrupt traffic flows. DDoS attacks on V2I networks are likely to disrupt transportation in a large region, especially if the infrastructure provides critical information to control traffic flows. Ekedebe et al. (2015) [176] experimented with DoS attacks on V2I network by using a simulated environment and showed that DoS attacks can prevent all messages from being sent to vehicles in the network. V2V networks are also possible targets for DoS and DDoS attacks because they have limited connection bandwidth. For example, the DSRC standard specifies that a node must wait to transmit signals until the DSRC channel is idle [177]. To exploit this limitation, attackers may constantly transmit noises through the DSRC channel to keep it always busy and thus to prevent legitimate signals from being delivered. Leinimuller et al. (2006) [178] described another variation of DoS attacks on V2V networks, where an adversarial vehicle in a VANET network can falsify its position information to intercept message packets between other vehicles in the network.

Existing Defense Strategies against Attack Model 2: Defending against DoS and DDoS attacks on V2I and V2V network requires a secured V2I or V2V network architecture and protocols. Just like DoS attacks on V2I networks resemble those on a traditional centralized network, defending strategies for a traditional centralized network can be applied to defend V2I networks. The defense strategies for a general centralized network can be found in Douligeris’s survey paper (2004) [174], which include intrusion prevention, intrusion detection, intrusion response, and intrusion tolerance techniques. Singh et al. (2018) [179] discussed a machine-learning based approach to detect DDoS attacks on V2I networks. Besides this study, We have not found any other study that is specific for V2I networks. To secure V2V networks, several papers have proposed secured architecture. For example, Blum et al. (2006) [177] proposed the CARAVAN architecture, Plossl (2016) [180] proposed an architecture that uses a certified GALILEO receiver to achieve reliable time and position information, Hubaux (2004) [169] suggested using electronic license plates to authenticate CAVs.

Challenges for defending against Attack Model 2: All the aforementioned studies are based on theoretical frameworks and have not been tested in a realistic CAV environment. An experimental study, even if performed on simulated but realistic data, would be valuable to determine suitable methods to defend against DoS and DDoS attacks on V2V and V2I networks.

Research trends: We have observed the following research trends happening on the topic of security of CAVs.

• •

  The trend in developing new attack models largely follows the remote attack pattern by targeting sensors, cameras, and communication mechanisms. We have observed that most of the recently developed attacks can be performed from a remote distance, either from the roadside or from other vehicles. Examples of such attack can be found in [36, 124, 127, 172].

• •

  The trend in developing new defense strategies is to utilize machine learning and anomaly-based intrusion detection systems. The requirements for new defense strategies often include the capability of real-time response, low expense, and less modification to CAVs’ architecture.

• •

  There is an obvious need to develop secured mechanisms to update the software on ECUs. All the current updating mechanisms are easily abused by attackers to compromise CAVs, such as those attack models mentioned in [99, 101].

• •

  A decentralized public key infrastructure (PKI) will be necessary to improve the security of V2V and V2I communications [23, 181]. While operating, a CAV may meet many other CAVs in a short time and may need to exchange information through V2V communications. To mitigate the attack model 1 discussed in section III-H, authentication based on public-key encryption is necessary. To achieve this, a CAV will need to request the public key of other CAVS from a PKI. Decentralizing PKI is necessary to reduce the latency before the vehicle receives the necessary keys to achieve real-time authentication.

Research Challenges: From the research challenges discussed in section III, we organize three categories for the open security issues on CAVs. The specific challenges and their related publications are presented in Table III.

• •

  Unsolved attack models: there are several attack models in the literature that we have not found a corresponding defense strategy in the literature. Some of these attack models pose significant and realistic threats to CAVs, such as the GPS Spoofing methods discussed in[127] and [124], both published in 2019. These challenges are presented in the first column of Table III.

• •

  Attack models needing further experiments: there are recently developed attack models that we are unable to assess the level of threat and effectiveness in a realistic environment of CAVs. Further experiments under a realistic environment will provide the community with a better understanding of the impact of these attack models and incentivize research for defense strategies. These challenges are presented in the second column of Table III.

• •

  Defense strategies needing further experiments: there are many defense strategies proposed only theoretically or have only been tested under unrealistically simulated environments. Further experiments under realistic environment will help validate these strategies and identify the most suitable ones. These challenges are presented in the third column of Table III.

In July 2019, a coalition of 11 companies that are involved in the development of CAVs published a whitepaper titled “Safety First For Automated Driving“ [182]. The 11 companies include Audi, Intel, Volkswagen, Baidu, BMW, Aptiv, Fiat Chrysler Automobiles, Daimler, Continental, Infineon, and HERE. The whitepaper describes a thorough approach to make CAVs operate safer, of which security is a subtopic. With this publication, the authors aimed to build a guideline for the development of safer and more secure CAVs. The authors claimed to continuously update this whitepaper by including detailed solutions for defined problems in the future. They hope that the whitepaper will become an international standard for the development of CAVs. Regarding security issues, the whitepaper [182] recommends two approaches:

• •

  Using Secure Development Lifecycle (SDL), which is a process for integrating security into the product development and product maintenance processes. SDL practices are divided into preliminaries, development, and sustainment. Regarding preliminaries, a CAV development team is required to be sufficiently trained with knowledge of security issues, policies, procedures, and guidelines. Development includes security practices in software engineering, such as code review, penetration testing, and threat modeling. Sustainment practices ensure that CAVs continue to operate safely after release by having an effective incident response system and continuous updates.

• •

  Regarding the machine learning models embedded in CAVs, the authors conducted a brief survey on the challenges of building safety-ensured machine learning models and suggested many guidelines. This section is presented in Appendix B of the whitepaper [182]. In short, the guidelines involve the processes of selecting data for model training and testing, architecture design of models, model evaluation, and deployment and monitoring. Interestingly, we think that building defense mechanisms against adversarial image attacks (section 3E, attack model 2) fits into the paradigm of data selection and model validation that the whitepaper describes.

Another coalition of Ford, Lyft, Uber, Volvo, and Waymo, named the Self-Driving Coalition for Safer Streets also presented several publications related to CAV’s security on their website [183]. Most notable is Waymo’s safety report titled “On the Road to Fully Self-Driving“ [184]. The report claimed that Waymo applied approached such as building redundant security measures for critical systems and limiting communication between critical systems. However, the specific implementation of these approaches was not described. We have not found any related safety report from other members of this coalition.

Regarding secure communication for CAN Bus, Guardknox Cyber Technologies Ltd. developed a patented security approach, named Communication Lockdown, to enforce a formally verified and deterministic configuration of communication among the CAN Bus [185]. Guardknox Cyber Technologies Ltd. claims that this technology can provide zero false positives with minimal integration and no vehicular hardware modification.

From our observations, research and implementation of security issues are in the early stage of development among the CAV corporations. We have not found any strong connection between academic research and the industry’s implementation of CAV-related security issues. There is no evidence to show that CAVs on the market have been updated to defend against the novel attack models that the research community has found.