Sage Journals: Discover world-class research

Abstract

Vehicular ad hoc networks have been identified as a key technology for enabling safety and infotainment applications in the context of smart and connected vehicles. In this sense, diverse approaches of multi-hop broadcast protocols have been proposed to collect and disseminate context information through the network. However, before vehicular ad hoc networks applications fulfill their expected potential to connect smart vehicles, several issues must be addressed. Among these issues, those related to security are of particular importance. In this article, the main security issues of broadcast message dissemination in vehicular ad hoc networks are discussed. Moreover, a review of the most relevant threats and proposed solutions to secure broadcast message dissemination in vehicular ad hoc networks is presented and discussed. As mentioned, security is an important topic which has not been fully addressed in vehicular ad hoc networks; therefore, the aim of this article is to introduce security issues and proposed solutions related to three main security concerns associated with the message dissemination process in vehicular ad hoc networks: network access, data consistency, and broadcast protocols.

Keywords

Multi-hop broadcasting security secure broadcast dissemination vehicular ad hoc networks

Introduction

Intelligent transport systems (ITSs) aim to improve the performance of surface transportation systems by enabling vehicles to cooperate with each other autonomously.¹ Among industry manufacturers, governments, and standardization bodies, safety applications (e.g. vehicle collision warning and cooperative cruise control) have attracted most of the attention as there is a growing interest in reducing road traffic accidents, preventing injuries and saving lives.

The development of ITSs encompasses efforts in wireless communications systems, networking protocols, security and localization. In this sense, a research area that has drawn significant attention is that of vehicular ad hoc networks (VANETs), because of its potential to fulfill ITSs communication requirements.¹ VANETs provide the radio interface required by vehicles (wireless transceivers based on IEEE 802.11p, which operate on the dedicated short-range communication (DSRC) band)² to communicate with each other using vehicle-to-vehicle (V2V) or vehicle-to-infrastructure (V2I) communications. As illustrated in Figure 1, vehicles can also communicate with other nearby entities through vehicle-to-pedestrian (V2P) or vehicle-to-anything (V2X) wireless links, thus making possible a wider variety of applications for ITSs.

Figure 1.

Generic VANET architecture and devices in ITS scenarios.

VANETs attract researchers from different fields to develop efficient and secure applications, addressing aspects regarding cooperative communication, security, and privacy.³ A key requirement in VANETs applications is how to efficiently perform message dissemination from one node to unknown and unspecified nodes located in a geographic region, referred to as the zone of relevance (ZOR). Because the transmission range of the transceiver of each vehicle is usually restricted to a few hundreds of meters, message dissemination is accomplished by means of broadcast dissemination protocols through multiple hops. These protocols operate at the network layer, and they can be broadly classified into receiver-oriented or sender-oriented, depending on where the rebroadcast decision is made. In any case, the main goal of such protocols is to timely deliver information from the source (e.g. a vehicle nearby a crash site) to vehicles located in a given ZOR, reducing the number of redundant broadcasts.

The design of broadcast dissemination protocols for VANETs has been an active research area for over a decade.^4–7 The simplest dissemination protocol is simple flooding, where each node that receives a packet for the first time retransmits it with no further restrictions. When using wireless technologies employing a contention-based medium access control (MAC) mechanism, simple flooding can easily cause the broadcast storm problem (BSP),⁸ that is, the network performance is degraded because of the large number of redundant retransmissions and collisions. This is the case with the IEEE 802.11p standard,⁹ which currently is the most prominent option to enable vehicular communications using (the contention-based) carrier sense multiple access with collision avoidance (CSMA/CA) MAC mechanism.

The research area of broadcast dissemination protocols still has challenges to be addressed. In particular, securing the dissemination process from various malicious threats related to the broadcast nature of the wireless medium in VANETs. Notice that the spread of malicious information in VANETs could have disastrous consequences, such as life-threatening situations (e.g. a malicious hacker could insert or modify life-critical information) or financial losses (e.g. for infotainment services). Nowadays, the most common approach for securing VANETs is the one recommended by IEEE 1609.2 standard, which is based on entity-centric trust¹⁰ and relies on a public key infrastructure (PKI). Thus, road-side units (RSUs) acting as trusted authorities to manage digital certificates are required. However, the PKI approach has significant financial and logistical difficulties to deploy an entity-centric based solution for VANETs.¹¹

Another security issue in VANETs arises when a legitimate sender (insider attacker) broadcasts bogus or altered messages, which could decrease the network efficiency and potentially lead to life-threatening situations. The PKI approach fails to prevent these attacks. Thus, data-centric security methods based on data consistency are needed.^12,13 The main idea behind data-centric security is to rely on physical models, local sensors and redundancy to detect spurious data. For instance, using data redundancy, a node could detect a false crash alert message if it does not overhears similar warning messages from nodes nearby the crash geographic location.

In addition to external and insider attacks on disseminated messages, information inherent to the operation of broadcast dissemination protocols (i.e. control information) is also vulnerable. By disturbing the protocol operation, attackers could force the relay/drop of spurious/honest messages to tamper with the VANET normal functioning.

To successfully deploy the envisioned VANET applications in ITSs,^14,15 it is of paramount importance to provide timely, accurate, and trustworthy message dissemination. This is still an open research issue that calls for the design of innovative, robust, and reliable broadcast dissemination protocols able to prevent the manipulation of the dissemination process.

It is important to note that besides multi-hop broadcasting protocols, single-hop broadcasting schemes can be used to disseminate information within a VANET. In this sense, there are particular security issues in the message dissemination process in VANETs depending whether packets are communicated in single-hop or multi-hop. In single-hop broadcasting, each vehicle periodically broadcasts selected records stored on their OBU to its one-hop neighborhood. For this case, the demanded security services are mainly centered in the entities involved, that is, the sender and receiver nodes must guarantee mutual authentication, data confidentiality, and integrity checks. However, in multi-hop broadcasting, a packet is spread in the VANET through multiple hops, where different vehicles (each further away from the message source node) act as relay nodes. In this case, additional security issues arise centered on data, that is, reliability and trustworthy of disseminated data are now required. Hence, securing multi-hop broadcasting is a more challenging task than securing single-hop broadcasting.

This article focuses on the analysis of security issues in multi-hop broadcasting. Specifically, the study is on the security issues related to the network access to ensure that messages are sent from legitimate senders, data consistency to prevent that legitimate senders (insider attackers or vehicles with faulty sensors) disseminate spurious information, and network protocols operation to ensure a secure and reliable broadcast dissemination.

Contributions

Different to previous related works, this article analyzes the main threats and vulnerabilities of dissemination protocols and discusses potential solutions considering the particular vulnerabilities of different representative dissemination protocols. Thus, the main contributions of this work are as follows:

An in-depth analysis of entity- and data-centric security approaches to handle common attacks of data or node manipulation in VANETs. Potential solutions to relevant attacks to the dissemination process considering both approaches are highlighted.

The main weaknesses inherent to the broadcast dissemination process that could represent a security void are identified. Such vulnerability analysis is focused on three main features: (1) the decision of relaying/dropping a broadcast packet made at each potential relay node, (2) the cooperative nature of nodes in safety applications, and (3) the prevalent use of CSMA/CA at the MAC layer for VANETs communications.

The most relevant security approaches that could address the previously mentioned weaknesses are identified and discussed.

The rest of the article is structured as follows. Section “Broadcast message dissemination in VANETs” introduces core concepts related to broadcast dissemination in receiver-oriented and sender-oriented protocols. Section “Security threats for broadcast message dissemination in VANETs” surveys common attacks in VANETs and security services affected. Section “The entity-centric approach for securing the broadcast dissemination” presents a detailed analysis of different entity-centric security approaches proposed in the literature for securing VANETs. Section “The data-centric approach for securing the broadcast dissemination” presents the performed analysis of vulnerabilities for most representative broadcast dissemination protocols. In addition, this section also presents identified data-centric solutions for identified security threats. The most relevant open issues and challenges for secure message dissemination in VANETs are discussed in section “Challenges and open issues.” Finally, concluding remarks are provided in section “Conclusion.”

Broadcast message dissemination in VANETs

Broadcast message dissemination in VANETs enables the deployment of safety and infotainment¹⁶ applications by sharing messages among moving vehicles. It can be of two kinds: single-hop broadcasting and multi-hop broadcasting.

In multi-hop broadcasting, the message is disseminated toward a ZOR by means of relay vehicles, that is, vehicles located between the source and the ZOR. Relay vehicles perform the rebroadcast decision in a distributed manner, considering context information and the information contained in the disseminated message. However, in single-hop broadcasting, an information message is not flooded through the network. Instead, each vehicle stores the received broadcast messages in its OBU. Periodically, vehicles broadcast selected records about traffic information from its database to its one-hop neighborhood. In these protocols, the most relevant design choices are the broadcast interval and how to choose the information that needs to be broadcasted. In general, context information gathered from sensors or other vehicles is the base for both design choices.¹⁷ As such, data-centric solutions presented in this article could also be applied to information requirements of single-hop algorithms. However, note that in single-hop algorithms redundancy information is intrinsically provided, as important information (e.g. a warning message) is periodically broadcasted by participating vehicles. Thus, securing multi-hop broadcast message dissemination is more challenging than securing single-hop broadcast dissemination. Therefore, the rest of this article focuses in the analysis of security issues in multi-hop broadcasting, leaving the discussion of security issues in single-hop broadcasting for a future contribution.

Generic architecture of broadcast dissemination protocols

To address the BSP, enhanced multi-hop broadcast dissemination (hereafter broadcast dissemination) protocols use a variety of relay decision criteria to select a subset of relay nodes,^7,17–19 instead of letting all intermediate nodes rebroadcast the received messages.

Despite the particular criteria used by the relay decision mechanism, broadcast dissemination protocols have a generic architecture, as illustrated in Figure 2. The message is delivered to the broadcast dissemination protocol at the delivery point 1 $(D P_{1})$ . Such message may come from the application layer of the same vehicle or from another vehicle in the network. The protocol makes the relay/drop decision before the delivery point 2 $(D P_{2})$ , according to the dissemination policy used.

Figure 2.

Generic architecture of broadcast dissemination protocols.

As it will be detailed in section “Shared vulnerabilities of different broadcast dissemination approaches,” broadcast dissemination protocols share the same security vulnerabilities at $D P_{1}$ and $D P_{2}$ , as the relay decision mechanism operates between such points. However, there are some vulnerabilities which are tailored to the specific broadcast dissemination protocol operation. To better explain this issue and to gain more insight into security challenges of broadcast message dissemination, the two main families of broadcast dissemination protocols found in the literature are discussed next.

