Privacy Issues in Vehicular Ad Hoc Networks

Florian Dotzer

BMW Group Research and TechnologyHanauerstrasse 46

80992 Munich, Germanyflorian.doetzer@bmw.de

Abstract. Vehicular Ad hoc NETworks (VANETs) demand a thoroughinvestigation of privacy related issues. On one hand, users of such net-works have to be prevented from misuse of their private data by author-ities, from location profiling and from other attacks on their privacy. Onthe other hand, system operators and car manufacturers have to be ableto identify malfunctioning units for sake of system availability and secu-rity. These requirements demand an architecture that can really manageprivacy instead of either providing full anonymity or no privacy at all.In this paper we give an overview on the privacy issues in vehicular adhoc networks from a car manufacturer’s perspective and introduce anexemplary approach to overcome these issues.

1 Introduction

A mobile ad hoc network (MANET) consists of mobile nodes that connectthemselves in a decentralized, self-organizing manner and may also estab-lish multi-hop routes. If the mobile nodes are cars this is called VehicularAd Hoc Network (VANET). The main difference between VANETs andMANETs is that the nodes move with higher average speed and the num-ber of nodes is assumed to be very large1. Apart from that, VANETs willbe operated or at least rolled-out by multiple companies and the nodesbelong to people within different organizational structures.

One important property that characterizes both MANETs and VANETsis that they are self-organizing and decentralized systems. Successful ap-proaches for security and privacy therefore must not rely on central ser-vices or mandatory connections to some fixed infrastructure. However, asconnections to central authorities may not be completely inevitable, weassume that in some exactly specified situations such as during produc-tion or regular maintenance processes, a car would have access to centralservices.1 At the moment, there are in the order of some hundreds of millions of cars registered

worldwide.

1.1 Applications for VANETs

Fig. 1. Local Danger Warning

One of the most promising applications in the various car manufactur-ers’ activities are local danger warning messages. In Fig. 1 you can see asimple example of such a system. The idea is that cars can generate mes-sages about safety related events, such as accidents, road conditions, theirown behaviour (e.g. emergency braking) and so on. These messages willthen be distributed using wireless communication systems to neighboringcars. If there are no immediate neighbors, cars may also store messagesand deliver them by moving along the road until new communicationpartners are found. The cars’ systems can therefore gather informationthat is relevant for their human drivers. The drivers can then be informedabout relevant events, depending on context and situation.

Safety related events are quite different in the way they can be de-tected, as pointed out in [1]. First, there are events that can be detected bya single car’s sensors. In that case local sensor information is aggregatedand if there is a matching event, a message will be sent out.2 Second,there are events such as traffic jams, that may not be detected by a singlecar, but if multiple cars’ position information is aggregated, a car mayconclude that it is in or before a traffic jam. In this example, it is easy tounderstand, that matching the information is critical for reliability, butmay also affect privacy.

2 This is on a logical level. In our system, the number of messages related to one eventdepends on different environment parameters.

Other applications are more related to entertainment, media and non-safety information. For example car-to-car messaging, information down-load at gas stations or public hotspots, and car-to-car information ex-change such as points of interest. Some of these applications will be free,while others would require a service subscription or a one-time payment.

In the context of privacy it is important to mention that in order tooperate such a network it seems inevitable that nodes exchange neigh-borhood information on a regular basis. Every node will once in a whilesend a hello beacon, containing at least an identifier, a timestamp basedon a global system time3 and its position.

1.2 VANET Privacy in Research Projects and Standardization

Currently, there are some car-to-car network research projects which haveoperational prototypes, such as FleetNet [2], Carisma [3] and VSC. How-ever, only the VSC project dealt with security, where privacy has onlybeen a minor issue. Out of the ongoing funded research projects, such asVSC-2, NOW, Prevent, Invent VLA, etc. only NOW and VSC-2 madeconsiderable efforts to accomodate privacy so far. Nevertheless, securityand privacy are enabling technologies for the applications those projectsenvision. The Car-to-Car Communications Consortium, which has beenfounded recently, aims at standardizing car-to-car communications. Itstrongly encourages privacy enhancing concepts in this context. Otheractivities, such as IEEE’s P1556 working group, have been raising secu-rity and privacy concerns and standards bodies like ISO’s TC204/WG16are discussing privacy now.

