Establishing safety and trust in the V2X ecosystem

The V2X ecosystem, which adheres to the IEEE 1609 standards, is revolutionizing transportation systems and facilitating smooth communication among vehicles, transportation infrastructure, and network services. As this ecosystem evolves, the integration of pedestrians/cyclists and additional services will play a pivotal role in enhancing both road safety and efficiency. Nevertheless, the automotive industry as a whole faces considerable obstacles in establishing trust and maintaining safety in this intricate ecosystem. This article explores the V2X safety framework and the detection of misbehavior. In doing so, it lays the groundwork for discussing diverse methods for evaluating the reliability of received data.

V2X safety framework and trust hierarchy

The V2X safety framework sets up the protocols needed to guarantee the integrity, authenticity, and privacy of communication, along with the anonymity of participants within the ecosystem. Trust plays a pivotal role within the V2X safety framework, as it is structured in a hierarchical manner among the participating entities. This trust hierarchy forms the basis for secure and reliable communication within the V2X ecosystem.

  • At the top of the trust hierarchy are one or more trusted authorities that publish lists of trusted root certification authorities (RootCA). The authorities sign these trusted lists with their credentials (certificates as “trust anchors”). The conformity of the registered members (RootCAs) and new candidates with the rules is assessed by the authorities through policies and audits.
  • The RootCAs in turn have the authority to issue and revoke certificates for end entities (for example, vehicles, traffic lights), ensuring that only secure, legitimate end entities can participate in the V2X network.
  • At the communication level, vehicles, traffic infrastructure, pedestrians/cyclists and network services legitimize themselves with these certificates.

Fig. 1: V2X trust hierarchy

Privacy is particularly challenged by the authentication requirements, especially for vehicles, cyclists, and pedestrians. Authentication with a fixed identity would make it possible, for example, for traffic infrastructure (such as traffic lights) to create movement profiles of passing vehicles. Consequently, a two-step approach has been established for the registration of end entities, resulting in their anonymization.

  • First step: Registering an end entity through a RootCA guarantees the basic authorization required to participate in the V2X ecosystem. The RootCA generates an “enrollment certificate” that assigns a unique ID to the end entity.
  • Second step: With the issued “enrollment certificate”, the end entity can request a number of authorization tickets/certificates (authorization). These tickets are valid for approximately one week. During this period, the end entity uses the tickets randomly to sign V2X messages. The recipient cannot link the tickets to each other or to a specific end entity.
  • The implementation of this mechanism differs somewhat between the EU and the USA/China.
  • Various approaches are examined regarding the utilization of authorization tickets, such as employing a ticket for a two-kilometer distance or for a duration of five minutes prior to switching to a different ticket. This mechanism is important for the later discussion on building trust among end entities. Each time a ticket is switched, the transferring entity appears as a new instance. As a result, the frequency of ticket switching should be kept at a moderate level.

The successful enrollment and validation of an end entity indicates to the other members in the V2X network that this end entity adheres to the local V2X standards and has implemented the necessary system profiles. Therefore, a successfully authenticated end entity indicates that the received data meets the basic quality requirements of V2X.
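As an added illustration (not code from the article or from msg), the following Go model shows the receiver's side of the ticket mechanism described above: a message is accepted only if its authorization ticket chains to a trusted CA and is unexpired, while the ticket itself carries a fresh pseudonym key and no entity identity, so two tickets from the same sender are unlinkable. It assumes a single issuing CA key standing in for the RootCA/enrollment chain, a constructed expiry time and a simplified ticket encoding; the type and function names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
)

// Ticket models an authorization ticket: a fresh pseudonym public key and an
// expiry, signed by the issuing CA. It carries no entity identity on purpose.
type Ticket struct {
	Pub      *ecdsa.PublicKey
	NotAfter uint64 // constructed Unix time in seconds
	CASig    []byte
}

// ticketDigest hashes the to-be-signed ticket fields in a fixed encoding.
func ticketDigest(pub *ecdsa.PublicKey, notAfter uint64) []byte {
	h := sha256.New()
	h.Write(pub.X.FillBytes(make([]byte, 32)))
	h.Write(pub.Y.FillBytes(make([]byte, 32)))
	binary.Write(h, binary.BigEndian, notAfter) // big-endian uint64
	return h.Sum(nil)
}

// IssueTicket: the CA signs a new pseudonym key for an enrolled end entity, which keeps the private half.
func IssueTicket(ca *ecdsa.PrivateKey, notAfter uint64) (Ticket, *ecdsa.PrivateKey, error) {
	pseud, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return Ticket{}, nil, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, ca, ticketDigest(&pseud.PublicKey, notAfter))
	return Ticket{Pub: &pseud.PublicKey, NotAfter: notAfter, CASig: sig}, pseud, err
}

// SignMessage signs a V2X payload with the pseudonym key behind a ticket.
func SignMessage(pseud *ecdsa.PrivateKey, payload []byte) ([]byte, error) {
	d := sha256.Sum256(payload)
	return ecdsa.SignASN1(rand.Reader, pseud, d[:])
}

// VerifyMessage is the receiver's check: unexpired ticket, chained to a trusted CA, payload valid under the ticket key.
func VerifyMessage(trustedCA *ecdsa.PublicKey, t Ticket, payload, sig []byte, now uint64) bool {
	d := sha256.Sum256(payload)
	return now <= t.NotAfter &&
		ecdsa.VerifyASN1(trustedCA, ticketDigest(t.Pub, t.NotAfter), t.CASig) &&
		ecdsa.VerifyASN1(t.Pub, d[:], sig)
}
```

Note that nothing in a Ticket names the sender; linking two tickets would require the issuing CA's records, which is exactly what keeps pseudonymity on the air.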

Local functional safety requirements

Measures have been implemented in the ego vehicle (the "own" vehicle receiving V2X data) to ensure the quality and precision of the data produced by its sensors. Suitable components and methods have been selected for the various automotive safety integrity levels (ASIL) in order to implement specific (driving) functions.

If the ego vehicle receives data from other end entities, it does not know the circumstances under which this data was generated. It is also unknown whether the data was generated to any ASIL at all. End entities that are not vehicles may have been developed without considering functional safety. Even if the transmitting end entity is another vehicle, the ego vehicle has no way to determine whether the data meets the requirements of a particular ASIL level and could be used locally in critical functions.

In addition, received data may be compromised by a malfunctioning device in the transmitting end entity, such as a GPS calibration issue, or by a cyber attack.

Framework for the detection of misbehavior

Misbehavior can be caused both by faulty devices and by malicious actors. Malfunctioning devices can provide incorrect data, for example a GPS position. The cause of the malfunction could be a defective device, incorrect implementation or behavior in particular edge cases.

Two types of attacker can be distinguished in the case of malicious actors:

  • “Malicious” V2X devices with necessary hardware, software and valid V2X credentials that allow them to inject fake information into the V2X network and other “unsuspecting” devices.
  • External attackers who manipulate the environment to cause sensors to malfunction or cause sensors to read data incorrectly.

The potential presence of misbehavior makes it necessary for the ego vehicle to check the received data locally. Various methods could be used to validate incoming data:

  • Check the protocol parameters
  • Check the plausibility of values against threshold values, for example speed < 400 km/h
  • Check the consistency of data with previous messages, for example change of direction by 90° in milliseconds
  • Data synchronization with external data, for example positioning in HD maps
  • Data synchronization with internal sensor data and the environment model
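
The following Go checker, added here as an example and not part of the article, applies the threshold and consistency checks from the list above to a sequence of simplified CAM-style messages: the article's speed < 400 km/h threshold, the heading-change-over-time rule, and a position-reachability rule derived from the reported speed. The Msg layout, the yaw-rate bound and the positioning tolerance are assumptions; synchronization against HD maps or the local environment model is out of scope here.

```go
package main

import (
	"fmt"
	"math"
)

// Msg is a constructed, simplified CAM-style sample of what a sender claims.
type Msg struct {
	T       float64 // seconds
	X, Y    float64 // metres in a local planar frame
	SpeedMS float64 // metres per second
	Heading float64 // degrees, 0..360
}

const maxSpeedMS = 400.0 / 3.6 // the article's example threshold: speed < 400 km/h
const maxYawRateDeg = 90.0     // assumed bound on heading change, degrees per second
const posSlackM = 5.0          // assumed positioning tolerance in metres

// headingDelta returns the smallest absolute angle between two headings (wraps at 360).
func headingDelta(a, b float64) float64 {
	return math.Abs(math.Mod(a-b+540, 360) - 180)
}

// Check applies the threshold and consistency checks to a message sequence and
// returns one finding per violation; an empty result means the data is plausible.
func Check(msgs []Msg) []string {
	var findings []string
	for i, m := range msgs {
		if m.SpeedMS >= maxSpeedMS {
			findings = append(findings, fmt.Sprintf("msg %d: speed %.0f km/h exceeds threshold", i, m.SpeedMS*3.6))
		}
		if i == 0 {
			continue
		}
		prev, dt := msgs[i-1], m.T-msgs[i-1].T
		if dt <= 0 {
			findings = append(findings, fmt.Sprintf("msg %d: timestamp not increasing", i))
			continue
		}
		if turn := headingDelta(m.Heading, prev.Heading); turn/dt > maxYawRateDeg {
			findings = append(findings, fmt.Sprintf("msg %d: heading changed %.0f° in %.3f s", i, turn, dt))
		}
		// The new position must be reachable at the claimed speed since the last message.
		if dist, reach := math.Hypot(m.X-prev.X, m.Y-prev.Y), math.Max(m.SpeedMS, prev.SpeedMS)*dt+posSlackM; dist > reach {
			findings = append(findings, fmt.Sprintf("msg %d: moved %.1f m, at most %.1f m reachable", i, dist, reach))
		}
	}
	return findings
}
```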

From a network operations standpoint, it is advantageous to remove faulty or compromised devices, of which there may be many, from the V2X network; otherwise these known-bad devices would undermine the network's integrity.

Different regions are currently developing standards to identify and address misbehavior by end devices. These standards aim to establish guidelines for reporting such incidents and outline the procedures that central authorities, also known as misbehavior authorities, should follow when handling these reports. Mechanisms for revoking end devices have already been defined. Nevertheless, identifying and correcting misbehavior comes at a cost. For the vehicle, for example, the early deployment in China shows that updating the revocation lists for end entities in the vehicle can account for up to 25% of the messages exchanged with the security backend and 90% of the data volume.

Despite having a system in place to identify misbehavior, the ego vehicle still faces the challenge of determining the reliability and usability of the data it receives for safety-critical functions.

Global versus local trust

The safety mechanisms presented here attempt to minimize the risks for the system and its participants. V2X only allows authorized vehicles to participate, effectively eliminating a significant number of instances of misbehavior within the system. This prevents gross irregularities in the system.

In the future, vehicles will be almost overwhelmed with data and will be compelled to assess its reliability. A vehicle has an architecture that is based on many technical subsystems. Individual errors can have a fatal impact on a driver's safety. V2X introduces a system where numerous vehicles can simultaneously be impacted by errors. The data sent in V2X must therefore be checked for data quality and reliability in terms of functional safety. The responsibility for this task always lies with the ego vehicle and cannot be assured by the global systems.

Many other functions and systems will also depend on this in the future, such as autonomous driving or valet parking. Read here to find out how this local trust in data can be established.

Your experts at msg

Are you engaged in the ever-evolving realm of V2X communication, connectivity, and autonomous driving? You undoubtedly comprehend the intricacy and difficulties associated with these technologies. msg's experts are available to offer guidance throughout your journey and cater to your unique requirements.

We possess vast knowledge and experience in systems engineering, encompassing architecture, safety, and security. Additionally, we specialize in testing advanced, widely distributed vehicle architectures. This expertise allows us to offer you comprehensive assistance in developing and implementing cloud-based remote ADAS solutions. We not only assist you in designing, but also in ensuring the protection of these functionalities to transform the concept of autonomous driving into a tangible reality.

Furthermore, we leverage our proficiency in machine learning and analytics to efficiently examine and harness the vast amounts of data produced throughout the development of these cutting-edge technologies. It is essential to have these capabilities in place to guarantee the reliability and safety of driving functions.

If you are encountering difficulties with connectivity, V2X, and ADAS, or if you simply wish to learn more about our services, please feel free to contact us. We are well-prepared to enhance your projects with our expertise and collaborate with you to shape the future of mobility.

We look forward to your message