Receiver-oriented broadcast dissemination protocols

In this approach, the relay decision is locally made at each potential relay. Specifically, upon a packet reception, each potential relay node $(R_{p})$ locally computes its relay priority (e.g. probability) based on both, its own information and the one contained in the packet (e.g. transmission power). If the computed priority reaches a predefined threshold, the received packet is retransmitted after a waiting time, otherwise the packet is dropped.

There are several receiver-oriented protocols proposed.^7,20 Recent research on this topic has shown that position is a critical parameter when designing information dissemination protocols for VANETs.²¹ Moreover, GPS and navigation systems are the common location providers for broadcast dissemination protocols. Thus, using the distance between nodes has become a de facto standard in the design of broadcast dissemination protocols for VANETs. Therefore, the discussion of challenges to secure information requirements of receiver-oriented protocols is performed based on distance-based protocols. Additionally, the counter-based approach, which is a simple dissemination approach with minimum information requirements is also considered for the security analysis presented in this work. Basic operation of both distance-based and counter-based protocols is detailed in the following paragraphs.

Counter-based protocols

These protocols^22–25 aim to mitigate the BSP by inhibiting the rebroadcast of a message if the number of received copies $(c_{m})$ within a waiting time reaches a maximum allowed threshold. A node rebroadcasts the received message if it does not overhears any retransmission after a predefined waiting time. For the implementation of this kind of protocols, no further hardware is needed besides the wireless transceiver.

Distance-based protocols

In these protocols, the relay nodes should rebroadcast the warning messages such that the additional coverage at each hop will be the largest possible.^26–28 Generally, it is assumed that each node obtains its own geographic location by means of a GPS-like service. The basic distance-based approach is, the larger the distance between the current and potential next relay nodes, the higher the relay priority of the potential relay.

More specifically, upon receiving a packet $m$ from node $n$ , a potential relay, $R_{p}$ , uses the location information included within $m$ to compute its relay priority. Two of the most relevant approaches to compute the relay priority are probabilistic and delay-based approaches. When the probabilistic approach is used (e.g. Wisitpongphan et al.⁷), nodes located nearby the radio range border of the current relay must calculate a higher relay probability. Similarly, in the delay approach,²⁹ potential relay nodes located at the radio range border of the current relay must compute a shorter waiting time to rebroadcast the message.

Sender-oriented broadcast dissemination protocols

It has been argued that receiver-oriented protocols struggle to eliminate redundant broadcasts.¹⁸ Thus, several sender-oriented protocols for broadcast message dissemination in VANETs have been proposed in the literature^30–35 with the aim of overcoming this issue. In sender-oriented protocols, the current relay node selects a set of relays nodes among its neighbors before relaying a packet. The identifier of each relay node within the set is attached in the headers of the broadcasted packet. Upon a packet reception, a potential relay will rebroadcast the message only if its own identifier is included in the headers of the received packet. In order to define the set of relay nodes, the current relay node assesses the fitness of its neighbors considering information related to link quality and stability, such as received power and neighbors location. Commonly, this information is gathered from neighbor vehicles by means of periodic beacons exchange. In Figure 3, the messages flow within a generic sender-oriented protocol is illustrated. In particular, this figure shows the core modules commonly found in these protocols, namely, one-hop neighbors table, selection rules, and relay selection mechanism.

Figure 3.

Generic modules of a sender-oriented protocol.

As it will be discussed later through a detailed vulnerability analysis presented in section “Vulnerability analysis of sender-oriented broadcast dissemination protocols,” the specific vulnerabilities of sender-oriented protocols are highly related to the required context information (e.g. distance and number of neighbors) and the defined set of rules to rank its neighbors. Therefore, for the sake of clarity, two representative sender-oriented protocols^18,36 found in the literature are presented in the following paragraphs.

Density-aware reliable broadcasting

In the density-aware reliable broadcasting (DECA) protocol,³⁶ the next relay node is the neighbor located toward the message propagation direction that has the highest density of neighbors reported. To increase its reliability, DECA includes an implicit acknowledgment (iack) mechanism which is implemented as follows: after a random waiting time, the potential relay nodes that also received the broadcast message will retransmit it if they do not overhear the same message from the selected relay node.

Fuzzy logic broadcast

Fuzzy logic broadcast (FUZZBR)¹⁸ ranks neighbor vehicles using a fuzzy inference system based on three parameters gathered by means of beacon messages: vehicle mobility, inter-vehicle distance, and link quality. The node with the highest rank, among current relay node neighbors located toward the message propagation direction, is selected as the next relay node.

FUZZBR also considers an iack mechanism where the packet is retransmitted by the current relay to the same chosen relay a predefined number of times.

Security threats for broadcast message dissemination in VANETs

This section provides first a broad perspective of efforts made so far about security in VANETs, covering aspects such as security requirements, attacks, attackers, challenges, approaches, and directions of security solutions. Then, attacks against the broadcast dissemination process are classified into three groups to discuss the potential consequences of such attacks in broadcast dissemination.

VANETs security in the literature

Outsider attackers in VANETs are generally passive, that is, they eavesdrop the wireless channel but do not try to interfere with the message flow between vehicles. However, they can be particularly harmful if sensible information such as identity, position, direction, and velocity is accessed and used to track and monitor vehicles. Therefore, protecting privacy is one of the major concerns related to security in VANETs.^37–39

However, insider active attackers of a VANET can directly cause network traffic to be dropped (drop), modified (fabrication, modification, and deletion), re-injected (replay), or redirected (redirection) to a different destination or to take a longer route to the destination by increasing communication delays. Using these basic malicious actions, an attacker (vehicle) within a VANET has the potential to launch more complex and elaborated attacks, the most documented attacks in the literature are introduced in Table 1. These attacks compromise the VANET by affecting one or more security services, as it is shown in Table 2, and different cryptographic solutions have been proposed to address them.

Table 1.

Attacks commonly found in VANETs.

Attack	Attacker’s purpose	Basic attack(s)
Sybil^40–42	Simulate multiple nodes by generating multiple identities for it. A vehicle can claim to be in different positions at the same time	Fabrication
Bogus information^37,39,40	Transmit incorrect information in the VANET for its advantage	Fabrication, modification, deletion
Impersonation/Masquerading^37,9,40–43	Send messages on behalf of other vehicles to create chaos, traffic jam, or accidents	Fabrication, modification, deletion, replay
Denial of service (DoS)^37,39,40,41	Bring the network down, that is, by transmitting dummy messages to jam the channel. Attacks that lead to this one are⁴¹ flooding, jamming,⁴³ broadcast tampering, and blackhole	Fabrication, replay, modification
Blackhole⁴⁰	Discard the received packets	Drop
Wormhole^39,40	Avoid the proper dissemination of the message to other vehicles by creating a fake optimal communication path with other colluded vehicle	Redirection
Grayhole⁴²	Discard some percentage of messages received	Drop
Message delay/suppression^37,39,42	Modify, delete, or alter existing data	Modification, deletion
Hardware tampering^37,43	Physical damage of vehicle’s sensors	Fabrication
GPS spoofing^41,42	Deceive legitimate vehicles by hiding its actual position	Fabrication
Illusion attack⁴²	Control and mislead the sensors to generate false data (position and velocity)	Fabrication
Timing/replay attack³⁷	delay message dissemination by retaining then transmitting the network messages	Replay
Identity revealing⁴¹	Obtain vehicles identity (and possibly driver’s personal data)	–
Location tracing^41,42	Build the profile of a particular vehicle using location and other data obtained from intercepted messages	–

VANET: vehicular ad hoc network.

Table 2.

Common security services affected by attacks in VANETs.

Security service	Objective	Main attacks
Authentication	Ensure the identity of each VANET’s vehicle and the authenticity/integrity of data transmitted in the network	Sybil, GPS spoofing, impersonation, black/worm/gray hole, replay
Message Integrity	Prevent alteration attacks for possible modifications (maliciously or accidentally) of messages transmitted	Replay, masquerade, illusion
Availability	Keep the wireless channel available to communicate messages	DoS, jamming, black/gray/worm hole, hardware tampering, message delay/suppression
Non-repudiation	Ensure that once a vehicle sends/receives a message in a VANET, it cannot deny that action later	Impersonation
Privacy	Ensure that sensitive vehicles’ information such as identity and position is not used for tracking/profiling	Identity revealing, location tracing

VANET: vehicular ad hoc network; DoS: denial of service.

Different cryptographic solutions have been proposed to address security attacks in VANETs. Engoulou et al.³⁷ proposed a security architecture for VANETs that consists of three layers: a centralized PKI, one-hop security, and multi-hop security. The use of a vehicular PKI to prevent forgery attacks in vehicular communications was also suggested in Raya et al.⁴³ Mejri et al.⁴² described several attacks and the security services affected in VANETs, then a review of several cryptographic primitives and tools that could be used as countermeasures was provided. Razzaque et al.³⁹ addressed the key management problem arising when a cryptographic-based approach for the security in VANETs is used. This work provides a summary of existing secure routing protocols in VANETs which mainly use cryptographic-based solutions. In Riley et al.,⁴⁴ a review of proposals to achieve the authentication security service in VANETs is provided. The authentication schemes are categorized, and available solutions based on the cryptographic schemes recommended in IEEE 1609.2 (if infrastructure is available) and symmetric key schemes (when infrastructure is not available) are described. Oulhaci et al.⁴⁵ studied solutions to provide authentication security services based on the elliptic curve cryptographic schemes recommended in the IEEE 1609.2 standard. Sakiz and Sen⁴⁶ reviewed several attacks and detection mechanisms for VANETs proposed in the literature. One of their most relevant conclusions is that attackers could exploit the network layer operation to pose major security risks for VANETs. However, security aspects and plausible solutions related to the different approaches used broadcast dissemination protocols were not addressed.

The surveys previously mentioned have not addressed the security aspects of message dissemination protocols in VANETs. For this reason, one of the contributions of this article is the identification and description of specific vulnerabilities found in dissemination protocols used in VANETs. Furthermore, this work discusses the specific attacks that can be launched based on the specific characteristics and functioning of the dissemination protocols. In Jaballah et al.,⁴⁷ a vulnerability analysis of position-cheating and replay attacks for broadcast dissemination was presented. In addition, possible countermeasures for the discussed attacks were reviewed. However, only a particular sender-oriented broadcast dissemination protocol was considered in the analysis. Thus, secure design considerations for other broadcast dissemination approaches (i.e. receiver-oriented) were not addressed. Furthermore, important challenges (i.e. jamming attack) and open issues to secure broadcast dissemination protocols were not discussed.