It seems that privacy has been recognized as an enabler for VANETs.But we are still lacking appropriate technologies and architectures toaccomodate the requirements.

In section 2 we will outline several problems related to privacy inVANETS. In section 4 we will present one potential solution and evaluateits advantages and disadvantages. Section 3 will point to related work. Insection 5 we will discuss open points and conclude in section 6.

2 Privacy Issues

2.1 Why is Privacy Important for VANETs?

We live in a world where almost any data is available electronically. Whatprotects us from Orwell’s nightmare is mainly the incompatibility of the3 In our case, a global system time is based on satellite navigation

systems and organizational separation. Cars are personal devices, theyare usually kept for a long time and in the future they will probably storelots of personal information as well. In many societies, cars are statussymbols and a lot of personal behavior can be derived from the car a per-son is driving. Last but not least, most of the future’s automobiles willbe equipped with navigation systems and therefore technically be ableto gather complete movement patterns of its user. All of this would notbe much of a problem as long as the car is an isolated system. But fu-ture cars will have various communication capabilites. Electronic tollingsystems, internet access, maintenance systems, software and media down-load, off-board navigation systems are just some examples why cars willget connected.

Although most people are not aware of the implications informationsociety has on their privacy, their perception is (hopefully) changing overtime. Discussions about Radio Frequency Identification Tags have alreadygenerated protests in european countries. In the automotive market, cus-tomers can choose among a large variety of products and there is a strongcompetition among automakers. Customers that are concerned about anew technology would probably pick products that reflect their concerns.It is therefore a vital interest of all car manufacturers promoting car-to-car communication technology, to pay close attention to security andprivacy of such systems.

A very dangerous and often ignored fact about privacy is that inno-cent looking data from various sources can be accumulated over a longperiod and evaluated automatically. Even small correlations of the datamay reveal useful information. For instance, the knowledge about specificsensor characteristics may give some hints about the make and the modelof car. This in turn may be related to other information to identify aspecific car. And once privacy is lost, it is very hard to re-establish thatstate of personal rights.

Privacy sometimes contradicts with security requirements. While sys-tem operators want to find or identify attackers to take proper coun-termeasures, the ability to do so may be used for less noble reasons.Newsome, Shi, Song and Perrig presented a paper about sybil attacks insensor networks [4]. One of their proposed countermeasures is registeringnodes in the network. This concept is somewhat similar to the idea ofelectronic license plates. While their approach is absolutely reasonablefor sensor networks, registration could turn out to be a major privacyconcern in VANETs.

In section 4 we will outline a solution that address both, security andprivacy concerns.

2.2 Privacy Threats

During our work, we found a couple of situations, where privacy should bediscussed. As mentioned before, sometimes it is not desirable to achieveperfect privacy. But it has to be decided which degree of privacy is nec-essary under given circumstances and the system has to be designed ac-cordingly.

In the following we will give some examples for the problems we haveto tackle in a widespread VANET.

– The police uses hello beacons4 to calculate driving behavior and issuesspeeding tickets.

– An employer is overhearing the communications from cars on the com-pany parking lot. After distinguishing which car-identifier belongs towhich employee he automatically gets exact arrival and departuredates.

– A private investigator easily follows a car without being noticed byextracting position information from messages and hello beacons.

– Insurance companies gather detailed statistics about movement pat-terns of cars. In some cases individual persons may be charged fortraffic accidents based on gathered movement patterns.

– A criminal organization has access to stationary communication boxesand uses the accumulated information to track law enforcement vehi-cles. The same technique could be used by a foreign secret service totrack VIPs.

As we can see from these examples, most issues are related to positionand identifiers. More specifically, either keeping identifiers and relatingthem to other received identifiers (re-recognition) or correlating the iden-tifier with a real-world identity (identification). Analyzing the relationsof various position-identifier pairs, a multitude of attacks on privacy canbe carried out, where the given examples represent only a small subset.

