Cyber-physical systems (CPSs) enable a plethora of technological innovations that will dramatically improve everyday life. One prime CPS example is autonomous driving systems (ADSs) for coordinating a set of autonomous vehicles (AVs) safely, securely, and efficiently [ADSs, platoon2020]. The complex integration of multi-modal physical sensing, computation, and communication creates a particularly challenging environment to safeguard. As prior research has revealed, traditional information security methods fail to extend desired security properties such as authentication, message integrity, and confidentiality to the physical world [van2017analyzing].
To demonstrate this shortcoming, consider the scenario of Fig. 1 where is followed by . The two vehicles form a cooperative platoon and coordinate operations such as acceleration, braking, and steering to improve safety and fuel efficiency [turri2016cooperative, lyamin2016study, lammert2014effect]. Coordination occurs in a variety of ways, including physical sensing via cameras and LiDAR, and secure vehicle-to-vehicle (V2V) communications [kenney2011dedicated, IEEE:WAVE]. Existing wireless standards, including IEEE 1609.2 for V2V communication [IEEE:WAVE] and the more recent 3GPP TS 33.185 for Cellular Vehicle-to-Everything [secureV2X], recommend binding a vehicle’s digital identity via a public key infrastructure (PKI) at vehicle registration. Using the PKI, the two vehicles can mutually authenticate and exchange messages whose integrity and confidentiality are guaranteed.
However, the PKI cannot bind a vehicle’s digital identity to the vehicle’s physical/relative location and state. Although the origin and integrity of a message sent by to can be verified via the PKI, its contents, such as location, trajectory, velocity, and acceleration, cannot. This allows to impersonate “ghost” vehicles [bissmeyer2012central, han2017convoy], inject false data from a remote location without following , and ultimately jeopardize the safety and efficiency of the platoon. Note that even if uses its physical sensors to cross-validate the physical information contained in message , this check cannot serve as a valid proof. For instance, suppose requests to form a platoon with via a message . Vehicle uses its LiDAR to check whether is following. Even if a vehicle is detected, has no direct means to verify that the digital identity of the following vehicle is indeed .
Proof-of-following. In this paper, we seek to provide the missing link between the physical and the digital world in the context of verifying a vehicle’s platoon membership. We focus on the property of following, where vehicles follow each other in a close and coordinated manner. We aim at developing a Proof-of-Following (PoF) protocol that enables a candidate vehicle to prove that it follows a verifier vehicle within the typical platooning distance.
A PoF protocol is closely related to distance bounding protocols [brands1993distance] and proximity verification methods [mathur2011proximate, zenger2015exploiting, miettinen2014context, hayashi2013casa, conti2020context], with notable differences. A distance bounding protocol lets a verifier check that a prover is located within a bounded distance of it at a single time instant, without taking mobility and time into account. A PoF protocol verifies a physical distance bound over time while the involved entities are moving. Although a PoF could be implemented as a repeated application of distance bounding along the verifier’s path of motion, we explore a looser form of verification in which the distance bound does not need to be strictly met at every time instant. This model readily corresponds to vehicle platooning, where the distance between platooning vehicles naturally fluctuates with traffic conditions and the type of road traversed, but remains bounded overall.
The main idea of our PoF is inspired by a common car game typically played with kids called “I spy”. In I spy, one player (the spy) chooses a visible object and announces it to the other players with some attribute description (first letter, color, size). The other players have to guess the spied object. The game is ideal for car journeys because the visible objects are continuously renewed. Similar to the common vision of co-travelers in the I spy game, if the candidate and verifier vehicles are platooning, they should see (sense) the same environment. Security is drawn from the rapidly changing environment due to motion. Although several different modalities can be used to sense the environment, we opt to measure ambient RF signals. Specifically, our PoF protocol exploits the large-scale fading characteristics of RF propagation to correlate the moving paths of the platoon members. By continuously sampling ambient RF signals from cellular towers, platoon members verify that they sense the same RF environment. The problem addressed in this paper and the main idea of exploiting ambient RF signals is demonstrated in Fig. 2.
The use of ambient RF signals from the cellular infrastructure has several notable advantages. From a practical perspective, our method operates in-band using only a cellular receiver. It does not require any additional sensors such as cameras or LiDAR, which may not be universal on all vehicles and often rely on proprietary technologies. A cellular transceiver is likely to be standard equipment given the global momentum for the adoption of the Cellular-V2X (C-V2X) 3GPP standard [3GPP, secureV2X, qualcommV2X]. From a security perspective, RF signals decorrelate rapidly with distance and time, especially when mobility is involved [gudmundson1991correlation, szyszkowicz2010feasibility]. Thus, predicting the instantaneous RF environment, either by pre-recording signals along a route or by following at a large distance, becomes impossible. Note that the general principle of using ambient RF signals to verify proximity has been used in indoor device pairing methods [mathur2011proximate, miettinen2014context, conti2020context] for stationary devices. A key difference between those methods and the proposed PoF (besides the incorporation of mobility) is that the former exploit small-scale fading of wireless signals and are limited to very small distances, whereas we rely on large-scale fading to accommodate typical platooning distance separations.
Contributions: Our main contributions are as follows.
We first define the security primitive Proof-of-Following (PoF) in the context of vehicle platooning. We then develop a PoF protocol that allows a candidate vehicle to prove to a verifier vehicle that it follows the verifier’s path within the typical platooning distance. The PoF protocol binds the “following” physical property to the candidate’s digital identity. The protocol enables new vehicles to join a platoon and also supports the continuous verification of following for existing members.
Our PoF protocol exploits the large-scale RF propagation characteristics to correlate the motions of the candidate and the verifier. This has notable advantages in terms of the required hardware to implement the PoF (just an RF transceiver) and the security of the PoF.
We demonstrate the security of our PoF protocol for an attacker that pre-records the RF environment along the route of the platoon and one that follows the platoon but at a longer distance.
We experimentally evaluate the performance and security of our protocol against our adversary model using a USRP radio-equipped candidate-verifier vehicle testbed in urban, freeway, and highway driving settings. In such realistic conditions, we demonstrate that the PoF withstands both the pre-recording and following attacks with overwhelming probability.
Limitations: Our PoF protocol has two limitations. First, it can only verify following for distances up to some bound. This is because RF measurements decorrelate exponentially with distance and approach zero after such bound. We emphasize that this is not a limitation for platooning applications because the benefits of platooning can only be reaped if the formation is tight (typically less than 25m) [platoon2020, turri2016cooperative].
Second, our PoF construct does not verify relative vehicle positioning. Although positioning is important, we have kept the construct general: it verifies that the candidate is around the verifier rather than exactly behind it, which allows more flexibility in the application domain. Note that an adversary would have to actually follow the platoon at close distance to pass a PoF test, which is equivalent to being part of the platoon: the effort of staying anywhere within the verification bound is the same as that of following, so an adversary that can pass the test has no reason not to follow. Relative positioning methods can be developed on top of our general construct. For instance, if multiple verifiers are incorporated, the candidate must be located in the intersection of the respective distance bounds.
II Models and Assumptions
II-A Platooning Model
Although a PoF primitive is general and can be applied to various mobile scenarios where verification of following is necessary, we explore it in the context of a vehicle platooning application. Platoons are led by a manually-operated or autonomous vehicle, which is followed by autonomous or semi-autonomous vehicles [guanetti2018control]. Members of the platoon engage in coordinated driving that involves sensing the physical environment and also exchanging control messages that contain motion state information such as acceleration, velocity, steering, etc. [jia2015survey]. Vehicles may be equipped with sensors (e.g., cameras, radar or LiDAR), and run control algorithms such as cooperative adaptive cruise control (CACC) [milanes2013cooperative] to maintain a fixed distance.
To secure the platoon operation, the V2V messages are protected using cryptographic primitives. According to the C-V2X communication standard (3GPP TS 33.185 [secureV2X]), V2X communication is supported by a public key infrastructure (PKI) that provides each vehicle with a private/public key pair and a digital certificate as proof of identity. These credentials can be used to establish trust among the platoon vehicles and derive shared secret keys (such as pairwise keys and group/broadcast keys) that protect the confidentiality and/or integrity of their message exchange. We assume that digital signatures are used to prove the digital identity of vehicles, at least during the trust establishment phase. Key management of digital identities and platoon secrets is beyond the scope of this work. A PoF involves the following entities.
Candidate (): The candidate vehicle wishes to join a moving platoon by sending a join request to the platoon verifier. The candidate is in possession of a public/private key pair and a certificate that is issued by a trusted certificate authority. The candidate vehicle is not allowed to receive or transmit any platoon coordination messages before it completes a PoF with the verifier.
Verifier (): The verifier is an existing platoon member that is responsible for verifying the digital identity of the candidate and that the candidate indeed physically follows the platoon. The verification process may involve the verifier alone or require interaction with other platoon members. Typically, the role of the verifier is assumed by the last platoon vehicle. Once a candidate is admitted, its public key is added to the list of platoon members by all the other vehicles in the platoon.
II-B Threat Model
We assume an external attacker who attempts to pass a PoF verification without following the platoon. The ultimate goal of the adversary is to be accepted in the platoon and inject falsified coordination messages. For instance, could indicate traffic congestion or an imminent danger (road obstacle), or send wrong heading information to hijack the route of the platoon. Such false information can jeopardize the platoon’s safety and efficiency [Jagielski2018Threat, gerdes2014CPS, DeBruhl2015Is, dadras2015vehicular].
The attacker is assumed to be in possession of a valid public/private key pair and a certificate issued by a trusted certificate authority. We emphasize that the cryptographic credentials only authenticate the vehicle’s digital identity but do not bind the vehicle to its physical trajectory. Note that, although the verifier can use other sensing modalities (such as radar or LiDAR) to measure the distance to the vehicle behind it, the measurement alone cannot be tied to a candidate’s digital identity (transmitted over the wireless interface). In addition, radar or LiDAR measurements can be spoofed remotely [giechaskiel2019taxonomy, cao2019adversarial]. We consider two types of adversaries as follows.
Remote adversary: A remote adversary is stationed at some location away from the moving platoon and uses the existing infrastructure (cellular tower or road side units) to communicate with the platoon. The adversary is aware of the platoon’s route (trajectory) in advance and in real time. The adversary can use this knowledge to traverse and observe (e.g., measure the RF environment) the platoon’s route ahead of time. He requests to join the platoon at a time of his own choice, pretending to be a vehicle that follows the platoon. He can also replay historical measurements to the platoon.
Following-afar adversary: A following-afar adversary tails the platoon from a long distance that does not meet the following distance requirement, but still allows him to communicate with the platoon. As an example, the adversary could be within a few hundred meters from the platoon. The adversary is also aware of the platoon’s route and can traverse it ahead of time. Moreover, since the adversary follows the platoon from afar, he can obtain more up-to-date measurements in real time.
Although the adversary could get closer (e.g., tens of meters) to the platoon during some parts of the driving, we do not consider partial following in our adversary model. This model does not make much practical sense for the adversary. If the adversary could closely follow the platoon within a valid distance for some time, he has no incentive to enlarge it. One plausible scenario is for the adversary to approach the platoon to join it and then fall behind to avoid visual detection. However, this strategy can be averted if the PoF is employed for continuous following verification.
To formally define the following property, we first give a definition of a route for a moving vehicle.
Route: A route of a moving object is represented as a set of time-ordered positions where each position is the object’s geospatial coordinate at time with , and for .
Based on the route definition, we now provide the definition of following.
Following: Let a verifier move on a route and a candidate move on a route . The candidate is said to follow verifier if the Euclidean distance between and for each time is bounded by
where is a desired following distance bound.
Proof-of-Following: A PoF is a protocol executed between a verifier and a candidate . If the candidate always follows (i.e., , ), outputs accept. If always does not follow (i.e., , ), outputs reject.
Note that our PoF definition is a relaxed one, as it only differentiates between the two extreme cases (always follows and never follows). The strictest PoF definition would output reject if the candidate does not follow at any of the time points (rather than all of them). We do not consider the partially-following cases in between. We argue that this is not necessary in real-world applications, since the partially-following adversary is not practical (as explained earlier). In addition, even for legitimate following vehicles, some error or brief violation of following should be tolerated (e.g., when vehicles are human-driven, or do not follow using a strict CACC algorithm).
Because of this, our PoF definition is not simply a repetition of distance bounding tests over the discretized route of a moving verifier. Note also that the definition places no restriction on the location sampling rate, which can be adjusted to the application scenario. Moreover, the definition does not specify the relative positioning of the two moving objects: the candidate can be anywhere around the verifier (leading or following). This keeps the definition general; it can be further restricted according to application requirements.
III A PoF Construct based on the RF Environment
III-A Main Idea
The chief idea of constructing our PoF primitive is to exploit the randomness of the continuously changing environment due to mobility to prove continuous vehicle proximity. The selected modality for perceiving the environment should satisfy two important criteria.
The environment should exhibit spatial and temporal decorrelation.
The environment should exhibit high entropy and should not be repeatable.
Several modalities such as sound, vision, and RF may meet the two criteria. For instance, ambient sound while travelling on a freeway decorrelates rapidly with distance. Moreover, it varies significantly with time at the same location.
We have opted to exploit both the spatial and temporal decorrelation of ambient wireless signals. Specifically, a legitimate candidate that closely follows the platoon observes an RF environment similar to the verifier’s, unlike a vehicle that is far from the platoon. Moreover, the RF environment changes unpredictably with time and location because of the constantly changing physical topology and the motion of other vehicles. The temporal variation (short channel coherence time) prevents an adversary from pre-recording ambient RF signals ahead of time and replaying them to a traveling platoon. The RF modality is also widely available outdoors, and vehicles will already be equipped with cellular receivers to support the C-V2X standard [secureV2X]. In our PoF, vehicles exploit the ambient RF signals transmitted by cellular base stations (eNBs) along the traversed route.
III-B Rationale and Feasibility Study
In this section, we conduct a feasibility study on exploiting large-scale fading as a PoF modality.
Why large-scale fading. Large-scale fading is the result of signal attenuation due to signal propagation through large distances and diffraction around large objects in the propagation path. The wireless signal propagation loss can be represented using the well-known log-distance path loss model [recommendation1997guidelines]:
where is the propagation loss (or large-scale fading), is the distance between the transmitter (TX) and receiver (RX), is the reference distance, is the media path loss at , is the path loss exponent, and is the shadow fading.
Since large-scale fading depends on the terrain configuration (including static and moving objects) between the TX and RX, it brings randomness and unpredictability as the vehicles move. At the same time, it is similar for two closely located vehicles that sense ambient RF signals from far-away cellular base stations, because the distance and diffraction paths from a base station to the two vehicles are approximately the same. Moreover, large-scale fading in mobile outdoor scenarios decorrelates more gracefully with distance and time than small-scale fading [gudmundson1991correlation, szyszkowicz2010feasibility]. By contrast, small-scale fading refers to rapid changes in the amplitude and phase of a radio signal over a short period of time (on the order of milliseconds) or a short distance (a few wavelengths) [grami2015introduction].
Several models have been proposed in the literature to capture the spatial decorrelation of large-scale fading [gudmundson1991correlation, senarath2007multi, szyszkowicz2010feasibility]. The exponential model is the one that has been most widely adopted [gudmundson1991correlation, recommendation1997guidelines, guan2015measurements]. In Fig. 3, let two moving vehicles and (separated by a distance ) simultaneously measure the large-scale fading from the same base station, denoted by and , respectively. The correlation between and is expressed as
where is a tunable parameter called the decorrelation distance, which depends on the physical environment [algans2002experimental, he2014shadow]. From this model, we expect the correlation to be relatively high for vehicles with distances smaller than , but to drop significantly for larger distances. Several values have been empirically determined for different mobile environments [algans2002experimental, he2014shadow].
Experimental validation. To validate the spatial and temporal correlation properties of large-scale fading, we collected measurements of LTE signals in a freeway environment, which is the most relevant for platooning applications. The data was collected by driving two vehicles and separated at different distances and simultaneously measuring the RSS from eNBs. (Since RSS in dB is the transmit power minus the path loss, and the transmit power is fixed and need not be known, measuring RSS is equivalent to measuring the fading.) The location and timestamp of each sample were also recorded to allow for time synchronization between and and for the computation of the distance separation. Figure 3 shows the topology used in the experiments, along with a sample realization of the measured large-scale fading and the correlation model in (2). The experimental setup is described in detail in Section IV-A. We tested the following two main hypotheses.
Spatial correlation decreases with distance. Here, we seek to verify the correlation model in [gudmundson1991correlation] and determine the decorrelation distance .
Temporal correlation decreases with time. Here, we seek to verify that the correlation of RF signals collected at the same location but different times decreases with the time difference.
To extract the large-scale fading and filter out the small-scale fading, we apply an -point moving average to RSS samples that are collected from LTE eNBs. Let denote RSS samples collected by vehicle . The -moving average for the -th RSS sample is given by
We then compute the Pearson’s correlation coefficient as the correlation metric, defined as:
where and are the mean values of the RSS moving average over RSS entries for and , respectively.
III-B1 Spatial Correlation Decreases with Distance
To validate this hypothesis, two vehicles were driven with following distance on a freeway at 30 mph. A total of 6,000 samples were collected at a sampling rate of 20 Hz for each (5 min duration). The samples were organized into subsets of 1,200 samples (1 min duration) and the correlation was computed over each subset, using a 40-point moving average.
Figure 4 shows the correlation averaged over all subsets as a function of the vehicle separation . Fitting the theoretical curve obtained from the exponential model in (2) yielded a decorrelation distance . This is of the same order as a typical platooning distance bound, indicating that correlation is a suitable metric for implementing the PoF primitive. Note that although the average correlation fits a deterministic model, the RSS samples used to compute the correlation change constantly with mobility and have high entropy (which we show in Appendix A).
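As an added illustration that is not part of the paper or its data, the following Python simulation reproduces the behaviour this subsection measures. It generates a synthetic shadow-fading track along a route under the exponential correlation model of (2) (assumed form: correlation exp(-d/d_c), with an assumed d_c = 50 m), samples it from two receivers separated by d metres, corrupts each receiver with independent small-scale fading, and then applies the N-point moving average and Pearson correlation defined above. The sampling geometry (20 Hz at 30 mph, about 0.67 m per sample) and the fading standard deviations (6 dB each) are assumptions chosen for illustration, not the paper's measured values.

```python
"""Spatial decorrelation of large-scale fading: an added simulation, not the
paper's code or data. Constructed input only; all constants are assumptions."""
import math
import random

D_C = 50.0          # assumed decorrelation distance d_c (m)
STEP_M = 13.4 / 20  # metres travelled per sample: 30 mph sampled at 20 Hz (assumed)


def shadow_track(n, rng, sigma=6.0, d_c=D_C, step=STEP_M):
    """AR(1) shadow fading along the route. Two samples k positions apart have
    correlation exp(-k*step/d_c), i.e. the exponential model of (2)."""
    a = math.exp(-step / d_c)
    x = [rng.gauss(0.0, sigma)]
    for _ in range(n - 1):
        x.append(a * x[-1] + math.sqrt(1 - a * a) * rng.gauss(0.0, sigma))
    return x


def moving_average(x, n):
    """Trailing N-point moving average (the small-scale fading filter of III-B)."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= n:
            acc -= x[i - n]
        out.append(acc / min(i + 1, n))
    return out


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    k = len(a)
    ma, mb = sum(a) / k, sum(b) / k
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)


def rss_pair(track, d_m, rng, sigma_small=6.0, step=STEP_M):
    """RSS seen by a verifier and by a candidate d_m metres behind it.

    Both sample at the same instants. The candidate is `lag` positions behind
    on the route, so at sample i it sees the shadow value the verifier saw at
    position i while the verifier is already at position i + lag. Each
    receiver adds its own independent small-scale fading (assumed i.i.d.)."""
    lag = int(round(d_m / step))
    n = len(track) - lag
    v = [track[lag + i] + rng.gauss(0.0, sigma_small) for i in range(n)]
    c = [track[i] + rng.gauss(0.0, sigma_small) for i in range(n)]
    return v, c


def spatial_correlation(d_m, window=40, n_samples=60_000, seed=1):
    """Pearson correlation of the two RSS sequences at separation d_m after an
    N-point moving average (window=1 means no smoothing)."""
    rng = random.Random(seed)
    track = shadow_track(n_samples + int(round(d_m / STEP_M)) + 1, rng)
    v, c = rss_pair(track, d_m, rng)
    if window > 1:
        v, c = moving_average(v, window), moving_average(c, window)
    return pearson(v, c)


if __name__ == "__main__":
    for d in (0, 10, 25, 50, 100, 150):
        print(f"d={d:4d} m  model={math.exp(-d / D_C):.2f}  "
              f"raw={spatial_correlation(d, window=1):.2f}  "
              f"MA40={spatial_correlation(d):.2f}")
```

Running it prints, for several separations, the model value, the correlation of the raw RSS and the correlation after a 40-point moving average. The raw correlation at d = 0 is pulled well below 1 by the independent small-scale components, which is why the smoothing step is needed, while the smoothed correlation follows the exponential model and drops toward zero beyond about three decorrelation distances.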
III-B2 Temporal Correlation Decreases over Time
To validate the temporal decorrelation hypothesis, we collected LTE samples over the same route at different times. We drove vehicles and in platoon over the same freeway segment and computed the correlation between the samples collected by the two vehicles, aligned to the same locations. That is, RSS samples were paired by location rather than by time, so that the time difference between paired samples equals the time separation of the two vehicles. The two vehicles moved at 30 mph with a fixed time difference ranging from 1 s to 9 s (13 m to 112 m). In the absence of CACC, a fixed separation was achieved by engaging the cruise control on both vehicles and performing many trial runs. Figure 5a shows the correlation as a function of the time difference between the two samplings of the same location. We observe that the temporal correlation drops to fairly low values after a few seconds. This is an important property for preventing pre-recording attacks, where the adversary traverses the platoon route ahead of time to collect historical RSS data and uses them to defeat PoF verification. Figure 5b shows the temporal correlation over a longer timescale.
From the experimental evaluation of the spatial and temporal correlation of large-scale fading, we conclude that it is a good candidate for differentiating a following vehicle: drops to low values for separations larger than the platooning distance (beyond 50 m) and also remains low between samples collected even a few seconds apart (in line with the typical channel coherence time of outdoor channels for large-scale fading).
III-C Proof-of-Following Protocol
Based on the above, the high-level idea of our PoF protocol is to compute the correlation between the smoothed RSS samples gathered by the candidate and the verifier (corresponding to large-scale fading) and compare it with a threshold . If the correlation followed the deterministic model in Eq. (2) exactly, then, given a required distance threshold , setting would make every vehicle following within pass the PoF test () and every other vehicle fail. However, the model in Eq. (2) describes the average correlation; in practice, individual correlation values fluctuate around the average as the environment/terrain changes while the vehicles move. A single test designed according to the correlation model therefore provides only a weak probabilistic guarantee of passing or failing at a given distance (the CDF of the correlation would be required), which may not be enough or desired. Thus, we opted to organize the RSS data into several shorter correlation tests instead of a single long test. Repeating the test is a standard mechanism for improving robustness for a valid candidate while driving the adversary’s probability of passing verification to zero.
Fig. 6 (protocol summary; symbols lost in extraction): parameters; decrypt REQ; decrypt REPLY; align; form; continuous following verification: repeat collection and verification.
III-C2 Protocol Details
We now present our PoF protocol based on the correlation of RSS samples. In PoF, the verifier verifies the following property of candidate . A PoF consists of four phases, namely initialization, collection, PoF verification, and continuous following verification. The steps of the PoF are shown in Fig. 6. Here, we assume that and have already mutually authenticated using their PKI credentials. Their public/private keys are further used to secure their message exchanges during the PoF.
A candidate sends a platoon join request message REQ to the verifier . The message is signed with and then encrypted with . The candidate prepends the verifier’s ID to REQ.
The verifier decrypts the message with and verifies the signature with . If verification passes, triggers a proof-of-following verification by sending a reply message REPLY. The message is signed with and then encrypted with . The message also contains a) the start and end times of RSS sampling, and b) the sampled frequency and sampling rate.
decrypts and verifies the signature of . It then records the start and end times of the collection phase. Loose clock synchronization is achieved via the GPS clocks of the two vehicles.
Collection phase. In this phase, and sample the agreed frequency at the agreed sample rate between the start and end times.
The verifier and the candidate simultaneously collect RSS samples and , respectively.
where is the RSS sample collected by vehicle at time .
The candidate reports his recording to the verifier signed and encrypted. The verifier decrypts and verifies the signature. If verification passes, it moves to the PoF verification phase.
PoF verification phase. In this phase, verifies the “following” claim of the candidate by computing the RF correlation between the reported RSS measurements and its own recorded measurements .
The verifier aligns and using the respective timestamps. This is done by aligning the first sample (the two vehicles use the same sampling rate). then updates the RSS sets and to
where each sample is time-aligned with sample
The verifier separates and into subsets of size samples. Let denote the -th subset of set .
The verifier compares each correlation value with a passing threshold . If a fraction () of the correlation values exceeds the passing threshold , the verifier ACCEPTS; otherwise, it REJECTS. That is, the verification test is passed if
where is the indicator function.
Continuous following verification phase.
If the candidate passes the PoF verification, it is accepted in the platoon. Continuous following verification can be achieved by repeating the collection and verification phases continuously.
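The verification phase above, as an added example that is not the paper's code: a stand-alone Python re-implementation of the verifier's decision after the collection phase. It time-aligns the two (timestamp, RSS) traces, smooths them with the N-point moving average, cuts them into M-sample subsets that overlap by half (the overlap follows the parameter selection in Section IV-B), runs one Pearson correlation test per subset pair, and accepts only if at least a fraction gamma of the tests exceed the threshold tau. The two traces are constructed rather than measured: a synthetic shadow-fading process for the verifier, and a candidate whose large-scale component is correlated with it at a chosen level, standing in for a close follower (0.85) and a following-afar vehicle (0.05); both carry independent small-scale noise and the candidate's clock starts a few samples late so that the alignment step has something to do. The values M = 600, N = 20, tau = 0.5 and gamma = 0.8 are illustrative assumptions, not the values selected in Section IV-B.

```python
"""PoF verification phase (Section III-C), re-implemented as an added example.

Not the paper's code. RSS traces are constructed, and the parameter values
(M=600, N=20, tau=0.5, gamma=0.8) are assumptions for illustration only."""
import math
import random


def moving_average(x, n):
    """Trailing N-point moving average (filters small-scale fading)."""
    out, acc = [], 0.0
    for i, v in enumerate(x):
        acc += v
        if i >= n:
            acc -= x[i - n]
        out.append(acc / min(i + 1, n))
    return out


def pearson(a, b):
    """Pearson correlation coefficient of two equal-length sequences."""
    k = len(a)
    ma, mb = sum(a) / k, sum(b) / k
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    va = sum((x - ma) ** 2 for x in a)
    vb = sum((y - mb) ** 2 for y in b)
    return cov / math.sqrt(va * vb)


def align(verifier, candidate):
    """Trim two (timestamp, rss) traces to their common time window and pair
    samples by index; valid because both sides agreed on the same sample rate."""
    t0 = max(verifier[0][0], candidate[0][0])
    t1 = min(verifier[-1][0], candidate[-1][0])
    v = [r for t, r in verifier if t0 <= t <= t1]
    c = [r for t, r in candidate if t0 <= t <= t1]
    k = min(len(v), len(c))
    return v[:k], c[:k]


def pof_verify(verifier, candidate, m=600, n=20, tau=0.5, gamma=0.8):
    """Verifier decision: returns (accept, per-subset correlation values)."""
    v, c = align(verifier, candidate)
    v, c = moving_average(v, n), moving_average(c, n)
    step = m // 2                 # consecutive subsets share half their samples
    starts = range(0, len(v) - m + 1, step)
    rhos = [pearson(v[s:s + m], c[s:s + m]) for s in starts]
    if not rhos:                  # fewer than m aligned samples: no test possible, reject
        return False, rhos
    passed = sum(1 for r in rhos if r > tau)
    return passed >= gamma * len(rhos), rhos


def ar1(n, rng, a=0.95, sigma=6.0):
    """Constructed large-scale fading process with exponential autocorrelation."""
    x = [rng.gauss(0.0, sigma)]
    for _ in range(n - 1):
        x.append(a * x[-1] + math.sqrt(1 - a * a) * rng.gauss(0.0, sigma))
    return x


def constructed_traces(shared, n=6000, fs=20.0, lag=6, seed=3):
    """Constructed verifier/candidate traces (5 min at 20 Hz, not measurements).

    The candidate's large-scale component is `shared` times the verifier's plus
    an independent process, so the two are correlated at level `shared`. The
    candidate's clock starts `lag` samples later; both add i.i.d. small-scale noise."""
    rng = random.Random(seed)
    env_v, env_other = ar1(n + lag, rng), ar1(n + lag, rng)
    w = math.sqrt(1 - shared * shared)
    verifier = [(i / fs, env_v[i] + rng.gauss(0.0, 4.0)) for i in range(n)]
    candidate = [((i + lag) / fs,
                  shared * env_v[i + lag] + w * env_other[i + lag] + rng.gauss(0.0, 4.0))
                 for i in range(n)]
    return verifier, candidate


if __name__ == "__main__":
    for label, shared in (("close follower", 0.85), ("following afar", 0.05)):
        ok, rhos = pof_verify(*constructed_traces(shared))
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} "
              f"({sum(1 for r in rhos if r > 0.5)}/{len(rhos)} tests passed)")
```

The decision is deliberately a fraction of passing subsets rather than a single long-window correlation: one subset with a low value (a bridge, an underpass, a lane change) does not fail a legitimate follower, while a following-afar candidate would need most of its subsets to exceed tau, which the spatial decorrelation makes overwhelmingly unlikely. Note also the explicit reject when the candidate reports too few samples for even one test; silently accepting an empty test set would be the obvious bypass.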
In this section, we evaluate the correctness and soundness of the PoF verification. We first describe our experimental testbed, we demonstrate how to select the test parameters, and then present experimental results in freeway, urban, and highway environments.
To evaluate the PoF verification protocol, we developed two setups based on the NI USRP platform [NI]. The first setup was employed in the freeway and urban driving experiments, whereas the second setup was employed in the highway driving experiments.
Setup 1. We used a Nissan Sentra and a BMW X5 acting as the verifier and the candidate , respectively. The two vehicles had cruise control capabilities (not adaptive), but were otherwise manually operated.
We placed the equipment shown in Fig. 7 in the trunk of each vehicle. A USRP N200 radio was connected to a VERT900 antenna and programmed to implement an OFDM receiver for LTE signals. It operated at 1.972 GHz with a 4 MHz bandwidth, the frequency used for personal communications service (PCS) in LTE. We set the receive gain to 10 dB and the sample rate to 20 Hz. A Razer Blade Stealth laptop was connected to the USRP to record the RSS data. The laptop was also connected to a GPS receiver to record positioning information; the GPS device recorded latitude, longitude and time at a 5 Hz sampling rate. The RSS and GPS data were synchronized via the laptop clock.
Setup 2. In setup 2, we formed a two-vehicle platoon for driving in a highway environment. Here, the verifier (Honda Pilot) led the platoon with cruise control engaged, whereas the candidate (Toyota RAV-4) followed the verifier with adaptive cruise control engaged. The candidate vehicle is equipped with a LiDAR to measure the distance to the lead vehicle, which allowed easier and more accurate control of the separation between the two vehicles at highway speeds. Although setup 2 is superior to setup 1 from a platooning perspective, it was not always available to us for experiments that spanned many hours and days, so we limited it to the highway experiments, where maintaining a constant distance presents more challenges.
The data collection setup was identical to that of Setup 1, except that the center frequency was set to 875 MHz with a 4 MHz bandwidth and the receive gain to 20 dB. The new frequency was selected based on the signal availability in the part of the highway where the experiments were conducted.
Table I (PoF test parameters; symbols lost in extraction): number of samples in each subset; moving average window size; number of RSS subsets, correlation values, and correlation tests; passing threshold for a single correlation test; fraction of correlation tests that must pass for PoF verification; passing rate of a single correlation test achieved by a given vehicle; passing rate of the correlation tests achieved by that vehicle.
IV-B PoF Test Parameter Selection
The PoF test is controlled by the selection of the , , , , and parameters. For clarity, we summarize the definitions of these parameters in Table I. In this section, we show how to select these parameters in practice and then evaluate the PoF protocol in three driving environments.
To select and , we performed experiments on a freeway section of length 1.4 miles using Setup 1. The particular section was not accessible to other traffic and was located next to a highway. This presented an ideal situation for controlling the separation between the candidate and the verifier. The two vehicles were driven at 30Mph over multiple runs and at different separations . We collected RSS data using the radio testbed and processed the collected data using various test parameters.
Selecting . The subset size determines the number of samples used in a single correlation test. It must be long enough to ensure that the RSS values exhibit high correlation, but should not prolong the completion of the PoF verification. We experimented with computing the correlation for different lengths . For each , we reuse the second-half samples of each subset as the first-half samples of the following subset, to reduce the number of required samples and the test duration. Figure 8a shows as a function of the separation distance between the candidate and the verifier. Generally, when a larger is selected, the correlation increases (except for ranges over 90m, where the two RSS sequences are uncorrelated, so does not play a significant role). From Fig. 8a, we can see that beyond the gains in correlation are relatively small compared to the required increase in the number of samples. Without loss of generality, we fix in each subset for all the following evaluations. As above, we reuse the second half of the samples of each subset in the following subset to reduce the test duration.
Selecting . The length of the moving average window determines how well small-scale fading is removed from the RSS data. Intuitively, a larger window leads to a more stable moving average and a higher correlation , but the moving average also becomes more predictable. In Fig. 8b, we show the correlation as a function of the separation distance for different values of . As expected, we observe an increase in correlation with for smaller distances, whereas the impact of is small for large distances because the two RSS sequences become uncorrelated. Moreover, the increase in correlation diminishes after . Based on these observations, we selected a 20-point moving average window for all further evaluations.
Selecting , , and . Let denote the probability of passing a single correlation test when an RSS subset is used to compute . This probability depends on the selection of and the following distance . For a total of tests, a PoF is passed if Assuming independent tests due to the use of different subsets, the probability of passing a PoF verification consisting of correlation tests is
Let denote the probability of passing the PoF verification for a valid candidate and the passing probability for an adversary . Probability is derived from Eq. (5) by substituting the probability of passing a single correlation test at , given the selection of Similarly, is derived from Eq. (5) by substituting the probability of passing a single correlation test at some distance , The equal error rate () is defined as
The first step in determining the minimum is to select To understand the interplay between , and the PoF passing rate , we generated the PDF of the correlation for three representative following distances. The respective PDFs are shown in Fig. 8c. From the PDF, one can select a desired to satisfy a required passing rate for valid candidates for a given For instance, we chose for and for The distance of is representative of a following-afar adversary.
Given , we performed an exhaustive search over the two remaining free variables and to minimize the . Here, we limit to 40 to ensure that a PoF test adheres to a time limit, and also limit such that takes integer values between 1 and . Figure 8d shows the as a function of the total number of correlation tests , when the optimal is selected. As expected, the decreases with and eventually reaches very small values. Here, a that satisfies a desired requirement can be selected at the expense of the PoF test duration. For the freeway experiments, we have selected a value of
An alternative method for selecting and under a fixed is to first determine two following distances from the platooning requirements. The first distance is that of the valid candidate, namely , whereas the second is that of the afar adversary that we try to defend against. We then compute the threshold for a single correlation test from the exponential model in Eq. (2) by setting . Once is fixed, we select to maximize the gap between the passing rate of a valid candidate and the passing rate of the adversary. Given that the average correlation model may not hold for all driving environments, we opted to use the exhaustive search method to explore the performance of the PoF.
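As an added example (not the paper's code), the following Python implements the PoF test described above: the moving average, half-overlapping correlation subsets, the binomial passing probability of Eq. (5), and the exhaustive search over the number of tests and the required number of passes. The subset size of 100, window of 20, threshold 0.6, the EER taken as the mean of the false-reject and false-accept rates, and the RSS traces are all constructed assumptions, since the page's own values did not survive extraction.

```python
import math


def moving_average(rss, window):
    """Trailing moving average over `window` samples (suppresses small-scale fading)."""
    return [sum(rss[i - window + 1:i + 1]) / window
            for i in range(window - 1, len(rss))]


def pearson(x, y):
    """Sample Pearson correlation; returns 0.0 when either input is constant."""
    n = len(x)
    mx, my = sum(x) / n, sum(y) / n
    sxy = sum((a - mx) * (b - my) for a, b in zip(x, y))
    sxx = sum((a - mx) ** 2 for a in x)
    syy = sum((b - my) ** 2 for b in y)
    return sxy / math.sqrt(sxx * syy) if sxx > 0 and syy > 0 else 0.0


def samples_required(subset_len, num_tests):
    """Averaged samples needed for K tests when each subset reuses the second half of the previous one."""
    return subset_len + (num_tests - 1) * (subset_len // 2)


def correlation_tests(ma_verifier, ma_candidate, subset_len, threshold, num_tests):
    """Run K correlation tests on half-overlapping subsets; returns one pass/fail per test."""
    needed = samples_required(subset_len, num_tests)
    if min(len(ma_verifier), len(ma_candidate)) < needed:
        raise ValueError("need at least %d averaged samples" % needed)
    step = subset_len // 2
    results = []
    for k in range(num_tests):
        lo, hi = k * step, k * step + subset_len
        rho = pearson(ma_verifier[lo:hi], ma_candidate[lo:hi])
        results.append(rho >= threshold)
    return results


def pof_passed(results, min_pass):
    """PoF verdict: at least min_pass of the K correlation tests must pass."""
    return sum(results) >= min_pass


def pof_pass_probability(p_single, num_tests, min_pass):
    """Eq. (5): P(at least min_pass of K independent tests pass) for per-test pass probability p."""
    return sum(math.comb(num_tests, j) * p_single ** j * (1 - p_single) ** (num_tests - j)
               for j in range(min_pass, num_tests + 1))


def search_min_eer(p_valid, p_adv, max_tests):
    """Exhaustive search over K <= max_tests and 1 <= min_pass <= K.
    EER is taken here as the mean of the false-reject and false-accept rates (assumption).
    Returns (eer, K, min_pass)."""
    best = None
    for K in range(1, max_tests + 1):
        for m in range(1, K + 1):
            frr = 1.0 - pof_pass_probability(p_valid, K, m)   # valid candidate rejected
            far = pof_pass_probability(p_adv, K, m)           # adversary accepted
            eer = (frr + far) / 2.0
            if best is None or eer < best[0]:
                best = (eer, K, m)
    return best


def constructed_traces(n=600):
    """Constructed RSS traces in dB (not measurements). The verifier and the close candidate
    share one slow large-scale profile; the candidate adds a small-scale ripple and a 3 dB
    offset. The adversary trace has an unrelated, faster profile standing in for
    uncorrelated fading at a large distance."""
    verifier = [-70.0 + 10.0 * math.sin(2 * math.pi * i / 400) for i in range(n)]
    candidate = [v - 3.0 + 0.5 * math.sin(2 * math.pi * i / 3) for i, v in enumerate(verifier)]
    adversary = [-75.0 + 10.0 * math.sin(2 * math.pi * i / 25) for i in range(n)]
    return verifier, candidate, adversary


def run_demo(subset_len=100, window=20, threshold=0.6, num_tests=5, min_pass=4):
    """Returns (candidate verdict, adversary verdict, candidate passes, adversary passes)."""
    v, c, a = constructed_traces()
    mv = moving_average(v, window)
    res_c = correlation_tests(mv, moving_average(c, window), subset_len, threshold, num_tests)
    res_a = correlation_tests(mv, moving_average(a, window), subset_len, threshold, num_tests)
    return pof_passed(res_c, min_pass), pof_passed(res_a, min_pass), sum(res_c), sum(res_a)


if __name__ == "__main__":
    print("verdicts (candidate, adversary, passes):", run_demo())
    print("min EER (eer, K, min_pass):", search_min_eer(0.9, 0.1, 10))
```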
IV-C Evaluation of PoF on the Freeway
For the freeway experiments, we employed Setup 1, with the two vehicles driving at approximately 30 Mph. Because the specific freeway section was closed, we were able to control the following distance between the two vehicles. We drove the vehicles at following distances between 10 m and 115 m.
Based on the parameter selection discussed in the previous section, we set , and . We then performed an exhaustive search to find the optimal threshold values and that minimize the . Figure 9 shows the minimum EER for different values of the valid following distance when the adversary follows at 90m. The optimal values of and that minimize the for each following distance are also shown. First, we observe that our method achieves a fairly low . Moreover, the optimal and do not vary significantly with the change of .
In Fig. 10, we show the PoF passing rate as a function of the following distance for the optimal and values obtained from minimizing the . When a candidate is within a following distance of 10m-40m, the passing rate is close to 1. The passing rate drops to zero for distances larger than 90m. The method leaves a “guard” zone between 40m and 90m where the passing rate is between 0.2 and 0.4. This zone cannot be considered secure, as an adversary following in this zone could pass a PoF test with non-negligible probability. This is because the correlation degrades gracefully with distance and does not exhibit a step-function type of behavior.
Ideally, for any environment, we would estimate the distribution of with distance and set accordingly. However, in practice, the distance between two vehicles is difficult to control due to traffic, especially in urban and highway areas, which prevents us from selecting from the CDF of . Instead, we evaluate PoF for a given distance bound, from which we select based on the statistical relationship between the passing rate of a single correlation test and the threshold . After that, and can be chosen to minimize the . For all the following results, we use 30% of the experimental data as a training sequence for parameter selection and the remaining 70% for testing.
IV-D Evaluation of PoF in an Urban Area
For the urban area experiments, we used Setup 1 to drive the two vehicles along a 2.5-mile city route. Except for stops at red lights, the vehicles ran at speeds up to 40Mph and always followed each other. Figure (a)a shows the following distance over time. The following distance was fairly stable, with an average of about 11 meters. Since the mixed traffic did not allow us to precisely control the following distance , we did not obtain the PDF of the correlation for different distances as we did for the freeway experiments. Instead, we selected the optimal values of , , and by minimizing the .
IV-D1 Parameter Selection
Selecting . According to Sec. IV-B, the single-test passing rates for and should satisfy and , respectively. To select the threshold , we first plot and as functions of the single-test correlation threshold , based on our experimental data (Fig. (a)a). From this we set the range of to be , in order to satisfy and .
Selecting and . Recall that we use tests and a fraction of passing tests to drive the probability of successful verification for the candidate vehicle and an adversary to one and zero, respectively. In Fig. (b)b, we show the minimum for against the corresponding . Values of are shown in Fig. (c)c. We can see that with the corresponding and minimizes the .
IV-D2 Remote adversary
In the following, we show results for a remote adversary who pre-records RSS data on the known platoon route and replays it to pass the PoF verification. We let the Nissan Sentra serve as the remote adversary by pre-recording RSS 70 minutes ahead of the platoon on the same route. The parameters selected above were then used in all PoF verification test sets. Each test set outputs accept or reject after 19 correlation tests. We ran the PoF test multiple times (continuous verification) and calculated the PoF test passing rate. In Fig. (d)d, we show the PoF passing rate versus the number of correlation tests . For each , the PoF passing rate was computed over 10 PoF runs. We observed that the PoF passing rate for increases with the number of correlation tests, while it decreases for . After 19 correlation tests, achieved a PoF passing rate, and the verifier rejected the adversary (). This shows that in an urban environment, our PoF protocol can successfully differentiate a legitimate candidate from a remote adversary.
IV-D3 Following-afar adversary
We then evaluate the performance of PoF against a following-afar adversary, who follows the platoon from far away and tries to pass the verification by transmitting RSS data recorded in real time. This adversary was realized by the Nissan Sentra driving at least 125 meters behind the leading vehicle. Due to the presence of traffic lights on the city streets, the distance between and varied during the experiment, as shown in Fig. (b)b, where was 125 meters on average.
We selected the parameters with training sets collected with the following-afar adversary, following the same steps as in Sec. IV-D1, and show the details in Fig. 13(a)-(c). Similarly, we plot the convergence curve of the PoF passing rate for and over 15 PoF verifications in Fig. (d)d. Again, we can see that PoF is secure against the following-afar adversary. We also observe that the PoF passing rate under this parameter selection converges faster than under the remote adversary.
IV-E Evaluation of PoF on the Highway
We ran experiments in a highway environment using Setup 2. The two platoon vehicles drove 6.4 miles in 6 minutes along a heavy-traffic route. The distance between the verifier and the candidate was quite stable (Fig. (c)c), with a 53.4m average.
IV-E1 Remote adversary
We drove the Nissan Sentra to pre-record the RSS on the same route as the legitimate platoon. Due to the high speed on the highway, the channel varied much more rapidly than in urban areas. Therefore, for this experiment, we pre-recorded the RSS data 40 minutes ahead of time to mimic a remote adversary. The results of the parameter selection are plotted in Fig. 14a-c, where we selected , and . In Fig. (d)d, we show the convergence curve of the PoF passing rate for both and over 13 PoF runs, where the legitimate candidate was verified with certainty for and the remote adversary was always detected for , respectively.
IV-E2 Following-afar adversary
Next, we evaluated the following-afar adversary. The adversary followed the verifier at a distance of at least 100m. The following distance trace is shown in Fig. (d)d. The average following distance was 250m and varied significantly due to heavy highway traffic. The results of the parameter selection are shown in Fig. 15(a)-(c). We selected , , and . The PoF passing rate averaged over 10 runs is shown in Fig. (d)d, where we observe that and when and , respectively. We can see that the PoF yields better performance against the following-afar adversary (lower EER and faster convergence of the PoF passing rate) than against the remote adversary, mainly because the distance between the verifier and the adversary is larger on the highway and the vehicles travel at high speeds.
IV-F Evaluation of RSS Randomness
Another approach for a remote adversary is to predict real-time RSS data from pre-recorded data. We use approximate entropy to evaluate the randomness of the moving average values used to compute the correlation. Approximate entropy is preferred to sample entropy because it is a more accurate randomness measure when the number of samples is limited [pincus1991approximate]. We calculate the approximate entropy of following the standard steps in [richman2000physiological, chou2014complexity]. For the two parameters and required for the approximate entropy calculation (i.e., the length of the compared runs of data and the similarity criterion, respectively), we use the typical values and as done in [chou2014complexity], where is the standard deviation of . The for the urban and highway environments is 0.4730 and 0.3088, respectively. The of a perfectly repeatable time series is about 0 [yentes2013appropriate], and is around 0.6 for binary expansions of some common irrational numbers [rukhin2000approximate]. Hence, our results indicate that the large-scale fading in dynamic traffic is sufficiently random and unpredictable. Furthermore, it would be difficult for the attacker to pass the verification by predicting the RSS measurements of the verifier .
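As an added example (not the paper's code), the following Python computes the approximate entropy of a moving-averaged sequence following Pincus's definition, with self-matches counted. The run length of 2 and the similarity criterion of 0.2 times the standard deviation are the values customarily used with this measure; since the page's own values did not survive extraction they are assumptions here, as are the constructed input series.

```python
import math


def moving_average(rss, window):
    """Trailing moving average over `window` samples, as applied to the RSS before correlation."""
    return [sum(rss[i - window + 1:i + 1]) / window
            for i in range(window - 1, len(rss))]


def std(x):
    """Population standard deviation."""
    mean = sum(x) / len(x)
    return math.sqrt(sum((v - mean) ** 2 for v in x) / len(x))


def _phi(u, m, r):
    """Phi_m(r): mean log of the fraction of length-m templates within Chebyshev distance r of each template."""
    templates = [u[i:i + m] for i in range(len(u) - m + 1)]
    total = 0.0
    for a in templates:
        # The self-match is counted, as in Pincus's original definition.
        count = sum(1 for b in templates
                    if max(abs(p - q) for p, q in zip(a, b)) <= r)
        total += math.log(count / len(templates))
    return total / len(templates)


def approximate_entropy(u, m=2, r_factor=0.2):
    """ApEn(m, r) = Phi_m(r) - Phi_{m+1}(r) with r = r_factor * std(u).
    Near 0 for a perfectly repeatable series; larger for irregular series."""
    if len(u) <= m + 1:
        raise ValueError("series too short for the chosen m")
    r = r_factor * std(u)
    return _phi(u, m, r) - _phi(u, m + 1, r)


def periodic_series(n, period=3):
    """Constructed perfectly repeatable series: 0, 1, 2, 0, 1, 2, ..."""
    return [float(i % period) for i in range(n)]


def lcg_series(n, seed=12345):
    """Constructed irregular series in [0, 1) from a linear congruential generator
    (deterministic, so the result is reproducible)."""
    out, x = [], seed
    for _ in range(n):
        x = (1103515245 * x + 12345) % 2 ** 31
        out.append(x / 2 ** 31)
    return out


def rss_entropy(rss, window=20):
    """ApEn of the 20-point moving average of an RSS trace, the quantity the paper evaluates."""
    return approximate_entropy(moving_average(rss, window))


if __name__ == "__main__":
    print("periodic :", round(approximate_entropy(periodic_series(300)), 4))
    print("irregular:", round(approximate_entropy(lcg_series(300)), 4))
    print("smoothed :", round(rss_entropy(lcg_series(320)), 4))
```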
IV-G Duration of the PoF Protocol
The duration of each PoF protocol run includes the time for both vehicles to collect RSS measurements, the message transmission, and the PoF test computation at the verifier, of which the RSS data collection dominates. The number of RSS samples needed for the test is determined by the parameters we select. Since we reuse RSS samples across two consecutive subsets, it requires RSS samples to complete correlation tests, which takes seconds of data collection. For the two types of adversary in the urban and highway environments, we fixed , , and our sampling rate was 20Hz. Therefore, about 200 seconds are required for each PoF protocol run. This is a reasonable cost, as vehicle platoons are intended to travel for relatively long periods of time.
V Related Work
Physical context verification for connected vehicles/platoons. Specific to vehicular applications, various methods have been proposed to verify the claimed physical properties of vehicles [Nguyen2019Physical, so2019physical, Nguyen2020Enhancing, Kamel2020Simulation, sun2017data, sun2020svm]. Examples include secure localization/tracking [Nguyen2020Enhancing] and motion verification approaches [sun2020svm, sun2017data], which check the consistency of a vehicle’s claim with other measurable features of wireless signals (e.g., Angle-of-Arrival or Doppler shift). However, the problem of misbehavior detection is different from platoon membership verification, and verifying the exact location of a vehicle may be too taxing.
The works closest to ours are those directly addressing platoon membership authentication [han2017convoy, juuti2017stash, vaas2018get]. Han [han2017convoy] leveraged the physical context to authenticate a new candidate. They observed that platooning vehicles will record similar vertical accelerations due to uneven road conditions. However, this approach does not prevent record-and-replay attacks, since the road surface condition rarely changes. Vaas [vaas2018get] and Juuti [juuti2017stash] used the driving trajectory as a proof of platoon membership, comparing a candidate vehicle’s future route with that of a trusted vehicle in the platoon. After being promoted to a co-present vehicle, the platoon then authenticates its V2V messages. However, the trajectory can be predictable, especially by a following-afar adversary. Compared with the above works, our scheme can defend against both replay and following-afar attacks.
Distance bounding. In distance (upper) bounding (DB) [brands1993distance, hancke2005rfid], a verifier interacts with a prover to obtain assurance that the prover is at a distance of at most from the verifier. The general idea of a DB construction is to combine a challenge-response protocol for authentication with a round-trip time measurement in a fast bit exchange to bound the distance between and . This binds the prover’s digital identity to its physical location. A DB protocol typically prevents distance fraud, which involves a malicious prover who wants to reduce its apparent distance to the verifier. Other types of attacks considered by DB protocols include mafia fraud (relay attack) and terrorist fraud (collusion attack) [Avoine2018survey].
PoF is related to DB in the sense that the latter can be used to achieve PoF by applying DB repeatedly. This can achieve the strongest form of PoF, i.e., differentiating an always-following vehicle from one that is not always following within the distance threshold. However, a major challenge for implementing DB in practice is that it requires advanced hardware to reduce the processing time if the RF modality is used (since EM waves travel at the speed of light) [rasmussen2010realization], and other modalities (such as acoustic or ultrasound) require out-of-band channels or hardware interfaces [hancke2005rfid]. This makes DB difficult to adopt in practice.
In contrast, our PoF definition is a relaxed form of continuous proximity verification, as we only aim to differentiate an always-following vehicle from an always-non-following adversary. Correspondingly, our PoF protocol construction is very low cost: it relies only on sensing in-band RF signals and is therefore compatible with commercial off-the-shelf devices.
Physical context-based proximity verification. The underlying idea of context-based proximity verification is to leverage common context that is observable by two or more devices in close proximity to establish a shared secret and authenticate the devices, while an adversary located far away cannot obtain a similar context. Works in this domain can be divided into two broad categories: in-band (using the RF modality) and out-of-band (other modalities) methods. The former leverage the properties of small-scale fading of wireless signals to verify the co-presence of devices (e.g., [mathur2011proximate, shi2013bana, wu2018survey]). Small-scale fading is mainly caused by multi-path distortion of wireless signal propagation, which typically decorrelates within half a wavelength to a few wavelengths (e.g., the wavelength is 12.5cm at 2.4GHz). Thus, the applications they consider are mainly indoor/static settings or confined environments, which makes them unsuitable for vehicle platoons.
On the other hand, out-of-band methods use a variety of modalities, such as ambient luminosity [miettinen2014context], audio [schurmann2011secure], etc. While they do not have the limited proximity range of small-scale RF fading, they require the devices to possess the same sensing hardware. Recently, the problem of context-based device pairing for heterogeneous Internet of Things (IoT) devices was studied by Han [han2018you] and Li [li2020t2pair], where devices may not share the same sensing interface. However, one challenge of all out-of-band approaches is that the sensing modality may lack enough entropy. In contrast, we leverage the large-scale wireless fading, which only requires a common RF interface, is easy to measure, is constantly changing, and is suitable for typical following distances in vehicle platoons.
VI Future Directions
VI-A Verification of Other Physical Properties
Our current PoF construct verifies the continuous following of vehicles within the following distance. For strict platooning membership verification, additional physical properties need to be verified. These include the relative positioning of the platoon members and lane restrictions. It is possible to extend our PoF construction to verify these properties. For example, to verify the relative position of a vehicle, we can leverage two vehicles already accepted by the platoon (called vehicles A and B). Assume vehicle C wishes to prove that it is located between A and B. C can send its RSS samples to both A and B, which simultaneously use the PoF (with the same ) to verify that C is in their proximity, thus proving that C is located in the intersection of A's and B's proximity ranges. If C is following behind A and B, this can also be proved if is in the range of but not , or by repeating tests with different , as the following distance threshold is adjustable in our scheme by changing .
Verifying that vehicles travel in the same lane is more challenging. The method in [han2017convoy] used acceleration measurements to capture road surface variations for lane verification, but it is susceptible to pre-recording attacks, as the surface does not change drastically over time. In the RF domain, one can use other features extractable from wireless signals, such as the angle-of-arrival (AoA) and the Doppler shift. With multi-antenna receivers, which may become standard with the advent of 5G, a verifier vehicle can use beamforming to determine the AoA of the signal arriving from a candidate. If the latter is following closely in the same lane, it implies that the AoA is either or . AoA has previously been adopted to verify the directions of incoming signals from devices to enhance WiFi security [xiong2013securearray, xiong2010secureangle], as well as in vehicular networks for secure motion verification [sun2020svm]. It is very difficult for an adversary that is not in the correct direction to spoof the AoA of its own signal (without deploying artificial reflectors), and a high-mobility scenario makes it nearly impossible.
If only a single-antenna transceiver is available, one can exploit the Doppler shift (DS), which reflects the relative speed. If the candidate follows the verifier closely at the same speed and in the same lane, it should be able to measure a similar DS from the V2V signals of other vehicles traveling in the same or the opposite direction. A vehicle in another lane would not measure the same DS due to the different angles.
VI-B PoF from Other Sensing Modalities
A very interesting problem to explore is constructing a PoF protocol from other sensing modalities or using a multi-modal approach. Visible light and sound are good candidates due to their high attenuation with distance. Since ambient light or sound may not contain enough entropy in all driving environments, the verifier vehicle could artificially amplify the randomness with dedicated sources (e.g., periodically displaying random pictures on an LCD screen attached to the rear of the vehicle, with the candidate vehicle capturing these images via a camera). A far-away vehicle would not be able to capture the same picture at high resolution and would thus fail the PoF test.
Cameras can also be used to capture the ambient physical environment as the platoon travels on the road. Imagine a verifier and a candidate traveling on the same highway. Using cameras, they should be able to capture, analyze and cross-correlate images of transient environment features. For instance, the two vehicles could capture, and timestamp, images of a passing semi-truck (moving element) together with some static feature in the background (building, tree, billboard, etc.). This ensures that the two vehicles see the same physical environment at the same location and time, and thus must be co-traveling within the following distance.
Another approach is to measure the following distance using LiDAR. The verifier could randomly perturb the following distance by subtly accelerating and braking. A valid candidate would be able to accurately measure the distance changes and report them to the verifier. If both parties agree on the perturbations, the PoF test is passed. We will explore these extensions in future work.
We proposed a novel security primitive called Proof-of-Following (PoF) that binds the physical property of “following” to the candidate vehicle’s digital identity. Our PoF protocol allows a candidate vehicle to continuously prove to a verifier vehicle that it follows the verifier within the typical platooning distance. We exploited the large-scale wireless fading from cellular towers as an easy-to-measure signal that correlates the motions of the vehicles. Our approach has a remarkable advantage in hardware requirements, as only the RF modality is required, which is widely available in outdoor environments. We conducted extensive real-world experiments in freeway, urban and highway environments to evaluate the performance and security of our PoF protocol. Results showed that PoF is resistant to both pre-recording and following attacks with overwhelming probability and robust performance.
Appendix A RSS Trace Samples
An important security aspect of using the RF modality to construct a PoF is the unpredictability of the RSS samples. In this section, we show visually that the RSS samples used to compute the correlation are constantly changing with mobility and have high entropy. We start by showing the RSS samples obtained in static scenarios, followed by those collected in mobile scenarios.
A-A RSS Traces in a Static Outdoor Scenario
We parked two vehicles and at the roadside of a freeway. The two vehicles were separated by a distance . The receivers on the two vehicles were initialized simultaneously with the same configuration (center frequency, bandwidth, sampling rate, etc.) to simultaneously record the RSS of signals from the same cellular tower. In Fig. 16, we show traces of 1,200 RSS samples after taking a 20-point moving average, when is 25m and 250m, respectively. We can observe that when the two vehicles are closer, the RSS samples they collect are more similar. Moreover, even in this static scenario, the RSS samples change due to the dynamic outdoor environment.
A-B RSS Traces in a Mobile Outdoor Scenario
We further collected RSS samples in a mobile scenario. We drove the two vehicles in a highway environment at 65Mph. We collected RSS samples using the same method as in the static case. Figure 17 shows the 20-point moving average of 1,200 RSS samples recorded at the two vehicles when they are separated by average distances of m and m, respectively. We considered a larger initial following distance (m), as it is the minimum safe distance on the highway (i.e., the two-second safe distance). Similarly, the RSS samples appear more similar when the two vehicles are close and appear uncorrelated at a larger distance.