The aim of this work is to analyze the security aspects of broadcast dissemination protocols, as a key part to address the security concerns in VANETs. Because of the cooperative nature of VANETs, insider attacks are more prone to happen and difficult to detect and prevent. Thus, special attention is paid to security concerns related to insider attacks. As suggested in Engoulou et al.,³⁷ in this work, message data verification is revisited as a possible solution for the message falsification/alteration attack, which is very common to happen in broadcast dissemination protocols. Such suggestion is extended to a more comprehensive analysis that includes possible solutions according to the specific vulnerabilities of the broadcast protocols.

The message delay and suppression (real time constraints and availability) attacks are also mentioned in Engoulou et al.³⁷ However, only the case when a malicious node holds onto a message before sending it was analyzed. In contrast, in this article, the case where a malicious node intermittently jams the wireless medium is also addressed. This is an important case, as jamming the wireless medium could also lead to message delays or suppression because of the CSMA/CA mechanism commonly used in standards such as IEEE 802.11p (which is prevalent in VANETs applications).

Gillani et al.⁴¹ described flooding as an important attack in VANETs. This attack can be performed by a node sending a high volume of traffic, which may lead to the BSP. In this article, it is discussed that by attacking the broadcast dissemination protocol operation, the BSP can also be triggered even when only legitimate users rebroadcast messages. Raya et al.⁴³ have remarked the vulnerability of in-transit traffic tampering, where any node acting as a relay can disrupt communications of other nodes by dropping or corrupting messages. This argument is part of the discussion presented in this article as well, however an extended discussion of the scenarios and possible solutions according to the specific approach for broadcast dissemination is provided.

Attacks against the broadcast dissemination process

There are two main goals when attacking the broadcast dissemination process: hindering the dissemination of authentic packets and promoting dissemination of false information. To achieve these goals, the attackers can take advantage of three main weaknesses (from security perspective) inherent to broadcast dissemination in VANETs:⁴⁸

Each receiving node makes a decision about relaying/dropping a broadcast packet.

The cooperative nature of safety applications.

The high number of nodes that share the wireless medium, especially if the vehicles are equipped with IEEE 802.11p transceivers which imply the use of CSMA/CA at the MAC layer.

By taking advantage of these weaknesses, malicious nodes could perform one or more of the attacks reviewed in section “VANETs security in the literature,” aiming to forge spurious messages by means of attacks to the message integrity, hamper the broadcast dissemination protocol operation, and disrupt the normal operation of the lower layers. These three kinds of attacks are detailed next.

Attacks to the message integrity

In these attacks, the attacker might forge packets with information about false events such as crash warnings. This can be done to disseminate spurious messages and take leverage of VANETs applications for the attacker’s own benefit only. For instance, a malicious vehicle could attempt to disseminate spurious crash-warning messages forcing other vehicles to take alternative paths. This selfish behavior could seriously affect the performance of broadcast dissemination protocols for VANETs, whose proper functioning depends on the honest cooperation of participating vehicles. The impact of attacking the message integrity could be greater if the injection of spurious packets is complemented with the impersonation attack.

Attacks to protocol’s operation

These attacks are aimed at tampering with the control information of the broadcast dissemination protocol. This in order to override the protocol rules and either flood the wireless communication channel or disrupt the message dissemination process. An attack to protocol operation varies depending on the particular kind of broadcast dissemination approach used: receiver-oriented or sender-oriented.

The attacks to the operation of receiver-oriented broadcast dissemination protocols can be classified into two categories. The first one is to influence honest vehicles to send false information in order to cheat the potential relay node. Attacks in the second category aim to directly include false control information in the disseminated message in order to influence the relay/drop decision of the corresponding potential relay node.

In the case of sender-oriented protocols, the attacks are focused on influencing the selection mechanism of the relay set by inserting bogus information into the mechanism. Specifically, an attacker might attempt to promote itself to be included in the relay set. Then, upon receiving the message, the attacker could simply drop the message or relay it with information that may adversely affect the network performance.

Attacks to the lower layers

The lower layers of VANETs are susceptible of being attacked by either insider or outsider attackers. Particularly, the attacks to lower layers usually aim to disrupt the MAC mechanism or interfere with the physical signal. For instance, an insider attacker generating dummy packets with a high rate could lead to a high number of collisions at the VANET MAC/PHY layers, increasing the medium access delay or even jamming the access to the wireless resources. Additionally, an outsider attacker could jam the wireless communication channel by generating high-power noise across the entire bandwidth near the transmitting and receiving nodes.

The entity-centric approach for securing the broadcast dissemination

The entity-centric approach has been a fundamental part in the design of global security architectures for VANETs.^37,42,49 This approach has been mainly focused in thwarting severe attacks, like the Sybil attack,⁴² by guaranteeing the authentication security service.^50,51 In this section, an analysis of the entity-centric security approach in VANETs is provided, including a brief overview of the IEEE 1609.2 standard.

IEEE 1609.2 standard overview

The IEEE 1609.2 standard¹⁰ aims to provide confidentiality, authenticity, and integrity services for networking and applications running over the stack. As previously mentioned, this standard is based on entity-centric trust and relies on a PKI to issue, to revoke, and to verify digital certificates interchanged by vehicles.

With a PKI, a digital certificate is issued by a certification authority to any vehicle $v$ in the network prior its registration. Two vehicles within a VANET can exchange and validate their certificates without having access to any other node or gateway. If the certificates are valid, the vehicles can trust each other and establish a secure connection. Usually, the certification authority keeps anonymity of vehicles to preserve its privacy. Certificates are periodically renewed after their lifetimes have expired.⁵² Under this security model, a tamper proof device (TPD) is commonly used by vehicles to internally store the certificates and other cryptographic material (e.g. electronic license plate or an electronic chassis number³⁹) and to execute operations such as hashing, signature generation/verification, and random number generation.

To provide authenticity and integrity, the IEEE 1609.2 standard uses the advanced encryption standard algorithm in counter with ciphertext block chaining message authentication code (CBC-MAC) mode. To verify messages, IEEE 1609.2 proposes the use of elliptic curve digital signature algorithm (ECDSA), which is the elliptic curve analog of the digital signature algorithm (DSA). In addition, the standard considers the secure hash algorithm (ShA-1) defined in the federal information processing standard (FIPS) 180-1.

In IEEE 1609.2, a certification revocation list is needed to revoke malicious nodes. The main issue with a certification revocation list is that it can become increasingly larger. With a large certification revocation list, the time delay to check for a malicious node and the needed storage also become large. Moreover, timely distribution of certification revocation lists also becomes a challenge. In addition, signature verification incurs a cryptographic processing delay at the verifier. Although this delay could be on the order of milliseconds, under a heavy-traffic scenario, a message would be either delayed or accepted without any verification.

Relevant entity-centric security proposals

For one-hop communication, packets sent by a vehicle $v$ in a VANET using the entity-centric security approach are commonly constituted as

$PACKET = {M, σ_{S K_{n}} [M | T], Cer t_{n}}$ (1)

where $σ_{S K_{n}} [M | T]$ represents the digital signature of node $n$ over the concatenation of message $M$ and a timestamp $T$ for freshness check to prevent a replay attack. Since the packet includes the digital certificate, $Cer t_{n}$ , any other node receiving this packet could verify its authenticity by verifying the signature $σ$ .

In case of broadcast dissemination, entity-centric security approaches usually restrict rebroadcast by either a time-to-live (TTL) counter value or a geographic destination area. For secure multi-hop broadcast, each new packet transmitted consists of mutable (MUT) and immutable (IMUT) fields. IMUT fields contain the message itself, a timestamp, and a value to ensure message integrity. MUT fields contain data that are accessed and changed by each node rebroadcasting the packet. If the forward process is TTL-based, IMUT is the message M, the timestamp T, and a hash chain value H that prevents that malicious nodes manipulate the TTL and thus increase the multi-hop propagation area (and hence forcing a wasting of network bandwidth). A node n that starts the packet broadcast creates a random value r and computes its hash $H_{r}$ $TTL_MAX$ times, $H_{r} = H^{TTL_MAX} (r)$ . The complete packet is then formed as

$\begin{matrix} IMUT = {M, H_{r}, T} \\ MUT = {f_{0}, f_{1}} \\ PACKET = {IMUT, MUT, σ_{S K_{n}} [IMUT], Cer t_{n}} \end{matrix}$

For the first time, the originator sends $MUT = {f_{0} = r, f_{1} = TTL_MAX}$ . The receiver node of this packet verifies the certificate, signature, timestamp, and the hash chain. To check the hash chain, the node computes $t = H (f_{0})$ and compares $H^{f_{1}} (t)$ against $H_{r}$ . If any of these checks fails, the message is dropped (not forwarded). If all the checks are passed, the packet is forwarded with the MUT fields updated: $f_{0} = t$ and $f_{1} = f_{1} - 1$ . During all the broadcast process of the packet, the signature and the IMUT fields are not modified by forwarding nodes. Control information related to the broadcast dissemination protocol (e.g. number of neighbors) could be secured by wrapping it in IMUT fields. However, faulty or misbehaving vehicles still could report false information.

The overhead introduced by signature generation/verification has motivated the creation of strategies for improving the performance of multi-hop dissemination methods. Hsiao et al.⁵³ proposed two broadcast authentication schemes based on elliptic curve encryption to address the excessive signature verification requests during message broadcasting in VANETs. While their FastAuth (fast authentication) scheme secures periodic single-hop beacon messages, the SelAuth (selective authentication) secures multi-hop applications in which a bogus signature may spread out quickly and impact a significant number of vehicles. SelAuth provides fast isolation of malicious senders, even under a dynamic topology at low computational costs.

