
Using a car’s heartbeat for access control

In the future, our vehicles will become a lot more connected than they currently are.  Whilst people are becoming increasingly aware of the concept of the autonomous vehicle, fewer people are aware of the connected vehicle.  These vehicles will still be operated by a human driver (albeit with assisted driving technologies such as cruise control and lane assist), but will form part of the giant overarching vehicle and roadway network.

Organisations within the EU (ETSI, ISO, EU Commission) have released proposals for how various aspects of these future intelligent vehicle and roadway networks, or Intelligent Transport System (ITS) vehicles and roadways, will function.  If you’re interested in a very long (and honestly pretty dry) dissection of these proposals and the security implications of them, I’d recommend looking at this F-Secure report that I was the lead author of: 

The general gist of the proposals is that everything on the roadways will form a giant mesh network.  This includes the vehicles, CCTV systems, road signs, weather detectors, roadway infrastructure, basically every single aspect of the roadway.  Everything will be aware of everything else, to create a collaborative awareness within roadways.  This will be used for a variety of purposes including to support autonomous vehicles in making sensible decisions, for automated optimised traffic management, and even for vehicle vendors to assess vehicle performance.  

Interestingly, this won’t be an “opt in” system; even older vehicles with zero external connectivity will be inducted into traffic models.  Sensors on ITS vehicles will detect a vehicle next to them.  CCTV systems with automatic object detection and Number Plate Recognition (NPR) will detect them.  Radar systems examining the speed of vehicles will detect them.  Thanks to prolific information sharing between all ITS roadway nodes, your old-fashioned vehicles will still be detected and recorded within ITS models.  

Despite the obvious privacy concerns surrounding the above point, the proposed overarching ITS networks will not be completely alien to current ones.  Currently many people make use of GPS systems or maps on their phones, such as Google Maps.  These apps aren’t just providing users with a handy map, but are also sharing valuable data with the map operator.  For instance, Google Maps can detect traffic by analysing the speeds of phones travelling along a stretch of road.  This information can then be used to direct other Google Maps users along other routes which will overall reduce road congestion.  Or alternatively, you can use it to mess with Google Maps by pulling a bunch of phones down a road in a little cart: 

In these future proposed ITS networks, instead of having a phone communicate your locational data, your vehicle will do it directly.  Whilst a lot of different messages will be sent out by ITS vehicles, of particular interest are the Cooperative Awareness Messages (CAM).  These act as a heartbeat for a vehicle, frequently announcing information about the vehicle.  This includes:

  • The size of the vehicle
  • The direction the vehicle is headed in
  • The speed of the vehicle
  • The type of the vehicle
  • Any special requirements for the vehicle

These messages are key to creating collaborative awareness between vehicles.  Vehicles will announce their presence several times a second, with these messages being picked up by surrounding vehicles and other parts of the roadways.  These are the messages that will help an automated vehicle to perform an emergency stop if the vehicle in front of it suddenly brakes.  They will allow traffic management systems to judge congestion on a section of roadway.  They will also allow for key vehicles, such as ambulances, to get priority upon roadways.  Automated vehicles may automatically move out of their way, and traffic lights may automatically favour the direction in which the ambulance is travelling.

The presence of these heartbeat messages could have an interesting use-case in access control systems.  It is common in parking garages or toll booths to see a wedge or spikes that will flip down once the driver authenticates themself in some way, or the license plate of the vehicle is scanned.  Perhaps the CAM heartbeat messages could be used to do this. 

We could also see this technology used within road lanes that have limited users.  This could include bus lanes, or lanes limited to vehicles with 2+ passengers.  Whilst a bus should be obvious based upon the contents of its CAM message, perhaps an ITS car could send out an altered CAM if it detects multiple passengers are within the car.  

Potentially, these CAM could be used for physical access control to such lanes.  A small ramp could be placed at the entrance to such roadways which automatically lowers itself in time for approaching appropriate vehicles, and raises for inappropriate vehicles.  This would save operators the burden of having to concern themselves with enrolling every license plate.  Or perhaps it could simply be tied into CCTV systems to issue fines to illegitimate lane users.  
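
To make the ramp idea concrete, here is an added sketch of the decision a lane controller would have to make for each heartbeat; it is not code from the ITS proposals or from the report mentioned above. It assumes a simplified JSON stand-in for a CAM, an HMAC tag standing in for the message's signature, and hypothetical field names, including a `passengers` field for the "altered CAM" imagined above.

```python
import hashlib
import hmac
import json

# Assumptions, not taken from the ITS specifications: a JSON dict stands in for
# the real CAM encoding, an HMAC tag stands in for the message's signature, and
# the "passengers" field is the hypothetical "altered CAM" the post imagines.
DEMO_KEY = b"constructed-demo-key"
MAX_AGE_S = 1.0             # CAMs are sent several times a second
LANE_HEADING_DEG = 90.0     # direction of travel into the restricted lane
HEADING_TOLERANCE_DEG = 20.0

def tag_for(cam: dict, key: bytes = DEMO_KEY) -> str:
    body = json.dumps(cam, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def ramp_decision(cam: dict, tag: str, now: float) -> tuple[bool, str]:
    """Return (lower_ramp, reason); any failed check keeps the ramp raised."""
    if not hmac.compare_digest(tag_for(cam), tag):
        return False, "not authenticated"
    try:
        age = now - float(cam["timestamp"])
        heading = float(cam["heading_deg"])
        vehicle_type = cam["type"]
        passengers = int(cam.get("passengers", 1))
    except (KeyError, TypeError, ValueError):
        return False, "malformed"
    if not 0 <= age <= MAX_AGE_S:
        return False, "stale"
    # Smallest angle between the vehicle's heading and the lane direction.
    off_axis = abs((heading - LANE_HEADING_DEG + 180) % 360 - 180)
    if off_axis > HEADING_TOLERANCE_DEG:
        return False, "not approaching"
    if vehicle_type == "bus" or passengers >= 2:
        return True, "eligible"
    return False, "not eligible"

# Constructed sample heartbeats, for illustration only.
NOW = 1000.0
BUS = {"type": "bus", "heading_deg": 92.0, "speed_kmh": 40, "timestamp": 999.8}
SOLO_CAR = {"type": "car", "heading_deg": 88.0, "speed_kmh": 50, "timestamp": 999.9}
CARPOOL = dict(SOLO_CAR, passengers=3)

if __name__ == "__main__":
    for cam in (BUS, SOLO_CAR, CARPOOL):
        print(cam["type"], ramp_decision(cam, tag_for(cam), NOW))
```

A valid tag only shows who sent the heartbeat and that it was not altered in transit; the vehicle type and passenger count remain self-declared, so a controller built this way still needs an independent check (such as the CCTV tie-in mentioned above) before it relies on them.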

In their current state, there are a lot of security flaws within the EU proposals for ITS networks.  In my opinion, they are not currently fit for purpose.  However, they form a respectable foundation which could be built upon to create appropriately secure proposals.  As the proposals are still in draft states, such updates should come with time.  Trials of ITS roadways have begun in some places around Europe, but to my knowledge no complete deployments are in use.  By my estimates, this technology is still five to ten years away from being used in earnest.  That said, it is still good to be aware of what is coming.  When ITS vehicles see mass production and ITS roadways begin mass deployment, organisations should be prepared to respond. 

If you’re interested in an informal chat about what these proposals might mean for you, drop me a message on Twitter @vicharkness

Published in Information Security, Technology