The first example might be the easiest to resolve, because in mostcountries a defendant is innocent until it can be proven that he is guilty.In our case that means that the police must be able to prove that the

4 Hello beacons are used in mobile ad-hoc networks to maintain information aboutthe nodes’ neighborhood.

culprit is really the one who was speeding. So instead of using one’s orig-inal identity in the system, a pseudonym may be used. Unless there isno perfectly provable mapping between the pseudonym and real-worldidentity, the police would have a hard time issuing a ticket. In the secondexample this may not be enough, because the employer has other meansof correlating real-world identities and car-identifiers. And he may guessas well. In this case, it would be desirable to change the car’s identifiersfrom time to time. In the third example however, even these precautionswould not be sufficient. To prevent being followed, the car’s identifierwould have to be changed while moving. One possible approach are geo-bound pseudonyms, discussed in section 5.2 Note that a concept consid-ering changing identifiers on application layer also means that all lowerlayers must change their addresses / identifiers at least as often as appli-cation layer IDs. This would require frequent changes of MAC-addressesand network addresses for instance. Some simple experiments with ourprototypes have shown that this is doable in principle, but remains an ex-tremely challenging task for large systems. In addition this will definitelydecrease overall performance due to collisions and/or increased signalingoverhead.

In scenarios where a car communicates with a dedicated partner, weassume that in some cases the car’s real identity will be required for serviceusage. In such a case it is obvious that the communication partner has theidentity anyway, so the identity must only be protected from neighborsoverhearing the communication. In [5] we proposed a vehicle - traffic lightcommunication protocol that keeps the identity of the vehicle hidden fromthird party observers.

A good thing about mobility is that real (communication-)traffic analy-sis would probably be hard to do, since nodes usually move at high speedand in large geographic areas. But nevertheless, an attacker might use theproperties of communicating vehicles as an aid for tracking a specific car.Even if identifiers are anonymized and addresses are changed frequently,there are ways to distinguish a node from others, such as characteristicpacket sizes, special timings, RF-fingerprints 5.

2.3 Privacy Related Requirements

After the previous sections, we now identify a number of requirements toachieve adequate privacy.

5 An RF fingerprint in this context means that the hardware of a node has a specificsignature within the radio spectrum.

1. It is possible to use pseudonyms as identifiers instead of real-worldidentities.

2. It is possible to change these pseudonyms.3. The number of pseudonym changes depends on the application and

its privacy threat model.4. Pseudonyms used during communication can be mapped to real-world

identities in special situations.5. A set of properties and/or privileges can be cryptographically bound

to one or more pseudonyms.

This discusses only the primary requirements with respect to theVANET messaging system. There might be other important things toconsider such as user interfaces and usability issues.

3 Related Work

There has been some work in various areas relevant for us. Samfat, Molvaand Asokan provide a classification for mobile networks such as GSMand CDPD, where they map privacy requirements to various networkentities (home domain, remote domain, legitimate network entities, andeavesdroppers)[6]. They also discuss the effects of these requirements onsystem design.

Golle, Greene and Staddon have presented a very useful paper [7] ondetection and correction of malicious data in VANETs. We share theiropinion that comparing the data of different information sources is afundamental approach to solve problems with aggregation of sensor data.Concerning privacy they point out that there is a tradeoff between privacyand detection of malicious data depending on how often an identifier ischanged. Hubaux, Capkun and Luo gave an overview on security andprivacy in VANETs in [8]. Others are investigating ”Metropolitan AreaAd Hoc Networks” [9] and Yih-Chun Hu has shown how attackers canget privacy-sensitive information in this context.

Weimerskirch and Westhoff presented a protocol [10] that allows nodesthat do not have any additional knowledge to re-recognize themselveswhen meeting again. Their approach allows maximum privacy while stillproviding immutable and non-migratable identities. There has also beensome work on mapping identifiers and cryptographic material. In [11]and [12] the authors describe a way to derive identifiers from pre-existingcryptographic keys in such a way, that they are statistically unique andcryptographically verifiable. Going the other way around and starting

with given identities such as email addresses, Shamir presented an iden-tity based signature scheme in [13], but he was unable to do encryptionusing this concept. It was Boneh / Franklin and Cocks who indepen-dently proposed ways to do identity based encryption in [14] and [15]respectively.

