Side-Channel Security Analysis of Connected Vehicle Communications Using Hidden Markov Models

This paper investigates side-channel vulnerabilities of a wireless communication application in vehicular environments (DSRC/WAVE) protocol implementation of a traffic intersection application. A prototype roadside unit (RSU) was implemented using real DSRC devices. The functionality of the WAVE short message (Wsm)-channel is extended to include an implementation of WAVE short message protocol (WSMP) for broadcasting GPS data and RSU instructions in vehicular communications. In the example used, DSRC is used to replace an intersection stoplight. Denial of service attacks are executed that leverage DSRC RSU timing and packet size side-channels to selectively disable the stoplight. Simulations are implemented to determine our ability to stealthily drop packets so as to force two vehicles to collide. Hidden Markov models (HMM) and Support Vector Machines (SVM) are constructed from sniffed side-channel information. We use inter-packet delay time and packet size side-channel information to design our attackes. In operational networks, packets should be encrypted in order to hide the contents of the packet payloads, but packet sizes and timing are not affected by encryption. HMMs were inferred using only side-channel information. The inferred HMMs track the protocol status over time. The SVM classifier was inferred using both side-channel data and packet payloads. At run-time, though, the SVM only had access to side-channel information. Simulation experiments were implemented to test HMM and SVM ability to identify packets used to signal vehicles to stop and yield right-of-way. Timing HMM side-channel attack caused collision with 2.5% false positive rate (FPR), while the packet size one resulted 9.5% FPR.