Connected Vehicles: Surveillance Threat and Mitigation

Intelligent Transportation Systems (ITSs) are an upcoming technology that allow vehicles and road-side infrastructure to communicate to increase traffic efficiency and safety. To enable cooperative awareness, vehicles continually broadcast messages containing their location. These messages can be received by anyone, jeopardizing location privacy. A misconception is that such attacks are only possible by a global attacker with extensive resources (e.g. sniffing stations at every intersections giving a full city-wide coverage). In this paper, we demonstrate the feasibility of location tracking attack in an ITS in the presence of a mid-sized attacker (i.e. an attacker that has partial network coverage but can choose which parts to cover). We conduct an empirical study on the campus of the University of Twente by deploying ITS hardware on a small scale. As road intersections are likely targets for an attacker to eavesdrop, we propose a graph-based approach to determine which intersections an attacker should cover. We also derive a cost analysis that gives an indication of the financial resources an attacker needs to track a vehicle. To mitigate location tracking attacks, we assess the benefit of pseudonym change strategies and propose a privacy metric to quantify a vehicle’s level of privacy in the presence of mid-sized attackers. Experiment results demonstrate that tracking is feasible even if such an attacker covers a small number of intersections. For example, with only two sniffing stations, a mid-sized attacker can track the target vehicle on a zone-level 78% of the time, and on a road-level 40% of the time. Pseudonym schemes harden tracking by increasing the number of sniffing stations required.