4 An Approach to Privacy in VANETs

4.1 Identification and Addressing

An intriguing question in the context of privacy is whether we need iden-tification in a VANET or only some form of addressing. In the latter case,we only have to make sure that messages reach their destination(s), whileidentification of a sender depends on the application’s requirements andmust therefore be solved by the application itself. In the case of safety-related messages there is no need for identification. What we need here isan assertion that the sender is equipped with standard-compliant sensors/ communication system and that it is working according to specifica-tions.

4.2 Architecture

In our recent work, we have been looking at a trusted third party approachsupported by smart cards. A major requirement has been the use of non-interactive protocols, since most security-related messages will be sent inbroadcast6 style.

The fundamental idea in our architecture is that there will be anauthority A, that is trusted by all parties participating in the network:customers, manufacturers, system operators, service providers, etc. Gor-don Peredo has presented such an architecture in [16]. The authority mustbe independent from other parties’ interests and obtain special legislativeprotection. Authority A stores real-world identities and maps one or morepseudonyms to each identity. The mapping is kept secret and will only berevealed in exactly specified situations.

4.3 Assumptions

In order for our system to work, we assume that every car will be equippedwith a hard-mounted, non-removable tamper resistant device such as a6 Note broadcast here is on application level. This does not necessarily mean that

data link layer transmission is broadcast

smart card. It offers two main features: secure memory to store secretsand secure computation to execute small programs and cryptographicalgorithms. In our prototype implementation we use G&D’s Java Card[17], [18]. We further assume that during production of a car a secureconnection between this device and authority A is available. This can berealized using Smart Card Management Systems such as Visa’s GlobalPlatform [19], which enables ”secure channels” from smart cards to back-end hardware security modules (HSMs) [20].

4.4 Three Phases of Operation

We distinguish three phases in the lifecycle of a single vehicle. The initial-ization phase where the systems of a vehicle are set up. The operationalphase as the major mode of operation, where vehicles can send messagessigned according to a chosen pseudonym. And the credential revocationphase, where predefined situations can lead to the disclosure of a vehicle’sreal ID and the shutdown of its system.

��

���������������������

� ��������

������� ��

� �������� �������� �������

������������� ���������������� ����������� � ����

�������

� �����������������

� ��������

��

����� �� ���

������� �

������� �

Fig. 2. Phase I

Initialization Phase Fig. 2 gives an overview on the entities in this ar-chitecture. Each car is equipped with a smart card during its productionthat is fixed physically and cannot be removed without destruction. Thesmart card (and therefore also the car) is associated with a unique, im-mutable and non-migratable electronic ID. A secure communication linkis established between the smart card and authority A. The smart cardtransmits the ID (1) and the authority cryptographically derives a setof pseudonyms from that ID after checking it. The pseudonyms are thentransmitted back to the smart card (2). Now the car is ready to subscribefor various services. For every pseudonym (3) the car can get multipleservice subscriptions from organization O, typically a car manufacturer.For every pseudonym organization O generates a set credentials, one foreach service and sends it back (4). The car is now ready for use.

��

��

������

������

� ������������������������� ������

� ���������

��������� �

� ���������

��������� �

Fig. 3. Phase II

Operational Phase During normal operation a car may choose any ofits pseudonyms and the related credentials to testify its rights or sign mes-sages, see Fig. 3. A communication partner can therefore always check the

credentials in order to verify the car’s compliance with common standards,its right to use a service or other properties that have been approved byorganization O.

��������

�

��� �

��������� ��������������� ���

� � �������

���� �����

�������� ��

���� �����

� ���������������� ����

� � �������

�

�������� � �

� �

������ �������������������

� ������

� �������������

Fig. 4. Phase III

Credential Revocation Phase Fig. 4 shows what happens if a vehi-cle sends wrong data. If there is a serious malfunction of a car such astransmission of malicious data (1), other participants of the network willfile reports and send their evidence to organization O (2). OrganizationO must gather the evidence of this malfunctioning unit in order to applyat authority A for identification resolution and service shutdown (3). Ifthe evidence is sufficient to allow for ID disclosure, authority A will com-pute a reverse mapping from a pseudonym to the real identity (4). Thus,organization O can find malfunctioning or malicious nodes and thereforemaintain the long-term availability of the system.