Other works have proposed to use symmetric encryption (considered in general faster) to ensure authentication. Lyu et al.⁵⁴ use prediction-based timed efficient stream loss-tolerant authentication (TESLA) to authenticate V2V communications as an alternative to signatures. TESLA performs instant and lightweight authentication for broadcasts by employing the predictability of future beacons. However, since TESLA cannot provide the property of non-repudiation, digital signatures are still required. Ying et al.⁵⁵ proposed to use a privacy preserving broadcast message authentication scheme based on message authentication code through symmetric encryption. Although the approaches presented in Lyu et al.⁵⁴ and Ying et al.⁵⁵ attempt to reduce the computation overhead of public key encryption, other problems are introduced, as the need of efficient mechanisms for private key distribution.⁵⁶

Limitations of the entity-centric security approach

The entity-centric approach aims to provide a secure and reliable network, trying to ban outsider attackers that disrupt the correct operation of VANETs protocols (message dissemination included). This approach could be effective for most of the security attacks in one-hop communication as recommend by the IEEE1609.2 standard, under the assumption that an infrastructure is available and all nodes registered with the CA are trustworthy. However, for broadcast dissemination, the entity-centric approach, although needed, is not sufficient. Message authentication can only ensure that messages are sent from legitimate senders, but it cannot prevent that a legitimate sender broadcasts bogus or altered messages to neighbor vehicles.^57–59

Insider attacks do not affect a security service straightforward (as commonly classified and ensured by entity-centric mechanisms), but they do have a negative impact in VANETs performance. For example, in the GPS spoofing attack, wrong readings from the sensor will be correctly authenticated and considered reliable by the receiving nodes. The same situation occurs in the case of a timing attack, where although messages are delayed they still come from an authentic source. In the case of the illusion attack, the fake identities produced by the attacker remain as trusted sources as well as the data disseminated by those virtual nodes.

In addition to the fact that PKI-based solutions struggle to cope with insider attackers,⁶⁰ it also exists the challenge of deploying ubiquitous PKI in VANETs. This is why securing broadcast dissemination in VANETs must go beyond PKI-based solutions.

The next section considers potential solutions for securing the broadcast dissemination process using a data-centric security approach. The objective is not to replace the entity-centric approach with a data-centric solution, but to complement each other in order to address most of the relevant vulnerabilities of message broadcasting in VANETs.

The data-centric approach for securing the broadcast dissemination

The data-centric security approach uses data consistency checks to detect faulty/misbehaving nodes or insider attackers,^12,13,61,62 prevent the dissemination of false information originated by these nodes,^11,13,63 or prevent the launch of attacks which are difficult to detect because the attackers are valid participants in the network (insider attackers).^11,59 Under this approach, trust is ensured on the information itself rather than on the information source.⁶⁴ Data consistency verification mechanisms could take advantage of three main sources:^12,61 physical models, to compare claimed information against known models such as the physical behavior of vehicles; local sensors, to verify information received from vehicles in direct vicinity; and redundancy, to exploit the fact that messages are often delivered via multiple routes and observed by multiple vehicles.

This section discusses how the data-centric security approach could address most of the relevant security voids of the broadcast dissemination process. To this end, a vulnerability analysis of the most representative broadcast dissemination protocols is performed and plausible countermeasures based on the data-centric security approach are proposed.

Vulnerability analysis of receiver-oriented broadcast dissemination protocols

In this subsection, a vulnerability analysis of representative receiver-oriented broadcast dissemination protocols found in the literature is presented. As discussed in the analysis, the vulnerabilities arise and strongly depend on the particular operation of each protocol.

Distance-based protocols

Attacks to the operation of distance-based protocols are mainly aimed at cheating the GPS device to report a false geographic location. A TPD is normally used to thwart physical manipulation of the GPS device.⁴³ However, geographic location still could be tamper with an attacker who cheats its own GPS by means of the illusion attack. Additionally, the GPS of an honest node could be cheated by means of a GPS signal generator, that is, GPS spoofing attack.

Vulnerability

Upon receiving a message with false geographic location (bogus information) from a malicious/faulty node, potential relay nodes could compute an overoptimistic relay priority if the attacker (or an influenced honest node) reports a geographic location shifted toward the ZOR. Conversely, reporting a geographic location shifted backwards the ZOR may lead potential relay nodes to compute a pessimistic relay priority. Depending on the particular approach, a pessimistic relay priority could translate to a large waiting time or a low relay probability (see section “Receiver-oriented broadcast dissemination protocols”). In both cases, the time required by the message to reach the ZOR could be increased. However, an optimistic relay probability could translate to a short waiting time or a high relay probability. This may cause message relaying from several potential relay nodes, which in turn may lead to the BSP. The larger the difference between reported and actual geographic location, the biggest the effect over the protocol performance.

Possible solution

In order to perform a reliable calculation, position of both sender and receiver must be verified with mechanisms such as the ones presented in Barnwal and Ghosh,⁶⁵ Fogue et al.,⁶⁶ Monteiro et al.,⁶⁷ Yan et al.,⁶⁸ and Zhang et al.⁶⁹ For instance, Yan et al.⁶⁸ and Monteiro et al.⁶⁷ propose the use of multiple antennas to detect vehicles spoofing their claimed location. The main idea is to use the measured received signal strength (RSS) at each directional antenna, which changes in accordance with the angle it forms with the vehicle. In Yan et al.⁶⁸ and Monteiro et al.,⁶⁷ fading propagation conditions were considered to model the attenuation of the transmitted signal. However, the fading model considered in Yan et al.⁶⁸ assumes line-of-sight propagation conditions, and therefore, it cannot be directly applied in V2V scenarios because other vehicles could obstruct the line-of-sight between the receiver and the transmitter. However, although in Monteiro et al.⁶⁷ the fading model considers obstructed-line-of-sight conditions, the complexity of the proposed mechanism should be considered before implementing it. In particular, the mechanism proposed in Yan et al.⁶⁸ was designed to operate in the RSUs, which have significantly higher computational resources than OBUs. Moreover, as the vehicles claimed position is verified at the RSU, continuous message exchange between RSUs and vehicles is required in order to inform all vehicles within the RSU radio range if the position is reliable or not.

In scenarios where RSUs are not available, fully distributed position verification mechanisms should be considered. The mechanism proposed in Fogue et al.⁶⁶ and Zhang et al.⁶⁹ rely on the measured time-of-flight (ToF) difference between the transmission and reception of periodic exchanged beacons. GPS availability is assumed to fulfill two requirements: (1) a global time reference is available for each node and (2) each node is able to determine its own geographic location. Note that for receiver-oriented broadcast dissemination protocols that do not consider the periodic exchange of beacons (e.g. Wisitpongphan et al.⁷), solutions like the one presented in Fogue et al.⁶⁶ could be adapted to use the disseminated message instead of the exchanged beacons.

Summarizing, distance between a given transmitter–receiver pair in distance-based protocols could be verified using infrastructure-based position verification mechanisms, which in turn can take advantage of the computational resources available at RSUs and their known locations. However, an ubiquitous deployment of RSUs is difficult from economic and logistical perspectives. Thus, fully distributed mechanisms are required to ubiquitously enable position verification.

Vulnerability

Distance-based protocols are also vulnerable to the replay attack, which could lead to the BSP. For example, consider the scenario shown in Figure 4 where vehicle A receives a crash-warning message. As it can be seen, vehicle A is in the border of the transmission range of vehicles at the crash site (point S). Thus, it is highly likely that vehicle A will retransmit the crash-warning message. However, instead of rebroadcasting the crash-warning message with its own geographic location, A might retransmit the same received message. As the maximum relay priority value is directly related to the nominal transmission range⁷ of each potential relay node, a significant number of nodes located after S will compute an optimistic rebroadcast priority, potentially leading to the BSP.

Figure 4.

Scenario where a hidden attacker affects broadcast dissemination protocol.

Possible solution

In one-hop communications, the replay attack could be thwarted using an IMUT fields approach within the packet. However, in multi-hop communications, thwarting the replay attack becomes more challenging, as the broadcasted message is intended to reach nodes outside the transmission range of the original source. Thus, a possible solution might involve the use of the IMUT fields approach complemented with position verification mechanisms, in order to verify if the original source of the message actually is in the reception range of the potential relay.

Counter-based protocols

Attacks to the operation of counter-based protocols aim to cheat the counter $c_{m}$ of potential relay nodes in order to mislead their relay/drop decision. Particularly, by influencing $c_{m}$ , a decrease or increase in the number of relay nodes could be achieved.

Vulnerability

Maliciously, the number of relay vehicles could increase if the physical layer (PHY) is attacked. Specifically, an attacker that performs a jamming or selective jamming attack (lower layers attack) over the wireless channel could interfere with the physical reception of broadcasted messages, with the consequence that the counter $c_{m}$ of potential relay nodes registers less than the actual number of retransmissions. Thus, a jamming attack could lead counter-based protocols to the BSP by causing a large number of honest vehicles to relay the received message.

Possible solution

Interference mitigation techniques (such as the ones presented in Husted et al.⁷⁰) could be used to thwart the reactive and the constant jamming attacks.⁷¹ However, an issue that must be considered when implementing interference mitigation techniques in VANETs, is that the available connectivity time could be of just a few seconds, while the convergence time of mitigation techniques is usually larger (around 30 s).⁷¹ Considering a large transmission range of 1000 m, vehicles approaching at 100 km/h will have only 18 s of connectivity time.

Periodic jamming detection techniques could be useful to implement anti-jamming solutions, for example, the hideaway strategy proposed in Azogu et al.⁷² However, these techniques must be encompassed with complementary ones (e.g. store-carry-and-forward⁷³) in order to be effective for counter-based protocols.

Vulnerability

An attack aiming at maliciously decreasing the number of relay vehicles could be possible. An attacker might inject spurious messages by either claiming different identities (Sybil attack) to relay the same message several times or by replaying different messages received from honest relays (replay attack). Both attacks might cheat the counter, $c_{m}$ , of potential relays and hinder message dissemination. Note that depending on the number of affected potential relay nodes, message dissemination could be delayed or even entirely disrupted. Moreover, if the attacker is hidden, both the Sybil and the replay attacks will increase their negative effect over the broadcast dissemination process.

Possible solution

When disseminating a broadcast message, the number of redundant packets received by one node is related to the vehicle density, that is, the number of potential relays. Thus, a vehicle that receives more packets than the estimated local vehicle density could determine if it is under a Sybil or replay attack. In this case, the attacked vehicle could override the rebroadcast decision rule and retransmit the received packet. As such, vehicle density estimation techniques could be helpful in securing counter-based protocols.

There are several vehicle density estimation techniques proposed in the literature which can be used in VANETs scenarios. For instance, in Khomami et al.⁷⁴ the relationship between the number of nodes present in a scenario and the number of nodes transmitting simultaneously was studied. Each individual node monitors the wireless channel and records the RSS values of several consecutive packets. The average RSS is used as a parameter to compute the number of simultaneously transmitting nodes, which in turn is used to estimate the number of nodes in the network. In Huang et al.,⁷⁵ average spacing information (collected through VANETs infrastructure) in a specific area during short periods of time is used for density estimation. Other approaches for VANET-based vehicle density estimation can be reviewed in the survey presented in Darwish and Bakar.⁷⁶ Additionally, a comprehensive survey for density estimation techniques based on scenario modeling and historical data is presented in Seo et al.⁷⁷

If all the vehicles detecting an attack override the rebroadcast decision rule, solutions based on vehicle density estimation could lead to a scenario where all receiving vehicles retransmit the packet. Considering a single attacker, this will occur only in the current hop. However, if colluded attackers are located along the dissemination path, the proposed solution could lead to the BSP. Therefore, more effective security solutions are required to detect the Sybil attack and discard the spurious packets received from malicious nodes. For example, the work done in Feng et al.⁷⁸ proposes to use of a dynamic reputation system to suppress the spread of false messages. The system considers that there might be multiple sources of false identity. Thus, privacy is protected by sending messages with a pseudonym instead of actual vehicle identities. For each event in the VANET, the system establishes a dynamic reputation value and a trusted value. The message about the event is not spread if the associated reputation and trusted values are below their corresponding threshold, thus suppressing the propagation of false information. Yu et al.⁷⁹ explored the feasibility of detecting Sybil attacks by analyzing the signal strength distribution. In particular, they propose a cooperative method based on a random sample consensus (RANSAC) algorithm to verify the position of potential attackers. The detection mechanism is enhanced using a statistical method able to verify where a vehicle comes from. Most of the defense mechanisms based on encryption and authentication rely on a centralized authority.⁸⁰ In addition, they struggle to cope with the problem of key revocation, which is a major challenge in highly dynamic networks such as VANETs.^81–83 However, distributed defense mechanisms based on position verification such as the presented in Yan et al.⁸⁴ and Yu et al.⁷⁹ are more suitable for infrastructure less scenarios. However, in solutions based on position verification, the privacy requirement could be compromised, because the identity and position of vehicles must be linked.

Vulnerability analysis of sender-oriented broadcast dissemination protocols

Sender-oriented broadcast dissemination protocols are particularly vulnerable to illusion attacks, as the selection of the next(s) relay(s) is based on the context information gathered from sensors or periodic beacons. In sender-oriented protocols, a malicious vehicle could mislead its own sensors (e.g. speed and position), with the aim of influencing the selection mechanisms of the current relay such that the attacker is selected as the next relay node. Thus, data-centric security proposals can be particularly relevant for these protocols in order to validate the neighborhood information required by the selection mechanism, as this information is usually gathered by means of periodic beacon exchange.

It should be noted that data-centric solutions rely on alternative information sources to perform verification. The periodic exchange of beacon messages in sender-oriented broadcast dissemination protocols can be exploited to implement data-centric security solutions.^66,77,85 For instance, in Jaballah et al.,⁴⁷ a cooperative position verification mechanism, based on the exchange of an active neighbors table, is proposed to secure the broadcast dissemination process.

DECA

Vulnerability

The DECA protocol selects as the next relay the node with the higher number of neighbors. Thus, a malicious node could easily report a false number of neighbors (bogus information) to force being selected as the next relay node.

Possible solution

The scenario modeling approach could be used to validate information received from potential relay vehicles, in particular, statistical methods for vehicle density estimation (e.g. Khomami et al.⁷⁴ and Shirani et al.⁸⁶). These methods use parameters such as the mobility pattern of vehicles or signal propagation modeling to validate if the received data are reliable. For DECA, each vehicle could implement a local vehicle density estimation technique (e.g. Darwish and Bakar⁷⁶) and share it periodically in beacon messages. Thus, the current relay node could compare the number of neighbors reported by a potential relay with the reported density of others. So, with the help of a data redundancy security approach, the misbehaving vehicle could be excluded from the relay set.

Vulnerability

If a malicious node is selected as next relay, it could simply drop the message (black/gray hole attack) or select a false potential relay node as next relay (bogus information). Then, when other nodes in the network do not hear the retransmission (from the false node), they will retransmit the packet without any restriction (by flooding) leading to possible collisions or delays in the wireless medium.

Possible solution

To reduce the impact of these vulnerability, a broadcast storm mitigation technique such as those presented in Wisitpongphan et al.⁷ could be included in the design of DECA.

FUZZBR

Vulnerability

In FUZZBR, a malicious node may force being selected as relay node by reporting false information about its location and speed (illusion attack), as well as transmitting with a power level above the nominal one.

Possible solution

The mechanisms previously described in section “Distance-based protocols” could be used to verify the position of the potential relays. Even though the received power is measured at the receiver, it cannot be assumed as secure because malicious vehicles could change its transmission power. Thus, position verification mechanisms based on the RSS could help to verify if the transmission power claimed by the neighbor vehicle is consistent with a transmission performed in the reported geographic location.⁶⁸ In addition, trust level could be added as a metric to select the next relay. To this end, a position verification scheme like the one introduced in Barnwal and Ghosh⁶⁵ could help to assess the trust level of neighbors based on the proposed zone- and trajectory-matching algorithms.

Vulnerability

If a malicious node is selected as next relay, it could simply drop the message (black/gray hole attack) to hinder message dissemination.

Possible solution

To address this vulnerability, alternative dissemination paths should be considered, with mechanisms like the one introduced in Celimuge et al.⁸⁷

Vulnerability

In FUZZBR, one relay must be selected for each propagation direction. An attacker could take advantage of this feature attaching identifiers of nodes in the same direction (bogus information).

Possible solution

Position verification mechanisms such as those reviewed in section “Distance-based protocols” could be used to verify the position of the previous relay and other relay vehicles included in the message.

Shared vulnerabilities of different broadcast dissemination approaches

As illustrated in Figure 2, the modules between $D P_{1}$ and $D P_{2}$ points are shared between the two different dissemination approaches. Thus, they also share the same vulnerabilities before and after these points. Attacks that take advantage of such vulnerabilities are mainly aimed to override the protocol decision about forwarding or dropping a particular message.

Vulnerability

At $D P_{1}$ , a spurious message could be injected to disseminate bogus information. The attack could have a greater impact if the spurious message is sent by an attacker impersonating an emergency vehicle such as an ambulance.

Possible solution

Redundancy-based methods (e.g. the method proposed in Dietzel et al.¹²) could help to detect spurious messages.

Vulnerability

At $D P_{2}$ , an attack to lower layers (e.g. jamming attack) could hinder message dissemination by interfering with the physical transmission and reception of messages. In this sense, because of the cooperative nature of VANETs, any insider attacker could forge and transmit spurious packets at an arbitrary rate to significantly increase the contention at the MAC layer. Note that even if the malicious node does not gain access to the network (outsider attacker), an attack at $D P_{2}$ still can be performed, for example, by generating high-power noise across the entire bandwidth near the transmitting and receiving nodes.

Possible solution

Anti-jamming techniques such as those proposed in Azogu et al.⁷² and Mokdad et al.⁸⁸ should be implemented to address this issue.

Vulnerability

Regardless of the broadcast dissemination approach, the threat level of an attacker increases when it hides with the aim of relaying messages that do not reach vehicles outside the coverage area of the current relay. To illustrate this, consider that $H_{1}$ in Figure 5 is the current relay. The attacker node, $A_{1}$ , could cheat about its current location in order to be chosen as the next relay node for a message disseminating from $H_{1}$ . In addition, an attacker node, $A_{2}$ , could hide itself by reducing its transmission power. In both cases, the additional area covered by the next transmission hop will be minimal or even null, with the consequent increase in the dissemination delay.

Figure 5.

Scenario where attacks take place for distance-based protocols.

Possible solution

Position verification mechanisms (e.g. Barnwal and Ghosh,⁶⁵ Fogue et al.,⁶⁶ Monteiro et al.,⁶⁷ and Zhang et al.⁶⁹) should be implemented to verify the geographic location of nodes.

Figure 6 summarizes the existing relations between the attacks, classes of attacks presented in section “Attacks against the broadcast dissemination process” and their corresponding effect over the different broadcast dissemination approaches discussed in this section.

Figure 6.

Effects of different classes of attacks over the broadcast dissemination protocols. Acronyms use for this figure are attacks to lower layers (ALL), attacks to message integrity (AMI), attacks to protocol’s operation (APO), hinder message dissemination (HMD), influence the selection mechanism (ISM), counter-based protocols (CBPs), distance-based protocols (DBPs), DECA sender-oriented $(SO P_{D})$ , and FUZZBR sender-oriented $(SO P_{F})$ .

Considerations for a secure design of broadcast dissemination protocols

From the analysis performed in the previous sections, it can be stated that entity-centric and data-centric security approaches (i.e. scenario modeling and redundancy) could address most of the relevant vulnerabilities of the broadcast dissemination protocols. However, a secure design is also required.

If security concerns are considered in the design of a broadcast dissemination protocol, its robustness can be increased. For instance, including a retransmission mechanism could increase the resilience of the protocol to jamming attacks. Thus, in addition to entity- and data-centric security solutions, considering security issues when designing the different mechanisms (e.g. periodic beacon exchange) of the broadcast dissemination protocol is a key factor to secure the broadcast dissemination process. This section aims to identify potential solutions for the security weaknesses of broadcast dissemination protocols, which are commonly originated during the design and implementation phases.

Several security solutions proposed in the literature rely on periodic beacon exchange among vehicles.^66,76,89 Moreover, because of the inherent uncertainty of information in VANETs, it is very difficult to provide security solutions able to thwart highly effective attacks (e.g. jamming) every time a packet will be disseminated. Therefore, securing the periodic beacon exchange and the packet loss resolution mechanisms is critical.

The mechanism for periodic beacon exchange is performed using one-hop communication. Thus, approaches such as those reviewed in Yang⁵² (see section “The entity-centric approach for securing the broadcast dissemination”) could be useful to prevent malicious vehicles from replaying or modifying the information related to the vehicle identity. However, to secure the information used by the broadcast dissemination protocol (e.g. position and vehicle density), solutions like those reviewed in the previous sections should be considered.