Note that during the normal operation, the ID, all pseudonyms andcredentials are stored in a tamper resistant smart card and therefore someprotection against misuse is provided.

4.5 Evaluation

One alternative to our approach is to use pseudonyms that are not relatedto a real ID. The downside of this concept is that it is not possible to finda certain malfunctioning or misbehaving nodes. However, in some cases itmay be sufficient to guarantee that every device can only use one singlepseudonym at a time.

The other extreme, using unique identifiers, does not provide sufficientprivacy.

5 Additional Considerations

The approach we presented in section 4 is one of many possible solutions.There are some general issues that we believe have to be solved.

5.1 MIX-Zones

[21] defines anonymity as ”the state of being not identifiable within a setof subjects, the anonymity set”. That is something to keep in mind whenproposing to change pseudonyms on the move. For example if a vehicleusing pseudonym A does not want to be tracked and therefore changes itspseudonym to B. If an observer monitors all communication traffic aroundthis vehicle and if this vehicle sends messages during observation (such asbeacons), then the observer can relate pseudonym A and B as long as thisvehicle is the only one (or one of few) changing its pseudonym. In otherwords, if you cannot hide in a crowd of pseudonym changing vehicles, youmust assume that an observer can link your old pseudonym and your newone, making this process useless.

There are two straightforward approaches to this problem. First, youdon’t transmit something using your pseudonym for a sufficiently longtime before and after a pseudonym change. Or second, the system designspecifies times where all cars within a certain region, called MIX-zone,change their pseudonym. Such a region would ideally be a place, wherea lot of vehicles are within communications range. There must be a suf-ficient number of such places to ensure that vehicles can change theirpseudonyms frequently. It remains an open question what happens if thereare not enough other nodes changing their pseudonyms at the same place.

5.2 Geo-bound Pseudonyms

In some scenarios, where (road-)traffic monitoring and generation of move-ment patterns are of major concern, we already concluded that it is desir-

able to change pseudonyms on the move. However, when thinking aboutdecentralized trust in a mobile ad hoc network, for some concepts, suchas keeping reputation information, it is necessary to re-recognize cars.This requirements can fortunately be reduced to re-recognition of nodeswithin a certain area. In such cases, it may be useful to dedicate a setof pseudonyms to predefined regions. That means for every geographicposition there is a set of associated pseudonyms available, being a truesubset of all pseudonyms used by that single vehicle.

Note that the boundaries of those individually different regions mustreflect the arguments of the previous section.

5.3 Feasibility of Organizational Solutions

Apart from purely technological questions, we need to investigate whetherorganizational solutions such as the one we proposed in section 4 are fea-sible economically and legally. A company that sells products worldwidehas to consider many different legal systems. Especially civil rights arehandled quite differently and privacy is something that people cannot relyon in many countries. Regarding our approach, it has to be determinedfor each country in question whether there are regulatory aspects thatrequire a system operator to provide access to central identification data.The architecture that we presented will only work in a legal environmentwhere authority A is protected from outside access other than specifiedrevocation requests. The incidence documented on [22] shows that evenin countries with strong privacy laws such as Germany this is a difficulttask and would require intensive lobbying. The problem with a centraldatabase is that once it is there, there will always be voices in favor ofexploiting it.

Another downside of the proposed solution is that authority A mustnot be within organizational control of a single (car-) manufacturer. Un-fortunately that means that multiple companies must agree on the modesof operation, standards have to be defined and a business model has tobe created for the operation of centralized services.

6 Conclusion

In this paper we discussed some threats to privacy in VANETs and ar-gued why privacy is important. We also pointed out that the degree ofprivacy depends on user preferences, environmental settings, and appli-cation requirements and should therefore be adjustable. We proposed a

possible solution, based on prototypical experiments that we made anddiscussed its strengths and weaknesses.

In the future, we will further improve the presented concept and lookat alternative approaches more thoroughly. Maybe it is possible to oper-ate a traffic-related car-to-car messaging system without using identifiersand without requiring nodes to send periodic beacons. This would be de-sirable, not only from a privacy perspective, but also from a complexityand cost viewpoint. At the moment it is unclear if such an approach isfeasible.