The packet loss resolution mechanism is part of the design of any broadcast dissemination protocol. Thus, such mechanism should be secured considering the particular vulnerabilities of the protocol. For instance, consider the iack mechanism of FUZZBR (see section “FUZZBR”), which triggers a retransmission when a message dissemination disruption is detected. However, every time the packet is retransmitted, the same set of next relays is attached to the packet. Thus, if a malicious vehicle was selected as next relay, the iack mechanism of FUZZBR will struggle to address the gray/black hole attack. In this sense, the construction of alternative dissemination paths using redundancy (e.g. Celimuge et al.⁸⁷) could help to address black/gray hole attacks. This way, if the selected relay does not retransmit the packet, alternative relays could rebroadcast the packet in order to help in the broadcast dissemination process. As proposed in Jaballah et al.,⁴⁷ receipt messages could be used as rebroadcast proof in order to detect if a malicious vehicle selected as next relay interrupts the message dissemination process.

Table 3 presents a summary of security solutions well-suited to address the main vulnerabilities of the broadcast dissemination process in VANETs (as identified in this work). For this table, PKI-based security services were considered for one-hop communication. Regarding the application level, data-centric security solutions analyzed in this work are included in Table 3. Remember that this solutions could help to verify the reliability of the received information (e.g. traffic jam warnings) or to provide alternative routes to improve the robustness of the protocol. Finally, plausible data-centric security solutions (reviewed in this section) are summarized in Table 3 according to specific vulnerabilities of broadcast dissemination protocols.

Table 3.

Possible approaches to address the identified vulnerabilities of the reviewed broadcast dissemination protocols. The acronyms used are hinder message dissemination (HMD), influence the selection mechanism (ISM), DECA sender-oriented $(SO P_{D})$ , and FUZZBR sender-oriented $(SO P_{F})$ .

	Protocol	Vulnerability	Attack	Possible countermeasure
Multi-hop protocol	Distance-based	BSP	Replay	Immutable fields⁵²
Multi-hop protocol			Bogus information	Position verification^65–67,69
			GPS spoofing
		HMD	Bogus information
	Counter-based	BSP	Jamming	Interference mitigation⁷⁰ hideaway⁷² + store-carry-and-forward⁷³
		HMD	Sybil	Position verification^65–67,69 and/or Vehicle density estimation^74,75,77
	SOP_D	ISM	Bogus information	Position verification^65–67,69 and/or Vehicle density estimation^74,75,77
		BSP	Gray/black hole	Secure design, for example, broadcast storm mitigation⁷
			Bogus information	Vehicle density estimation^74,75,77
	SOP_F	ISM	Bogus information	Position verification^65–67,69 and/or vehicle density estimation^74,75,77
			Illusion	Position verification^65–67,69 and/or vehicle density estimation^74,75,77
		BSP	Bogus information	Secure design
		HMD	Gray/black hole	Redundancy, for example, alternative paths⁸⁷
	Attack	Possible countermeasure
Application	Inject spurious messages	Scenario modeling^12,61
	Inject spurious messages	Redundancy^12,61
		Local sensors⁹⁰
	Malicious drop	Redundancy, for example, Alternative paths⁸⁷
	Attack	Possible countermeasure
One-hop	Impersonation	Authentication^50,51
		Integrity^53–55
		No-repudiation^50,51
	Bogus information	Authentication^50,51
	Bogus information	Integrity^53–55
	Sybil	Authentication^46,50,51
		No-repudiation^46,50,51
	DoS	Availability^72,91

BSP: broadcast storm problem; DoS: denial of service.

Challenges and open issues

Several efforts have been made so far to secure broadcast dissemination protocols in VANETs. However, there still are different challenges and open issues to resolve before broadcast dissemination can be securely enabled in VANETs. This section presents the most relevant open issues and challenges identified from the VANETs security analysis presented in this work.

Ubiquitous security solutions

Broadcast dissemination has the potential to ubiquitously enable the most relevant VANET applications, that is, safety and infotainment applications. Thus, a security solution for VANETs should be extended to scenarios where the available infrastructure is scarce, nonexistent or with reduced service levels, as is the case in highways or rural roads. To this end, different fully distributed security mechanisms have been already proposed in the literature (see section “The data-centric approach for securing the broadcast dissemination”) based on scenario modeling and redundancy. In this sense, periodic beacon exchange among vehicles is considered a fundamental underlying mechanism, especially for safety applications.⁹² Thus, it is reasonable to infer that periodic beacons could provide most of the information required by redundancy-based security mechanisms. However, in order to improve the scalability and efficiency of the VANET, the continuous adaptation of the exchange rate (frequency) of periodic beacons has been proposed.^93,94 Thus, it is necessary to evaluate the impact of continuous adaptation of the frequency of periodic beacons over the efficiency of the security solutions. However, most of the scenario modeling security solutions consider mobility and signal propagation models to infer the vehicle density and position, respectively. The accuracy of such model and thus the efficiency of the security solution is highly related to the rural/sub-urban/urban scenario conditions considered when deriving that model. However, a vehicle in a VANET could travel along different scenarios within the same trip. Thus, the design of scenario modeling security solutions that consider variable scenarios conditions (e.g. buildings and vehicle density) in the vehicle trajectory is an open research area.

Redundant relays

Redundant relay nodes in a VANET could be viewed as an asset from the security point of view, as the reliability of the protocol could be increased by providing alternative dissemination paths for the messages. However, from the network perspective, reducing the number of redundant relays is a primary goal. Therefore, it is an open issue the design of broadcast dissemination protocols that provide the optimum number of redundant relays considering both network performance and security trade-offs.

Design of security solutions considering the particular characteristics of broadcast dissemination protocols

The design and evaluation of security solutions that consider the operation of the different layers (e.g. MAC and network) to secure broadcast dissemination is an open research area. For example, broadcast dissemination protocols might have considered in its design different countermeasures such as a retransmission mechanism to address the main challenges imposed by the high mobility of vehicles. However, if such countermeasures are not considered when designing security solutions, they could be misinterpreted as faulty or misbehaving actions. For instance, packet loss in VANETs is prone to happen due to the harsh nature of the wireless communication channel and the contention-based MAC mechanism commonly used in VANETs transceivers (e.g. IEEE 802.11p). However, packet retransmission (with the same sequence number and/or the same timestamp) could be interpreted as a replay or timing attack. As such, the security layer could block the required retransmission, hindering the dissemination of messages.

Early deployment of VANETs

VANETs deployments will rely on OBUs, which will integrate the IEEE 802.11p and IEEE 1609.x standards. However, because of factors like the low renovation rate of the vehicle fleet, it is expected that OBUs will gradually integrate with the current driving environments.^95,96 Thus, other technologies, such as smartphones, have been proposed to establish vehicular communication links.^95–100 In this way, it is expected that the potential benefits of VANETs could be provided at an early stage. The inclusion of other technologies in VANETs deployments will pose major challenges to secure vehicular communications. Particularly, hardware and operative system heterogeneity could hamper the efficiency of proposed security solutions. For instance, received signal strength indication (RSSI)-based position verification mechanisms should consider that different transmission power levels are allowed. Therefore, considering the heterogeneity of deployment technologies when designing security solutions for VANETs is an open research area.

Radio frequency jamming attack

The design and evaluation of cross-layer anti-jamming techniques for VANETs is an open research area. Jamming attack is a serious threat to VANET security.^71,88 Because of that, the design of more resilient PHYs that increase the robustness of VANETs against jamming should be addressed.⁷¹ Meanwhile, strategies implemented in upper layers, such as the one proposed in Mokdad et al.,⁸⁸ could also help to detect jamming attacks. Moreover, techniques such as the store-carry-and-forward may complement hideaway anti-jamming strategy.

PHY security

In VANETs, key distribution (symmetric methods) and high computational complexity (asymmetric methods) pose major challenges to secure data transmissions.⁹¹ In this sense, PHY security could complement cryptographic techniques to provide secure wireless communications. PHY security methods leverage on the propagation characteristics of wireless channels to handle passive eavesdroppers and active attacks. One PHY security method that has recently received considerable attention is cooperative jamming (CJ).⁹¹ The main goal of CJ is to achieve a better channel quality for legitimate network nodes by degrading channel quality for the eavesdropper. To this end, relay vehicles help to transmit jamming signals to degrade the channel quality of the eavesdropper. In this way, secure communications could be enabled even without any extra security schemes on other layers. However, before PHY security methods can be used in a real-world deployment of mobile networks such as VANETs, different challenges should be addressed. According to Liu et al.,¹⁰¹ two challenges are of particular interest: (1) the design of fast channel state evaluation schemes to handle the highly changing channel conditions and (2) dynamic authentication frameworks able to cope with the changing topology of mobile networks.

Conclusion

In this work, an updated literature review about security issues with special emphasis on the multi-hop broadcast message dissemination process in VANETs was presented. As proposed in the IEEE 1609.2 standard, in scenarios where RSUs are available, the provision of basic security services (e.g. authentication and integrity) can leverage on an entity-centric security approach. It also has been highlighted the cooperative nature of VANETs applications and the requirement of broadcast dissemination protocols to ubiquitously enable the expected benefits of VANET applications. However, before that, it is necessary that security in VANETs go beyond cryptographic solutions. Particularly, security approaches that rely on data consistency rather than on source of information are needed for multi-hop communications and for secure operation of broadcast dissemination protocols.

As it was discussed throughout the article, different broadcast dissemination protocols have particular vulnerabilities that need to be addressed before they can be used and deployed in real-world VANETs. In particular, in order to identify weaknesses in the dissemination process and (more importantly) discuss their potential security solutions, a vulnerability analysis of the most relevant broadcast dissemination approaches was performed. To the best of our knowledge, no similar analysis has been reported so far in the literature. From the analysis, state-of-the-art potential solutions that could address the detected vulnerabilities where identified and discussed. Furthermore, challenges and open issues were also identified.

From the discussion presented in this work, it can be stated that the security approach for VANETs must be holistic. That is, besides entity-centric solutions to secure one-hop communications, data-centric security approaches to secure the broadcast dissemination process altogether with a secure design of the related protocols should be considered.

Footnotes

Handling Editor: Haiping Huang

Declaration of conflicting interests

The author(s) declared no potential conflicts of interest with respect to the research,authorship,and/or publication of this article.

Funding

The author(s) received no financial support for the research,authorship,and/or publication of this article.

References

Schulz

Geis

Future role of cost–benefit analysis in intelligent transport system-research. IET Intell Transp Sy 2015; 9(6): 626–632.

Kenney

Dedicated short-range communications (DSRC) standards in the United States. P IEEE 2011; 99(7): 1162–1182.

Hamida

Noura

Znaidi

Security of cooperative intelligent transport systems: standards, threats analysis and cryptographic countermeasures. Electronics 2015; 4(3): 380–423.

Chaqfeh

Lakas

A novel approach for scalable multi-hop data dissemination in vehicular ad hoc networks. Ad Hoc Netw 2016; 37: 228–239.

Mittag

Thomas

Härri

et al . A comparison of single- and multi-hop beaconing in VANETs. In: Proceedings of the 6th ACM international workshop on vehicular internetworking (VANET’09), Beijing, China, 25 September 2009. New York: Association for Computing Machinery (ACM).

Sanguesa

Fogue

Garrido

et al . A survey and comparative study of broadcast warning message dissemination schemes for VANETs. Mob Inf Syst 2016; 2016: 8714142-1–8714142-18.

Wisitpongphan

Tonguz

Parikh

et al . Broadcast storm mitigation techniques in vehicular ad hoc networks. IEEE Wirel Commun 2007; 14(6): 84–94.

Tseng

Chen

et al . The broadcast storm problem in a mobile ad hoc network. In: Proceedings of the 5th annual ACM/IEEE international conference on mobile computing and networking (MobiCom ’99), Seattle, WA, 15–19 August 1999, pp.151–162. New York: ACM.

IEEE Standard 802.11p:2002. IEEE standard for information technology—telecommunications and information exchange between systems—local and metropolitan area networks—specific requirements: part 11: wireless LAN medium access control (MAC) and physical layer (PHY) specifications.

10.

IEEE Standard 1609.2:2013. IEEE standard for wireless access in vehicular environments security services for applications and management messages (Revision of IEEE Standard 1609.2:2006), pp.1–289.

11.

Dhurandher

Obaidat

Jaiswal

et al . Vehicular security through reputation and plausibility checks. IEEE Syst J 2014; 8(2): 384–394.

12.

Dietzel

Gürtler

Kargl

A resilient in-network aggregation mechanism for VANETs based on dissemination redundancy. Ad Hoc Netw 2016; 37(part 1): 101–109.

13.

Zaidi

Milojevic

Rakocevic

et al . Data-centric rogue node detection in VANETs. In: Proceedings of the 13th IEEE international conference on trust, security and privacy in computing and communications (TrustCom 2014), Beijing, China, 24–26 September 2014, pp.398–405. New York: IEEE.

14.

Al-Sultan

Al-Doori

Al-Bayatti

et al . A comprehensive survey on vehicular Ad Hoc network. J Netw Comput Appl 2014; 37: 380–392.

15.

Cunha

Villas

Boukerche

et al . Data communication in VANETs: protocols, applications and challenges. Ad Hoc Netw 2016; 44: 90–103.

16.

Torres

Calafate

Cano

et al . Evaluation of flooding schemes for real-time video transmission in VANETs. Ad Hoc Netw 2015; 24: 3–20.

17.

Panichpapiboon

Pattara-Atikom

A review of information dissemination protocols for vehicular ad hoc networks. IEEE Commun Surv Tut 2012; 14(3): 784–798.

18.

Celimuge

Ohzahata

VANET broadcast protocol based on fuzzy logic and lightweight retransmission mechanism. IEICE T Commun 2012; 95(2): 415–425.

19.

Wang

Yao

et al . SOBP: a sender-designated opportunistic broadcast protocol for VANET. Telecommun Syst 2013; 53(4): 453–467.

20.

Khan

Cho

YZ.

Beacon-less broadcast protocol for vehicular ad hoc networks. KSII T Internet Inf 2014; 8(4): 1223–1236.

21.

Kumar

Verma

AK.

Position based routing protocols in VANET: a survey. Wireless Pers Commun 2015; 83(4): 2747–2772.

22.

Bakhouya

Gaber

Lorenz

An adaptive approach for information dissemination in vehicular ad hoc networks. J Netw Comput Appl 2011; 34(6): 1971–1978.

23.

Mohammed

Ould-Khaoua

Mackenzie

et al . Dynamic probabilistic counter-based broadcasting inmobile ad hoc networks. In: Proceedings of the 2009 2nd international conference on adaptive science & technology (ICAST), Accra, Ghana, 14–16 January 2009. New York: IEEE.

24.

Tseng

Shih

EY.

Adaptive approaches to relieving broadcast storms in a wireless multihop mobile ad hoc network. IEEE T Comput 2003; 52(5): 545–557.

25.

Yassein

Nimer

Al-Dubai

AY.

A new dynamic counter-based broadcasting scheme for mobile ad hoc networks. Simul Model Pract Th 2011; 19(1): 553–563.

26.

Korkmaz

Ekici

Özgüner

et al . Urban multi-hop broadcast protocol for inter-vehicle communication systems. In: Proceedings of the 1st ACM international workshop on vehicular ad hoc networks (VANET ’04), Philadelphia, PA, 1 October 2004, pp.76–85. New York: ACM.

27.

Zhang

Yin

et al . Design and analysis of a robust broadcast scheme for VANET safety-related services. IEEE T Veh Technol 2012; 61(1): 46–61.

28.

Palazzi

Ferretti

Roccetti

et al . How do you quickly choreograph inter-vehicular communications? A fast vehicle-to-vehicle multi-hop broadcast algorithm, explained. In: Proceedings of the 2007 4th IEEE consumer communications and networking conference, Las Vegas, NV, 11–13 January 2007, pp.960–964. New York: IEEE.

29.

Schwartz

Barbosa

RRR

Meratnia

et al . A directional data dissemination protocol for vehicular environments. Comput Commun 2011; 34(17): 2057–2071.

30.

Amoroso

Marfia

Roccetti

Going realistic and optimal: a distributed multi-hop broadcast algorithm for vehicular safety. Comput Netw 2011; 55(10): 2504–2519.

31.

Bononi

Di Felice

A cross layered MAC and clustering scheme for efficient broadcast in VANETs. In: Proceedings of the IEEE international conference on mobile adhoc and sensor systems (MASS 2007), Pisa, 8–11 October 2007, pp.1–8. New York: IEEE.

32.

Doukha

Moussaoui

Haouari

et al . An efficient emergency message dissemination protocol in a vehicular ad hoc network. In: Proceedings of the international conference NDT 2012, part I, Dubai, UAE, 24–26 April 2012, pp.459–469. Berlin; Heidelberg: Springer.

33.

Lee

Bai

Kwak

et al . Enhanced selective forwarding scheme for alert message propagation in vehicular ad hoc networks. Int J Automot Techn 2011; 12(2): 251–264.

34.

Wang

Yao

XW.

An adaptive and opportunistic broadcast protocol for vehicular ad hoc networks. Int J Autom Comput 2012; 9(4): 378–387.

35.

Venkataraman

Delcelier

Muntean

GM.

A moving cluster architecture and an intelligent resource reuse protocol for vehicular networks. Wirel Netw 2013; 19(8): 1881–1900.

36.

Nawut Na Nakorn Rojviboonchai

DECA: density-aware reliable broadcasting in vehicular ad hoc networks. In: Proceedings of the 2010 international conference on electrical engineering/electronics computer telecommunications and information technology (ECTI-CON), Chiang Mai, Thailand, 19–21 May 2010, pp.598–602. New York: IEEE.

37.

Engoulou

Bellache

Pierre

et al . VANET security surveys. Comput Commun 2014; 44: 1–13.

38.

Privacy-preserving authentication schemes for vehicular ad hoc networks: a survey. Wirel Commun Mob Com 2016; 16: 643–655.

39.

Razzaque

Ahmad Salehi

Cheraghi

SM.

security and privacy in vehicular ad-hoc networks: survey and the road ahead. In: Khan

Khan Pathan

(eds) Wireless networks and security (Signals and communication technology). Berlin; Heidelberg: Springer, 2013, pp.107–132.

40.

Al-Kahtani

MS.

Survey on security attacks in vehicular ad hoc networks (VANETs). In: Proceedings of the 2012 6th international conference on signal processing and communication systems (ICSPCS), Gold Coast, QLD, Australia, 12–14 December 2012, pp.1–9. New York: IEEE.

41.

Gillani

Shahzad

Qayyum

et al . A survey on security in vehicular ad hoc networks. In: Proceedings of the 5th international workshop Nets4Cars/Nets4Trains communication technologies for vehicles, Villeneuve-d’Ascq, 14–15 May 2013, pp.59–74. Berlin; Heidelberg: Springer.

42.

Mejri

Ben-Othman

Hamdi

Survey on VANET security challenges and possible cryptographic solutions. Veh Commun 2014; 1(2): 53–66.

43.

Raya

Papadimitratos

Hubaux

JP.

Securing vehicular communications. IEEE Wirel Commun 2006; 13(5): 8–15.

44.

Riley

Akkaya

Fong

A survey of authentication schemes for vehicular ad hoc networks. Secur Commun Netw 2011; 4(10): 1137–1152.

45.

Oulhaci

Omar

Harzine

et al . Secure and distributed certification system architecture for safety message authentication in VANET. Telecommun Syst 2017; 64(4): 679–694.

46.

Sakiz

Sen

A survey of attacks and detection mechanisms on intelligent transportation systems: VANETs and IoV. Ad Hoc Netw 2017; 61: 33–50.

47.

Jaballah

Conti

Mosbah

et al . Fast and secure multihop broadcast solutions for intervehicular communication. IEEE T Intell Transp 2014; 15(1): 433–450.

48.

Schoch

Keppler

Kargl

et al . On the security of context-adaptive information dissemination. Secur Commun Netw 2008; 1(3): 205–218.

49.

Ploßl

Nowey

Mletzko

Towards a security architecture for vehicular ad hoc networks. In: Proceedings of the 1st international conference on availability, reliability and security (ARES 2006), Vienna University of Technology, Vienna, 20–22 April 2006, pp.1–8. Washington, DC: IEEE.

50.

Manvi

Tangade

A survey on authentication schemes in VANETs for secured communication. Veh Commun 2017; 9: 19–30.

51.

Zhang

Domingo-Ferrer

et al . Distributed aggregate privacy-preserving authentication in VANETs. IEEE T Intell Transp 2017; 18(3): 516–526.

52.

Yang

Security in vehicular ad hoc networks (VANETs). In: Chen

Zhang

(eds) Wireless network security. Berlin; Heidelberg: Springer, 2013, pp.95–128.