7 Acknowledgements

We would like to thank Uwe Baumgarten for inspiring discussions andvaluable comments. We would also like to thank the anonymous reviewers,whose comments and suggestions stimulated new thoughts and helped toimprove the paper.

References

1. Doetzer, F., Kosch, T., Strassberger, M.: Classification for traffic related inter-vehicle messaging. In: Proceedings of the 5th IEEE International Conference onITS Telecommunications, Brest, France (2005)

2. Franz, W., Eberhardt, R., Luckenbach, T.: Fleetnet - internet on the road. In:Proceedings of the 8th World Congress on Intelligent Transportation Systems.(2001)

3. Kosch, T.: Local danger warning based on vehicle ad-hoc networks: Prototype andsimulation. In: Proceedings of 1st International Workshop on Intelligent Trans-portation (WIT 2004). (2004)

4. Newsome, J., Shi, E., Song, D., Perrig, A.: The sybil attack in sensor networks:analysis & defenses. In: IPSN’04: Proceedings of the third international symposiumon Information processing in sensor networks, ACM Press (2004) 259–268

5. Dotzer, F., Kohlmayer, F., Kosch, T., Strassberger, M.: Secure communicationfor intersection assistance. In: Proceedings of the 2nd International Workshop onIntelligent Transportation, Hamburg, Germany (2005)

6. Samfat, D., Molva, R., Asokan, N.: Anonymity and untraceability in mobile net-works. ACM International Conference on Mobile Computing and Networking(1995)

7. Golle, P., Greene, D., Staddon, J.: Detecting and correcting malicious data invanets. In: VANET ’04: Proceedings of the first ACM workshop on Vehicular adhoc networks, ACM Press (2004) 29–37

8. Hubaux, J.P., Capkun, S., Luo, J.: Security and privacy of smart vehicles. IEEESecurity & Privacy 2 (2004) 49–55

9. Jetcheva, J., Hu, Y.C., PalChaudhuri, S., Saha, A., Johnson, D.: Design and eval-uation of a metropolitan area multitier wireless ad hoc network architecture. In:Proceedings of the 5th IEEE Workshop on Mobile Computing Systems & Appli-cations, Monterey, CA, USA, IEEE (2003) 32 – 43

10. Weimerskirch, A., Westhoff, D.: Zero common-knowledge authentication for per-vasive networks. In: Selected Areas in Cryptography. (2003) 73–87

11. O’Shea, G., Roe, M.: Child-proof authentication for mipv6 (cam). SIGCOMMComput. Commun. Rev. 31 (2001) 4–8

12. Montenegro, G., Castelluccia, C.: Statistically unique and cryptographically ver-ifiable (sucv) identifiers and addresses. In: Proceedings of the Network and Dis-tributed System Security Symposium (NDSS). (2002)

13. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Proceedingsof CRYPTO ’84, Springer-Verlag (1984) 47–53

14. Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In:Proceedings of CRYPTO 2001, Springer-Verlag (2001) 213–229

15. Cocks, C.: An identity based encryption scheme based on quadratic residues. In:Proceedings of IMA 2001, Springer-Verlag (2001) 360–363

16. Peredo, G.: Brake-ing news – technologies for inter-vehicle communication (2003)17. Sun Microsystems: Java card 2.2 runtime environment specification (2002)18. Sun-Microsystems: Java card 2.2 virtual machine specification (2002)19. Global Platform: Global platform card specification (version 2.1) (2001)20. Dotzer, F.: Aspects of multi-application smart card management systems. Master’s

thesis, Technical University Munich (2002)21. Pfitzmann, A., Kohntopp, M.: Anonymity, unobservability, and pseudonymity -

a proposal for terminology. In Federrath, H., ed.: Proceedings of Workshop onDesign Issues in Anonymity and Unobservability, Springer (2001) 1–9

22. Independent Centre for Privacy Protection: First partial success for an.on (2003)23. Wright, J., Stepney, S., Clark, J., Jacob, J.: Designing anonymity - a formal basis

for identity hiding. Internal yellow report, York University, York, UK (2004)