53.

Hsiao

Studer

Chen

et al . Flooding-resilient broadcast authentication for VANETs. In: Proceedings of the 17th annual international conference on mobile computing and networking (MobiCom ’11), Las Vegas, NV, 19–23 September 2011, pp.193–204. New York: ACM.

54.

Lyu

Zhang

et al . Efficient, fast and scalable authentication for VANETs. In: Proceedings of the 2013 IEEE wireless communications and networking conference (WCNC), Shanghai, China, 7–10 April 2013, pp.1768–1773. New York: IEEE.

55.

Ying

Makrakis

Mouftah

HT.

Privacy preserving broadcast message authentication protocol for VANETs. J Netw Comput Appl 2013; 36(5): 1352–1364.

56.

Zhu

et al . Lightweight and scalable secure communication in VANET. Int J Electron 2015; 102(5): 765–780.

57.

Khan

Agrawal

Silakari

A detailed survey on misbehavior node detection techniques in vehicular ad hoc networks. In: Proceedings of the 2nd international conference INDIA 2015, Kalyani, India, 8–9 January 2015, vol. 1, pp.11–19. India: Springer.

58.

Van der Heijden

Dietzel

Kargl

Misbehavior detection in vehicular ad-hoc networks. In: Proceedings of 1st GI/ITG KuVS Fachgespräch inter-vehicle communication (FG-IVC 2013), Innsbruck, 21–22 February 2013, pp.23–25. University of Innsbruck, Institute of Computer Science.

59.

Wei

Chen

YM.

Efficient self-organized trust management in location privacy enhanced VANETs. In: Lee

Yung

(eds) Information security applications, vol. 7690 (Lecture notes in computer science). Berlin; Heidelberg: Springer, 2012, pp.328–344.

60.

Gantsou

Invited paper: VANET security: going beyond cryptographic-centric solutions. In: Laouiti

Qayyum

Mohamad Saad

(eds) Vehicular ad-hoc networks for smart cities, vol. 306 (Advances in intelligent systems and computing). Singapore: Springer, 2015, pp.43–49.

61.

Dietzel

Petit

Heijenk

et al . Graph-based metrics for insider attack detection in VANET multihop data dissemination protocols. IEEE T Veh Technol 2013; 62(4): 1505–1518.

62.

Kounga

Walter

Lachmund

Proving reliability of anonymous information in VANETs. IEEE T Veh Technol 2009; 58(6): 2977–2989.

63.

Ruj

Cavenaghi

Huang

et al . On data-centric misbehavior detection in VANETs. In: Proceedings of the 2011 IEEE vehicular technology conference (VTC Fall), Budapest, 5–8 September 2011, pp.1–5. New York: IEEE.

64.

Raya

Papadimitratos

Gligor

et al . On data-centric trust establishment in ephemeral ad hoc networks. In: Proceedings of the 27th IEEE international conference on computer communications, joint conference of the IEEE computer and communications societies (INFOCOM 2008), Phoenix, AZ, 13–18 April 2008, pp.1238–1246. New York: IEEE.

65.

Barnwal

Ghosh

SK.

KITE: an efficient scheme for trust estimation and detection of errant nodes in vehicular cyber-physical systems. Secur Commun Netw 2016; 9(16): 3271–3281.

66.

Fogue

Martinez

Garrido

et al . Securing warning message dissemination in VANETs using cooperative neighbor position verification. IEEE T Veh Technol 2015; 64(6): 2538–2550.

67.

Monteiro

MEP

Rebelatto

Souza

RD.

Information-theoretic location verification system with directional antennas for vehicular networks. IEEE T Intell Transp 2016; 17(1): 93–103.

68.

Yan

Malaney

Nevat

et al . Location verification systems for VANETs in rician fading channels. IEEE T Veh Technol 2016; 65(7): 5652–5664.

69.

Zhang

Boukerche

Cooperative location verification for vehicular ad-hoc networks. In: Proceedings of the IEEE international conference on communications (ICC), Ottawa, ON, Canada, 10–15 June 2012, pp.37–41. New York: IEEE.

70.

Husted

Singla

Adaptive interference immunity control. US Patent 7349503, 2008.

71.

Puñal Pereira

ÓC

Aguiar

Gross

. Experimental characterization and modeling of RF jamming attacks on VANETs. IEEE T Veh Technol 2015; 64(2): 524–540.

72.

Azogu

Ferreira

Larcom

et al . A new anti-jamming strategy for VANET metrics-directed security defense. In: Proceedings of the 2013 IEEE globecom workshops (GC Wkshps), Atlanta, GA, 9–13 December 2013, pp.1344–1349. New York: IEEE.

73.

Glacet

Fiore

Gramaglia

Temporal connectivity of vehicular networks: the power of store-carry-and-forward. In: Proceedings of the 2015 IEEE vehicular networking conference (VNC), Kyoto, Japan, 16–18 December 2015, pp.52–59. New York: IEEE.

74.

Khomami

Veeraraghavan

Fontan

FP.

An adaptive node density estimation in vanets using received signal power. In: Proceedings of the 2015 21st Asia-Pacific conference on communications (APCC), Kyoto, Japan, 14–16 October 2015. New York: Institute of Electrical & Electronics Engineers (IEEE).

75.

Huang

Wang

Jiang

et al . Vehicular network based reliable traffic density estimation. In: Proceedings of the 2016 IEEE 83rd vehicular technology conference (VTC Spring), Nanjing, China, 15–18 May 2016, pp.1–5. New York: IEEE.

76.

Darwish

Bakar

KA.

Traffic density estimation in vehicular ad hoc networks: a review. Ad Hoc Netw 2015; 24: 337–351.

77.

Seo

Bayen

Kusakabe

et al . Traffic state estimation on highway: a comprehensive survey. Annu Rev Control 2017; 43: 128–151.

78.

Feng

Chen

et al . A method for defensing against multi-source Sybil attacks in VANET. Peer Peer Netw Appl 2017; 10: 305–314.

79.

Xiao

Detecting Sybil attacks in VANETs. J Parallel Distr Com 2013; 73(6): 746–756.

80.

Mohammadi

Pouyan

AA.

Defense mechanisms against Sybil attack in vehicular ad hoc network. Secur Commun Netw 2015; 8: 917–936.

81.

Busanelli

Ferrari

Veltri

Short-lived key management for secure communications in VANETs. In: Proceedings of the 2011 11th international conference on ITS telecommunications (ITST), St. Petersburg, Russia, 23–25 August 2011, pp.613–618. New York: IEEE.

82.

Duan

Xiao

et al . A novel key management scheme in VANETs. In: Proceedings of the 14th international conference on algorithms and architectures for parallel processing (ICA3PP 2014), Dalian, China, 24–27 August 2014, pp.587–595. Cham: Springer International Publishing.

83.

Vijayakumar

Azees

Kannan

et al . Dual authentication and key management techniques for secure data transmission in vehicular ad hoc networks. IEEE T Intell Transp 2016; 17(4): 1015–1028.

84.

Yan

Olariu

Weigle

MC.

Providing VANET security through active position detection. Comput Commun 2008; 31(12): 2883–2897.

85.

Kum

Khan

Cho

YZ.

Traffic density-based broadcast scheme for vehicular ad hoc networks. IEICE T Commun 2012; E95.B(12): 3875–3878.

86.

Shirani

Hendessi

Gulliver

TA.

Store-carry-forward message dissemination in vehicular ad-hoc networks with local density estimation. In: Proceedings of the 2009 IEEE 70th vehicular technology conference fall, Anchorage, AK, 20–23 September 2009. New York: Institute of Electrical & Electronics Engineers (IEEE).

87.

Celimuge

Satoshi

Toshihiko

A low latency path diversity mechanism for sender-oriented broadcast protocols in VANETs. Ad Hoc Netw 2013; 11(7): 2059–2068.

88.

Mokdad

Ben-Othman

Nguyen

AT.

DJAVAN: detecting jamming attacks in vehicle ad hoc networks. Perform Evaluation 2015; 87: 47–59.

89.

Van der Heijden

Kargl

Abu-Sharkh

OMF

et al . Enhanced position verification for VANETs using subjective logic. In: Proceedings of the 2016 IEEE 84th vehicular technology conference (VTC-Fall), Montreal, QC, Canada, 18–21 September 2016. New York: IEEE.

90.

Gerlach

Mylyy

Mariyasagayam

et al . Securing multihop vehicular message broadcast using trust sensors In: Cuenca

Guerrero

Puigjaner

et al . (eds) Advances in ad hoc networking, vol. 265 (International federation for information processing (IFIP)). New York: Springer, 2008, pp.109–120.

91.

Mukherjee

Fakoorian

SAA

Huang

et al . Principles of physical layer security in multiuser wireless networks: a survey. IEEE Commun Surv Tut 2014; 16(3): 1550–1573.

92.

Renda

Resta

Santi

et al . IEEE 802.11p VANets: experimental evaluation of packet inter-reception time. Comput Commun 2016; 75: 26–38.

93.

Ghafoor

Bakar

van Eenennaam

et al . A fuzzy logic approach to beaconing for vehicular ad hoc networks. Telecommun Syst 2013; 52(1): 139–149.

94.

Qian

Jing

Huo

et al . An adaptive beaconing scheme based on traffic environment parameters prediction in VANETs. In: Yang

Challal

(eds) Wireless algorithms, systems, and applications. Cham: Springer, 2016, pp.524–535.

95.

Park

Kuk

et al . A feasibility study and development framework design for realizing smartphone-based vehicular networking systems. IEEE T Mobile Comput 2014; 13(11): 2431–2444.

96.

Tornell

Patra

Calafate

et al . GRCBox: extending smartphone connectivity in vehicular networks. Int J Distrib Sens N 2015; 2015: 478064-1–478064-13.

97.

Apple CarPlay, 2016, https://www.apple.com/ios/carplay/

98.

Caballero-Gil

Molina-Gil

How to build vehicular ad-hoc networks on smartphones. J Syst Architect 2013; 59(10): 996–1004.

99.

Car Connectivity Consortium (CCC). MirrorLink, 2016, http://www.mirrorlink.com/

100.

Android Auto, 2016, http://www.android.com/auto/

101.

Liu

Chen

Wang

Physical layer security for next generation wireless networks: theories, technologies, and challenges. IEEE Commun Surv Tut 2017; 19(1): 347–376.